Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1578871
MD5:	25369cacd15fd28391f08b48ad5fdf4d
SHA1:	f091fd2f772d7c566bcce4c046323ef02808f2da
SHA256:	b54b6ef71478646451ca1905b93c380141b4df637d73cb796af0a391ba47f43e
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 5496 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 25369CACD15FD28391F08B48AD5FDF4D)

file.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 25369CACD15FD28391F08B48AD5FDF4D)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

svchost.exe (PID: 5328 cmdline: "C:\Windows\SysWOW64\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cmd.exe (PID: 768 cmdline: /c del "C:\Users\user\Desktop\file.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rendylittlediva.store/gd04/"], "decoy": ["f5u8utd50.icu", "ob-offer-33304.bond", "aaf.zone", "hoppersrack.store", "nline-gaming-33476.bond", "isionaryvault.online", "ilitary-jobs-88516.bond", "iyxym.info", "eyes.xyz", "refle.xyz", "kinsmonlkey.shop", "oruu.shop", "est2x2.online", "nline-advertising-77889.bond", "hepresspoolai.xyz", "anilaberg.online", "reimutigleben.store", "anguage-courses-22450.bond", "zzt.xyz", "kfn.lat", "jrxy.bid", "ulfcoastnow.net", "utomatedcrypto.world", "sr961263m.vip", "ondonessex.net", "sychology-degree-20222.bond", "3312.buzz", "rumpaicto.vip", "8791.pink", "lashlightled.life", "omalkhali.info", "ompaz.xyz", "arehouse-inventory-88625.bond", "uktasalon.info", "ruck-driver-jobs-90329.bond", "pd40.online", "ilmguru.net", "ealthcare-trends-56730.bond", "ngersolllockwood.life", "zwtpe.info", "ifeeasystore.shop", "bthlcatgini.forum", "anausimoveis.net", "ashion-degree-38474.bond", "ooth-pain-14.sbs", "otagyrency.shop", "oyfriendtv.fyi", "atchy14.online", "aahoma4.info", "eddybalm.store", "rinc.xyz", "romthefarm.xyz", "est-control-jobs-69594.bond", "90880a27.buzz", "msqdhbbb2.shop", "ncantosgraitzline.lat", "emi.wtf", "fficecleaning717.xyz", "b25.lat", "usicone.xyz", "nfluencer-marketing-19257.bond", "utties.xyz", "pioxc.xyz", "dlxlxw848.vip"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6be1:$a1: 3C 30 50 4F 53 54 74 09 40 0x35001:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d520:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b940:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb35f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3977f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16247:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44667:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa298:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa512:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x386b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38932:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16045:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44465:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15b31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43f51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16147:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44567:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x162bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x446df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaf2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3934a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14dac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x431cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbc23:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3a043:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c287:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4a6a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d28a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x191a9:$sqlite3step: 68 34 1C 7B E1 0x192bc:$sqlite3step: 68 34 1C 7B E1 0x475c9:$sqlite3step: 68 34 1C 7B E1 0x476dc:$sqlite3step: 68 34 1C 7B E1 0x191d8:$sqlite3text: 68 38 2A 90 C5 0x192fd:$sqlite3text: 68 38 2A 90 C5 0x475f8:$sqlite3text: 68 38 2A 90 C5 0x4771d:$sqlite3text: 68 38 2A 90 C5 0x191eb:$sqlite3blob: 68 53 D8 7F 8C 0x19313:$sqlite3blob: 68 53 D8 7F 8C 0x4760b:$sqlite3blob: 68 53 D8 7F 8C 0x47733:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1e0739:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f7078:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1e4eb7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1efd9f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1e3df0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e406a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1efb9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1ef689:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1efc9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1efe17:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1e4a82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1ee904:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e577b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1f5ddf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f6de2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1f2d01:$sqlite3step: 68 34 1C 7B E1 0x1f2e14:$sqlite3step: 68 34 1C 7B E1 0x1f2d30:$sqlite3text: 68 38 2A 90 C5 0x1f2e55:$sqlite3text: 68 38 2A 90 C5 0x1f2d43:$sqlite3blob: 68 53 D8 7F 8C 0x1f2e6b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: file.exe PID: 5496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 5496	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x24044:$a1: 3C 30 50 4F 53 54 74 09 40 0xa2dd3:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: file.exe PID: 6580	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x66f55:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 5328	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6c4fd:$a1: 3C 30 50 4F 53 54 74 09 40 0x124ca0:$a1: 3C 30 50 4F 53 54 74 09 40 0x18221b:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.file.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.file.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.file.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.file.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.file.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
3.2.file.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.file.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.file.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.file.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.file.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\svchost.exe", CommandLine: "C:\Windows\SysWOW64\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1028, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\svchost.exe", ProcessId: 5328, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\SysWOW64\svchost.exe", CommandLine: "C:\Windows\SysWOW64\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1028, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\svchost.exe", ProcessId: 5328, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T16:01:08.296968+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49807	3.33.130.190	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rendylittlediva.store/gd04/"], "decoy": ["f5u8utd50.icu", "ob-offer-33304.bond", "aaf.zone", "hoppersrack.store", "nline-gaming-33476.bond", "isionaryvault.online", "ilitary-jobs-88516.bond", "iyxym.info", "eyes.xyz", "refle.xyz", "kinsmonlkey.shop", "oruu.shop", "est2x2.online", "nline-advertising-77889.bond", "hepresspoolai.xyz", "anilaberg.online", "reimutigleben.store", "anguage-courses-22450.bond", "zzt.xyz", "kfn.lat", "jrxy.bid", "ulfcoastnow.net", "utomatedcrypto.world", "sr961263m.vip", "ondonessex.net", "sychology-degree-20222.bond", "3312.buzz", "rumpaicto.vip", "8791.pink", "lashlightled.life", "omalkhali.info", "ompaz.xyz", "arehouse-inventory-88625.bond", "uktasalon.info", "ruck-driver-jobs-90329.bond", "pd40.online", "ilmguru.net", "ealthcare-trends-56730.bond", "ngersolllockwood.life", "zwtpe.info", "ifeeasystore.shop", "bthlcatgini.forum", "anausimoveis.net", "ashion-degree-38474.bond", "ooth-pain-14.sbs", "otagyrency.shop", "oyfriendtv.fyi", "atchy14.online", "aahoma4.info", "eddybalm.store", "rinc.xyz", "romthefarm.xyz", "est-control-jobs-69594.bond", "90880a27.buzz", "msqdhbbb2.shop", "ncantosgraitzline.lat", "emi.wtf", "fficecleaning717.xyz", "b25.lat", "usicone.xyz", "nfluencer-marketing-19257.bond", "utties.xyz", "pioxc.xyz", "dlxlxw848.vip"]}

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 77%			Perma Link
Source: file.exe	ReversingLabs: Detection: 71%

Yara detected FormBook

Source: Yara match	File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: file.exe, 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2238748660.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2240595533.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: file.exe, file.exe, 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000003.2238748660.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2240595533.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: file.exe, 00000003.00000002.2239556574.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2239429797.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: file.exe, 00000003.00000002.2239556574.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2239429797.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then pop ebx	3_2_00407B1A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then pop edi	3_2_0040E483
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop edi	5_2_008FE483
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop ebx	5_2_008F7B1C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49807 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49807 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49807 -> 3.33.130.190:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 3.33.130.190 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.rendylittlediva.store/gd04/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.utties.xyz
Source:	DNS query: www.ompaz.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.rendylittlediva.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ompaz.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ruck-driver-jobs-90329.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.utties.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.otagyrency.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.atchy14.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.bthlcatgini.forum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.jrxy.bid replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.zwtpe.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.sychology-degree-20222.bond replaycode: Name error (3)

Source: global traffic

HTTP traffic detected: GET /gd04/?uvC=N20YWnVHT5RQC6WMyDV2V8c+DcGptM14OKih1BJNLsVd899Y1bUoCinKVTGhqICNh0dB&UlPxR=-Z1dwda8VP90AL HTTP/1.1Host: www.emi.wtfConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 3.33.130.190 3.33.130.190

Source: Joe Sandbox View

ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 4_2_1112BF82 getaddrinfo,setsockopt,recv,

4_2_1112BF82

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.ruck-driver-jobs-90329.bond
Source: global traffic	DNS traffic detected: DNS query: www.emi.wtf
Source: global traffic	DNS traffic detected: DNS query: www.bthlcatgini.forum
Source: global traffic	DNS traffic detected: DNS query: www.jrxy.bid
Source: global traffic	DNS traffic detected: DNS query: www.sychology-degree-20222.bond
Source: global traffic	DNS traffic detected: DNS query: www.utties.xyz
Source: global traffic	DNS traffic detected: DNS query: www.atchy14.online
Source: global traffic	DNS traffic detected: DNS query: www.zwtpe.info
Source: global traffic	DNS traffic detected: DNS query: www.rendylittlediva.store
Source: global traffic	DNS traffic detected: DNS query: www.otagyrency.shop
Source: global traffic	DNS traffic detected: DNS query: www.ompaz.xyz

Source: explorer.exe, 00000004.00000002.4627498534.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000002.4620986517.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2177647614.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000004.00000002.4627498534.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.4627498534.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.4627498534.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000000.2183668325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.2183057970.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2183019072.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2182397623.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.3312.buzz
Source: explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.3312.buzz/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.3312.buzzReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atchy14.online
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atchy14.online/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atchy14.online/gd04/www.zwtpe.info
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atchy14.onlineReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bthlcatgini.forum
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bthlcatgini.forum/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bthlcatgini.forum/gd04/www.jrxy.bid
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bthlcatgini.forumReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dlxlxw848.vip
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dlxlxw848.vip/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dlxlxw848.vip/gd04/www.eddybalm.store
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dlxlxw848.vipReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eddybalm.store
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eddybalm.store/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eddybalm.store/gd04/www.usicone.xyz
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eddybalm.storeReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emi.wtf
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emi.wtf/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emi.wtf/gd04/www.bthlcatgini.forum
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emi.wtfReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jrxy.bid
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jrxy.bid/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jrxy.bid/gd04/www.sychology-degree-20222.bond
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jrxy.bidReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ompaz.xyz
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ompaz.xyz/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ompaz.xyz/gd04/www.dlxlxw848.vip
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ompaz.xyzReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otagyrency.shop
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otagyrency.shop/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otagyrency.shop/gd04/www.ompaz.xyz
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otagyrency.shopReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pioxc.xyz
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pioxc.xyz/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pioxc.xyz/gd04/www.otagyrency.shop
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pioxc.xyzReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rendylittlediva.store
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rendylittlediva.store/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rendylittlediva.store/gd04/www.pioxc.xyz
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rendylittlediva.storeReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-90329.bond
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-90329.bond/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-90329.bond/gd04/www.emi.wtf
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-90329.bondReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sychology-degree-20222.bond
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sychology-degree-20222.bond/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sychology-degree-20222.bond/gd04/www.utties.xyz
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sychology-degree-20222.bondReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usicone.xyz
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usicone.xyz/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usicone.xyz/gd04/www.3312.buzz
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usicone.xyzReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.utties.xyz
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.utties.xyz/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.utties.xyz/gd04/www.atchy14.online
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.utties.xyzReferer:
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zwtpe.info
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zwtpe.info/gd04/
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zwtpe.info/gd04/www.rendylittlediva.store
Source: explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zwtpe.infoReferer:
Source: explorer.exe, 00000004.00000002.4632272582.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2187785461.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000004.00000003.3949097092.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2181193761.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4624877885.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3099032572.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000002.4627498534.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000000.2181193761.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4624877885.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000003.3098070861.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4623056184.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2179401479.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000004.00000003.3948615344.0000000009B85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009B7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096810013.0000000009B85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3949653636.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4628497427.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000004.00000003.3948615344.0000000009B85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4628561312.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3948948498.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009B7B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000004.00000000.2187785461.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4632272582.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000004.00000000.2183668325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000004.00000000.2183668325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: file.exe PID: 5496, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: file.exe PID: 6580, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5328, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041A330 NtCreateFile,	3_2_0041A330
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041A3E0 NtReadFile,	3_2_0041A3E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041A460 NtClose,	3_2_0041A460
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041A510 NtAllocateVirtualMemory,	3_2_0041A510
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041A2A3 NtCreateFile,NtReadFile,	3_2_0041A2A3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041A3DA NtReadFile,	3_2_0041A3DA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041A45A NtClose,	3_2_0041A45A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041A50A NtAllocateVirtualMemory,	3_2_0041A50A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01992BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992B60 NtClose,LdrInitializeThunk,	3_2_01992B60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992AD0 NtReadFile,LdrInitializeThunk,	3_2_01992AD0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992DD0 NtDelayExecution,LdrInitializeThunk,	3_2_01992DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01992DF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_01992D10
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_01992D30
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_01992CA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01992C70
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992F90 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_01992F90
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992FB0 NtResumeThread,LdrInitializeThunk,	3_2_01992FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992FE0 NtCreateFile,LdrInitializeThunk,	3_2_01992FE0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992F30 NtCreateSection,LdrInitializeThunk,	3_2_01992F30
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_01992E80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_01992EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01994340 NtSetContextThread,	3_2_01994340
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01994650 NtSuspendThread,	3_2_01994650
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992B80 NtQueryInformationFile,	3_2_01992B80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992BA0 NtEnumerateValueKey,	3_2_01992BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992BE0 NtQueryValueKey,	3_2_01992BE0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992AB0 NtWaitForSingleObject,	3_2_01992AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992AF0 NtWriteFile,	3_2_01992AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992DB0 NtEnumerateKey,	3_2_01992DB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992D00 NtSetInformationFile,	3_2_01992D00
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992CC0 NtQueryVirtualMemory,	3_2_01992CC0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992CF0 NtOpenProcess,	3_2_01992CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992C00 NtQueryInformationProcess,	3_2_01992C00
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992C60 NtCreateKey,	3_2_01992C60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992FA0 NtQuerySection,	3_2_01992FA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992F60 NtCreateProcessEx,	3_2_01992F60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992EE0 NtQueueApcThread,	3_2_01992EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992E30 NtWriteVirtualMemory,	3_2_01992E30
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01993090 NtSetValueKey,	3_2_01993090
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01993010 NtOpenDirectoryObject,	3_2_01993010
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019935C0 NtCreateMutant,	3_2_019935C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019939B0 NtGetContextThread,	3_2_019939B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01993D10 NtOpenProcessToken,	3_2_01993D10
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01993D70 NtOpenThread,	3_2_01993D70
Source: C:\Windows\explorer.exe	Code function: 4_2_1112CE12 NtProtectVirtualMemory,	4_2_1112CE12
Source: C:\Windows\explorer.exe	Code function: 4_2_1112B232 NtCreateFile,	4_2_1112B232
Source: C:\Windows\explorer.exe	Code function: 4_2_1112CE0A NtProtectVirtualMemory,	4_2_1112CE0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00B32720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	5_2_00B32720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00B33540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	5_2_00B33540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00B333C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	5_2_00B333C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472B60 NtClose,LdrInitializeThunk,	5_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472AD0 NtReadFile,LdrInitializeThunk,	5_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472F30 NtCreateSection,LdrInitializeThunk,	5_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472FE0 NtCreateFile,LdrInitializeThunk,	5_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472DD0 NtDelayExecution,LdrInitializeThunk,	5_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472C60 NtCreateKey,LdrInitializeThunk,	5_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034735C0 NtCreateMutant,LdrInitializeThunk,	5_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03474340 NtSetContextThread,	5_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03474650 NtSuspendThread,	5_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472B80 NtQueryInformationFile,	5_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472BA0 NtEnumerateValueKey,	5_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472AF0 NtWriteFile,	5_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472AB0 NtWaitForSingleObject,	5_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472F60 NtCreateProcessEx,	5_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472F90 NtProtectVirtualMemory,	5_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472FA0 NtQuerySection,	5_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472FB0 NtResumeThread,	5_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472E30 NtWriteVirtualMemory,	5_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472EE0 NtQueueApcThread,	5_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472E80 NtReadVirtualMemory,	5_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472D00 NtSetInformationFile,	5_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472D30 NtUnmapViewOfSection,	5_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472DB0 NtEnumerateKey,	5_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472C00 NtQueryInformationProcess,	5_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472CC0 NtQueryVirtualMemory,	5_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03472CF0 NtOpenProcess,	5_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03473010 NtOpenDirectoryObject,	5_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03473090 NtSetValueKey,	5_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034739B0 NtGetContextThread,	5_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03473D70 NtOpenThread,	5_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03473D10 NtOpenProcessToken,	5_2_03473D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090A3E0 NtReadFile,	5_2_0090A3E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090A330 NtCreateFile,	5_2_0090A330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090A460 NtClose,	5_2_0090A460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090A510 NtAllocateVirtualMemory,	5_2_0090A510
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090A2A3 NtCreateFile,NtReadFile,	5_2_0090A2A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090A3DA NtReadFile,	5_2_0090A3DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090A45A NtClose,	5_2_0090A45A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090A50A NtAllocateVirtualMemory,	5_2_0090A50A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032A9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	5_2_032A9BAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032AA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	5_2_032AA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032A9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_032A9BB2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032AA042 NtQueryInformationProcess,	5_2_032AA042

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0248D404	0_2_0248D404
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04C16DC0	0_2_04C16DC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04C10040	0_2_04C10040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04C16DB3	0_2_04C16DB3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06931E88	0_2_06931E88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_069396C8	0_2_069396C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06932CF8	0_2_06932CF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06930B90	0_2_06930B90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_069380A0	0_2_069380A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06938691	0_2_06938691
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06938698	0_2_06938698
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_069396B8	0_2_069396B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06938E50	0_2_06938E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06938E40	0_2_06938E40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06931E7A	0_2_06931E7A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06939FC3	0_2_06939FC3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06939FC8	0_2_06939FC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06934F10	0_2_06934F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06934F00	0_2_06934F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06932C9E	0_2_06932C9E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06932CAD	0_2_06932CAD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06933CF8	0_2_06933CF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06931450	0_2_06931450
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06931440	0_2_06931440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06935588	0_2_06935588
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06933D08	0_2_06933D08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0693A570	0_2_0693A570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06935578	0_2_06935578
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0693A56A	0_2_0693A56A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06938A90	0_2_06938A90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06938A8B	0_2_06938A8B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06935398	0_2_06935398
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_069353A8	0_2_069353A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06930B3D	0_2_06930B3D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06938353	0_2_06938353
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06938358	0_2_06938358
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06930B76	0_2_06930B76
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06938090	0_2_06938090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_069318D9	0_2_069318D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_069318E8	0_2_069318E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06930006	0_2_06930006
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06930040	0_2_06930040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06935118	0_2_06935118
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06935108	0_2_06935108
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041F01A	3_2_0041F01A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040102D	3_2_0040102D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041EB8A	3_2_0041EB8A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041EB8D	3_2_0041EB8D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041DD46	3_2_0041DD46
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041E569	3_2_0041E569
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00402D87	3_2_00402D87
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00409E60	3_2_00409E60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041D728	3_2_0041D728
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A141A2	3_2_01A141A2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A201AA	3_2_01A201AA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A181CC	3_2_01A181CC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FA118	3_2_019FA118
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01950100	3_2_01950100
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E8158	3_2_019E8158
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F2000	3_2_019F2000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A203E6	3_2_01A203E6
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196E3F0	3_2_0196E3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1A352	3_2_01A1A352
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E02C0	3_2_019E02C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A20591	3_2_01A20591
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960535	3_2_01960535
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0E4F6	3_2_01A0E4F6
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A04420	3_2_01A04420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A12446	3_2_01A12446
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195C7C0	3_2_0195C7C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01984750	3_2_01984750
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197C6E0	3_2_0197C6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A2A9A6	3_2_01A2A9A6
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01976962	3_2_01976962
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019468B8	3_2_019468B8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E8F0	3_2_0198E8F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01962840	3_2_01962840
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196A840	3_2_0196A840
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A16BD7	3_2_01A16BD7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1AB40	3_2_01A1AB40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01978DBF	3_2_01978DBF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195ADE0	3_2_0195ADE0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FCD1F	3_2_019FCD1F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196AD00	3_2_0196AD00
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00CB5	3_2_01A00CB5
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01950CF2	3_2_01950CF2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960C00	3_2_01960C00
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DEFA0	3_2_019DEFA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01952FC8	3_2_01952FC8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196CFE0	3_2_0196CFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A02F30	3_2_01A02F30
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01980F30	3_2_01980F30
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019A2F28	3_2_019A2F28
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D4F40	3_2_019D4F40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01972E90	3_2_01972E90
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1CE93	3_2_01A1CE93
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1EEDB	3_2_01A1EEDB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1EE26	3_2_01A1EE26
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960E59	3_2_01960E59
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196B1B0	3_2_0196B1B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A2B16B	3_2_01A2B16B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194F172	3_2_0194F172
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0199516C	3_2_0199516C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1F0E0	3_2_01A1F0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A170E9	3_2_01A170E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019670C0	3_2_019670C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0F0CC	3_2_01A0F0CC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019A739A	3_2_019A739A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1132D	3_2_01A1132D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194D34C	3_2_0194D34C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019652A0	3_2_019652A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A012ED	3_2_01A012ED
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197B2C0	3_2_0197B2C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FD5B0	3_2_019FD5B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A17571	3_2_01A17571
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1F43F	3_2_01A1F43F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01951460	3_2_01951460
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1F7B0	3_2_01A1F7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A116CC	3_2_01A116CC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F5910	3_2_019F5910
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01969950	3_2_01969950
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197B950	3_2_0197B950
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019638E0	3_2_019638E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CD800	3_2_019CD800
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197FB80	3_2_0197FB80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0199DBF9	3_2_0199DBF9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D5BF0	3_2_019D5BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1FB76	3_2_01A1FB76
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A01AA3	3_2_01A01AA3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FDAAC	3_2_019FDAAC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019A5AA0	3_2_019A5AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0DAC6	3_2_01A0DAC6
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A17A46	3_2_01A17A46
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1FA49	3_2_01A1FA49
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D3A6C	3_2_019D3A6C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197FDC0	3_2_0197FDC0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A17D73	3_2_01A17D73
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01963D40	3_2_01963D40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A11D5A	3_2_01A11D5A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1FCF2	3_2_01A1FCF2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D9C32	3_2_019D9C32
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01961F92	3_2_01961F92
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1FFB1	3_2_01A1FFB1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1FF09	3_2_01A1FF09
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01969EB0	3_2_01969EB0
Source: C:\Windows\explorer.exe	Code function: 4_2_1061B036	4_2_1061B036
Source: C:\Windows\explorer.exe	Code function: 4_2_10612082	4_2_10612082
Source: C:\Windows\explorer.exe	Code function: 4_2_10613D02	4_2_10613D02
Source: C:\Windows\explorer.exe	Code function: 4_2_10619912	4_2_10619912
Source: C:\Windows\explorer.exe	Code function: 4_2_1061F5CD	4_2_1061F5CD
Source: C:\Windows\explorer.exe	Code function: 4_2_1061C232	4_2_1061C232
Source: C:\Windows\explorer.exe	Code function: 4_2_10616B30	4_2_10616B30
Source: C:\Windows\explorer.exe	Code function: 4_2_10616B32	4_2_10616B32
Source: C:\Windows\explorer.exe	Code function: 4_2_1112B232	4_2_1112B232
Source: C:\Windows\explorer.exe	Code function: 4_2_11128912	4_2_11128912
Source: C:\Windows\explorer.exe	Code function: 4_2_11122D02	4_2_11122D02
Source: C:\Windows\explorer.exe	Code function: 4_2_11125B32	4_2_11125B32
Source: C:\Windows\explorer.exe	Code function: 4_2_11125B30	4_2_11125B30
Source: C:\Windows\explorer.exe	Code function: 4_2_1112E5CD	4_2_1112E5CD
Source: C:\Windows\explorer.exe	Code function: 4_2_1112A036	4_2_1112A036
Source: C:\Windows\explorer.exe	Code function: 4_2_11121082	4_2_11121082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00B32720	5_2_00B32720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FA352	5_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0344E3F0	5_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_035003E6	5_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034E0274	5_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034C02C0	5_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034C8158	5_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03430100	5_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034DA118	5_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F81CC	5_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_035001AA	5_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034D2000	5_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03464750	5_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03440770	5_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0343C7C0	5_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0345C6E0	5_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03440535	5_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03500591	5_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F2446	5_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034E4420	5_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034EE4F6	5_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FAB40	5_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F6BD7	5_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0343EA80	5_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03456962	5_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034429A0	5_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0350A9A6	5_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0344A840	5_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03442840	5_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0346E8F0	5_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034268B8	5_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034B4F40	5_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03482F28	5_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03460F30	5_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034E2F30	5_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03432FC8	5_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0344CFE0	5_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034BEFA0	5_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03440E59	5_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FEE26	5_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FEEDB	5_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03452E90	5_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FCE93	5_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0344AD00	5_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034DCD1F	5_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0343ADE0	5_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03458DBF	5_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03440C00	5_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03430CF2	5_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034E0CB5	5_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0342D34C	5_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F132D	5_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0348739A	5_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0345B2C0	5_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034E12ED	5_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034452A0	5_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0347516C	5_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0342F172	5_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0350B16B	5_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0344B1B0	5_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034EF0CC	5_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034470C0	5_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F70E9	5_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FF0E0	5_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FF7B0	5_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F16CC	5_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F7571	5_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034DD5B0	5_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03431460	5_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FF43F	5_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FFB76	5_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034B5BF0	5_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0347DBF9	5_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0345FB80	5_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FFA49	5_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F7A46	5_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034B3A6C	5_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034EDAC6	5_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034DDAAC	5_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03485AA0	5_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034E1AA3	5_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03449950	5_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0345B950	5_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034D5910	5_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034AD800	5_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034438E0	5_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FFF09	5_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03441F92	5_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FFFB1	5_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03449EB0	5_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03443D40	5_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F1D5A	5_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034F7D73	5_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0345FDC0	5_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034B9C32	5_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034FFCF2	5_2_034FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090F01A	5_2_0090F01A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090E569	5_2_0090E569
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090D728	5_2_0090D728
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090EB8A	5_2_0090EB8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090EB8D	5_2_0090EB8D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_008F2D87	5_2_008F2D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_008F2D90	5_2_008F2D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090DD46	5_2_0090DD46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_008F9E60	5_2_008F9E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_008F2FB0	5_2_008F2FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032AA036	5_2_032AA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032A5B32	5_2_032A5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032A5B30	5_2_032A5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032AB232	5_2_032AB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032A8912	5_2_032A8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032A1082	5_2_032A1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032A2D02	5_2_032A2D02
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032AE5CD	5_2_032AE5CD

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 019A7E54 appears 102 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 019CEA12 appears 86 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 01995130 appears 58 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0194B970 appears 280 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 019DF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 278 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times

Source: file.exe, 00000000.00000002.2166283908.000000000076E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2179416932.0000000005220000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000000.00000002.2180465836.0000000009FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000000.2154189576.00000000002E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePeZb.exe, vs file.exe
Source: file.exe, 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000003.00000002.2239556574.00000000014C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exej% vs file.exe
Source: file.exe, 00000003.00000002.2239793292.0000000001A4D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe
Source: file.exe, 00000003.00000002.2239429797.00000000014BB000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exej% vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamePeZb.exe, vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: file.exe PID: 5496, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 6580, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5328, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.file.exe.9fa0000.2.raw.unpack, va9CFUCrYea5Ru7tp7.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.9fa0000.2.raw.unpack, va9CFUCrYea5Ru7tp7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.40e1b08.0.raw.unpack, zqoiqEAFnejIZmUbvw.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.40e1b08.0.raw.unpack, zqoiqEAFnejIZmUbvw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.40e1b08.0.raw.unpack, zqoiqEAFnejIZmUbvw.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.40e1b08.0.raw.unpack, va9CFUCrYea5Ru7tp7.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.40e1b08.0.raw.unpack, va9CFUCrYea5Ru7tp7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.9fa0000.2.raw.unpack, zqoiqEAFnejIZmUbvw.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.9fa0000.2.raw.unpack, zqoiqEAFnejIZmUbvw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.9fa0000.2.raw.unpack, zqoiqEAFnejIZmUbvw.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@11/1

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_00B33360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

5_2_00B33360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_00B33360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

5_2_00B33360

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	Virustotal: Detection: 77%
Source: file.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\file.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: file.exe, 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2238748660.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2240595533.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: file.exe, file.exe, 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000003.2238748660.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2240595533.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: file.exe, 00000003.00000002.2239556574.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2239429797.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: file.exe, 00000003.00000002.2239556574.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2239429797.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: file.exe, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.file.exe.9fa0000.2.raw.unpack, zqoiqEAFnejIZmUbvw.cs	.Net Code: e42jBF0Hco System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.40e1b08.0.raw.unpack, zqoiqEAFnejIZmUbvw.cs	.Net Code: e42jBF0Hco System.Reflection.Assembly.Load(byte[])
Source: 4.2.explorer.exe.108bf840.0.raw.unpack, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 5.2.svchost.exe.3100000.1.raw.unpack, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 5.2.svchost.exe.394f840.4.raw.unpack, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04C19688 push es; retn 0004h	0_2_04C19692
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0693949E push es; iretd	0_2_069394A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00417910 push esp; ret	3_2_00417912
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040E479 push DB4E52F4h; iretd	3_2_0040E47E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040B418 push EA1EC8EFh; retf	3_2_0040B41D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041D4D2 push eax; ret	3_2_0041D4D8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041D4DB push eax; ret	3_2_0041D542
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041D485 push eax; ret	3_2_0041D4D8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0041D53C push eax; ret	3_2_0041D542
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00416652 push ebp; iretd	3_2_0041665C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00416FD5 push 0B7FCB0Eh; ret	3_2_00416FDC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019509AD push ecx; mov dword ptr [esp], ecx	3_2_019509B6
Source: C:\Windows\explorer.exe	Code function: 4_2_1061F9B5 push esp; retn 0000h	4_2_1061FAE7
Source: C:\Windows\explorer.exe	Code function: 4_2_1061FB02 push esp; retn 0000h	4_2_1061FB03
Source: C:\Windows\explorer.exe	Code function: 4_2_1061FB1E push esp; retn 0000h	4_2_1061FB1F
Source: C:\Windows\explorer.exe	Code function: 4_2_1112EB1E push esp; retn 0000h	4_2_1112EB1F
Source: C:\Windows\explorer.exe	Code function: 4_2_1112EB02 push esp; retn 0000h	4_2_1112EB03
Source: C:\Windows\explorer.exe	Code function: 4_2_1112E9B5 push esp; retn 0000h	4_2_1112EAE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_034309AD push ecx; mov dword ptr [esp], ecx	5_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090D485 push eax; ret	5_2_0090D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090D4D2 push eax; ret	5_2_0090D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090D4DB push eax; ret	5_2_0090D542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_008FB418 push EA1EC8EFh; retf	5_2_008FB41D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_008FE479 push DB4E52F4h; iretd	5_2_008FE47E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0090D53C push eax; ret	5_2_0090D542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00906652 push ebp; iretd	5_2_0090665C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00907910 push esp; ret	5_2_00907912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00906FD5 push 0B7FCB0Eh; ret	5_2_00906FDC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032AEB02 push esp; retn 0000h	5_2_032AEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032AEB1E push esp; retn 0000h	5_2_032AEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_032AE9B5 push esp; retn 0000h	5_2_032AEAE7

Source: file.exe

Static PE information: section name: .text entropy: 7.656214120857171

Source: 0.2.file.exe.9fa0000.2.raw.unpack, nMKoq8jbao9YiUlbiW.cs	High entropy of concatenated method names: 'krNMoa9CFU', 'sYeMAa5Ru7', 'HQQMpQbgr3', 'tZ3MRv3lTn', 'y75MXHpMTT', 'ascMJ9i8jY', 'ALug4Rrptq7oOcLQAv', 'cmttlc0pq5ELCZMSG5', 'odBMMiDjfB', 'QMbMt8XJvy'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, Jc5qZ3QsK8AQCUFe17.cs	High entropy of concatenated method names: 'sGWrwYwrXc', 'KGIrhwagJu', 'SitrH9qEe9', 'zSpro2kHQE', 'AwdrO1kvaY', 'O7QrAKUAox', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, TlTnRJvOm7mHfF75Hp.cs	High entropy of concatenated method names: 'awHh99loux', 'R3KhiKgNua', 'Pmqw8O4sWj', 'rqDwTxFeYA', 'st7waebkBc', 'ggGwVmunnB', 'GUnwGUWS2y', 'MjWwmtcweU', 'xJ1wnASZnl', 'Ypuw1Sp6p3'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, KsBNlhgQNJqrfJTHnV.cs	High entropy of concatenated method names: 'YFNECRStD3', 'ESREbxlCCs', 'xknElCjnet', 'ekAEkF1pX9', 'C6WETZqTJa', 'O1dEakuyfa', 'BatEGyK0MH', 'MrLEmRKeyB', 'ORYE1Xu5vX', 'FmsEUNLwcj'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, ArtBg84OR9maF9sTbu.cs	High entropy of concatenated method names: 'ToString', 'SRjJUjqXQ8', 'pt3JkESGDY', 'PctJ8IejX1', 'JxAJT5J4Bh', 'hMtJacNEwi', 'WbAJVu0IUZ', 'yGOJG2ubPB', 'KvqJm0OmNs', 'dbwJn5hqST'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, A9DnFLqExDLVNNauOy.cs	High entropy of concatenated method names: 'Vv1OlSj4gw', 'RoxOkpByss', 'cuhO8h10A8', 'EEEOTCMg3o', 'ce3OaWpbbQ', 'YWQOV9iLmc', 'DYyOGepryw', 'beGOmFcL5S', 'bkDOnCoKxr', 'FfVO1UX6vN'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, zqoiqEAFnejIZmUbvw.cs	High entropy of concatenated method names: 'VJIt7UZSZY', 'NkAtLUI7mo', 'gS9tIpv7iB', 'yAEtwihB08', 'edrthJjUBJ', 'UGEtH41cJP', 'ntQtomiFc9', 'z7ZtA721ed', 'e7MtyEVpxw', 'bFAtpG7bpQ'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, lJK0OtxaPcRewZ9CQJ.cs	High entropy of concatenated method names: 'yTdOXKe7mW', 'E7AOcxu5Dh', 'IdkOOX48Pl', 'AScODcoA02', 'vWpONRFEi7', 'IRCOfLugyF', 'Dispose', 'r6Q5LMsUlX', 'vXG5IUoI5q', 'loE5w8LLVw'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, GLTj2J6d6EQvVj1xLL.cs	High entropy of concatenated method names: 'K8DX1GtM4b', 'RAhXs4HNy3', 'CHNX6YohgA', 'djXXZc6wLE', 'rBvXkQltSp', 'plOX8wVc1Z', 'ou8XTFQX2c', 'eTSXam5yuV', 'R3FXVAShZk', 'KtOXG7kfBA'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, s9XP94MMxVrOOm2wTNI.cs	High entropy of concatenated method names: 'lp5rQu5Ey1', 'GLJrzLv3xn', 'h5YDK8UIAQ', 'DMQDMfCMhh', 'rLnDYcVsaw', 'pfXDtn693i', 'ad6DjHUsaC', 'bRdD7K2sP9', 'PcqDLal2ng', 'K3ADItRgRF'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, bTTMscl9i8jYtg6kwH.cs	High entropy of concatenated method names: 'JAuH72tZQ8', 'GlDHIFTJYv', 'AicHhP1ybP', 'PbbHoJe3lb', 'zoVHAfsWES', 'sXjh0oswP5', 'cedhWbZMP9', 'V7mhxtb6y4', 'bSJhdlHHIK', 'BiKhqtqRUu'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, iJvQyqYQHodGkdqsQU.cs	High entropy of concatenated method names: 'UPEB9pUZq', 'rCPejCC8n', 'wYbPwPmyO', 'eTPiG9v2a', 'vlLbIfmsj', 'IKkvCwkta', 'BeRIBfKvZ73MnXIlEj', 'LPk7Csun89ZQ2vI1q5', 'h6k51WFq6', 'IilrN3UGn'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, VnOCUkbQQQbgr3DZ3v.cs	High entropy of concatenated method names: 'cwlweAUXB5', 'K58wPEflmw', 'at7wChOOIx', 'qwowbQh2Qk', 'IRxwXGJUaS', 'vxqwJpuk4x', 'iQewcg0ZLg', 'LZVw5pJR9A', 'NHxwOHeC8J', 'GJswrGcSAG'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, va9CFUCrYea5Ru7tp7.cs	High entropy of concatenated method names: 'hOqI6bpCsv', 'a0iIZfCVFQ', 'yJmI4VFBIo', 'EZOI37uOVy', 'SeqI0xHrJk', 'enDIWkJhU1', 's0nIxl3wlV', 'PCIIdwLU1C', 'YISIqJxl7Q', 'Ia2IQUjL7p'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, e2JWtTMKQFQRW5KBnAf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HEerUboYG9', 'DX2rs1hFAq', 'OSIrgG2wdg', 'keJr6S9NT0', 'HyTrZ9wQYO', 'OVor4kH7jE', 'QENr35fbep'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, VbL3tUIArYGjGdWj4w.cs	High entropy of concatenated method names: 'Dispose', 'qReMqwZ9CQ', 'g67Yk0w0vt', 'kLSW202TtW', 'pwQMQTXppK', 'JqZMzLW6VK', 'ProcessDialogKey', 'FqeYK9DnFL', 'nxDYMLVNNa', 'vOyYYac5qZ'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, RlopelnTxXDa5G6Q2a.cs	High entropy of concatenated method names: 'OsJoS3sFTg', 'xWHoFBDcei', 'pCEoBQ0LqJ', 'wvOoeeVi5g', 'xivo91F76s', 'uR2oPUYo0J', 'FgPoiZFieq', 'CfMoCSV5Mf', 'KlQob5bhtm', 'a2fov42f8p'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, MtR8l9MjaLlUW1HdOot.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Rhs2OTwxpv', 'Svu2rkHf6e', 'uRs2Dnh1a7', 'lUr227vF9i', 'FJt2NIM1q9', 'Wn62uOh6IE', 'lnb2fSYoxN'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, YpgfixzBF3QAdySX4t.cs	High entropy of concatenated method names: 'IcgrP4VAuj', 'tDHrCPuoeS', 'wbfrbmcJNI', 'K8Url3LTUv', 'VQrrkYHekX', 'jFbrT5glIR', 'Fp6radq6aT', 'jvorf5kAjU', 'XX7rSGFloE', 'fwqrFaK9LF'
Source: 0.2.file.exe.9fa0000.2.raw.unpack, ynJIldWk4mujkVRKZM.cs	High entropy of concatenated method names: 'IvEcd3PaVm', 'EsVcQtNAfY', 'UdM5Kr5uFS', 'ChR5MlSNHV', 'wmIcUHoUxA', 'bHecsBP9Ch', 'WoUcgSfhBn', 'FrYc6jV4QY', 'pAZcZEXbXp', 'q8nc4E8Q85'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, nMKoq8jbao9YiUlbiW.cs	High entropy of concatenated method names: 'krNMoa9CFU', 'sYeMAa5Ru7', 'HQQMpQbgr3', 'tZ3MRv3lTn', 'y75MXHpMTT', 'ascMJ9i8jY', 'ALug4Rrptq7oOcLQAv', 'cmttlc0pq5ELCZMSG5', 'odBMMiDjfB', 'QMbMt8XJvy'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, Jc5qZ3QsK8AQCUFe17.cs	High entropy of concatenated method names: 'sGWrwYwrXc', 'KGIrhwagJu', 'SitrH9qEe9', 'zSpro2kHQE', 'AwdrO1kvaY', 'O7QrAKUAox', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, TlTnRJvOm7mHfF75Hp.cs	High entropy of concatenated method names: 'awHh99loux', 'R3KhiKgNua', 'Pmqw8O4sWj', 'rqDwTxFeYA', 'st7waebkBc', 'ggGwVmunnB', 'GUnwGUWS2y', 'MjWwmtcweU', 'xJ1wnASZnl', 'Ypuw1Sp6p3'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, KsBNlhgQNJqrfJTHnV.cs	High entropy of concatenated method names: 'YFNECRStD3', 'ESREbxlCCs', 'xknElCjnet', 'ekAEkF1pX9', 'C6WETZqTJa', 'O1dEakuyfa', 'BatEGyK0MH', 'MrLEmRKeyB', 'ORYE1Xu5vX', 'FmsEUNLwcj'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, ArtBg84OR9maF9sTbu.cs	High entropy of concatenated method names: 'ToString', 'SRjJUjqXQ8', 'pt3JkESGDY', 'PctJ8IejX1', 'JxAJT5J4Bh', 'hMtJacNEwi', 'WbAJVu0IUZ', 'yGOJG2ubPB', 'KvqJm0OmNs', 'dbwJn5hqST'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, A9DnFLqExDLVNNauOy.cs	High entropy of concatenated method names: 'Vv1OlSj4gw', 'RoxOkpByss', 'cuhO8h10A8', 'EEEOTCMg3o', 'ce3OaWpbbQ', 'YWQOV9iLmc', 'DYyOGepryw', 'beGOmFcL5S', 'bkDOnCoKxr', 'FfVO1UX6vN'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, zqoiqEAFnejIZmUbvw.cs	High entropy of concatenated method names: 'VJIt7UZSZY', 'NkAtLUI7mo', 'gS9tIpv7iB', 'yAEtwihB08', 'edrthJjUBJ', 'UGEtH41cJP', 'ntQtomiFc9', 'z7ZtA721ed', 'e7MtyEVpxw', 'bFAtpG7bpQ'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, lJK0OtxaPcRewZ9CQJ.cs	High entropy of concatenated method names: 'yTdOXKe7mW', 'E7AOcxu5Dh', 'IdkOOX48Pl', 'AScODcoA02', 'vWpONRFEi7', 'IRCOfLugyF', 'Dispose', 'r6Q5LMsUlX', 'vXG5IUoI5q', 'loE5w8LLVw'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, GLTj2J6d6EQvVj1xLL.cs	High entropy of concatenated method names: 'K8DX1GtM4b', 'RAhXs4HNy3', 'CHNX6YohgA', 'djXXZc6wLE', 'rBvXkQltSp', 'plOX8wVc1Z', 'ou8XTFQX2c', 'eTSXam5yuV', 'R3FXVAShZk', 'KtOXG7kfBA'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, s9XP94MMxVrOOm2wTNI.cs	High entropy of concatenated method names: 'lp5rQu5Ey1', 'GLJrzLv3xn', 'h5YDK8UIAQ', 'DMQDMfCMhh', 'rLnDYcVsaw', 'pfXDtn693i', 'ad6DjHUsaC', 'bRdD7K2sP9', 'PcqDLal2ng', 'K3ADItRgRF'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, bTTMscl9i8jYtg6kwH.cs	High entropy of concatenated method names: 'JAuH72tZQ8', 'GlDHIFTJYv', 'AicHhP1ybP', 'PbbHoJe3lb', 'zoVHAfsWES', 'sXjh0oswP5', 'cedhWbZMP9', 'V7mhxtb6y4', 'bSJhdlHHIK', 'BiKhqtqRUu'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, iJvQyqYQHodGkdqsQU.cs	High entropy of concatenated method names: 'UPEB9pUZq', 'rCPejCC8n', 'wYbPwPmyO', 'eTPiG9v2a', 'vlLbIfmsj', 'IKkvCwkta', 'BeRIBfKvZ73MnXIlEj', 'LPk7Csun89ZQ2vI1q5', 'h6k51WFq6', 'IilrN3UGn'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, VnOCUkbQQQbgr3DZ3v.cs	High entropy of concatenated method names: 'cwlweAUXB5', 'K58wPEflmw', 'at7wChOOIx', 'qwowbQh2Qk', 'IRxwXGJUaS', 'vxqwJpuk4x', 'iQewcg0ZLg', 'LZVw5pJR9A', 'NHxwOHeC8J', 'GJswrGcSAG'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, va9CFUCrYea5Ru7tp7.cs	High entropy of concatenated method names: 'hOqI6bpCsv', 'a0iIZfCVFQ', 'yJmI4VFBIo', 'EZOI37uOVy', 'SeqI0xHrJk', 'enDIWkJhU1', 's0nIxl3wlV', 'PCIIdwLU1C', 'YISIqJxl7Q', 'Ia2IQUjL7p'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, e2JWtTMKQFQRW5KBnAf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HEerUboYG9', 'DX2rs1hFAq', 'OSIrgG2wdg', 'keJr6S9NT0', 'HyTrZ9wQYO', 'OVor4kH7jE', 'QENr35fbep'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, VbL3tUIArYGjGdWj4w.cs	High entropy of concatenated method names: 'Dispose', 'qReMqwZ9CQ', 'g67Yk0w0vt', 'kLSW202TtW', 'pwQMQTXppK', 'JqZMzLW6VK', 'ProcessDialogKey', 'FqeYK9DnFL', 'nxDYMLVNNa', 'vOyYYac5qZ'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, RlopelnTxXDa5G6Q2a.cs	High entropy of concatenated method names: 'OsJoS3sFTg', 'xWHoFBDcei', 'pCEoBQ0LqJ', 'wvOoeeVi5g', 'xivo91F76s', 'uR2oPUYo0J', 'FgPoiZFieq', 'CfMoCSV5Mf', 'KlQob5bhtm', 'a2fov42f8p'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, MtR8l9MjaLlUW1HdOot.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Rhs2OTwxpv', 'Svu2rkHf6e', 'uRs2Dnh1a7', 'lUr227vF9i', 'FJt2NIM1q9', 'Wn62uOh6IE', 'lnb2fSYoxN'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, YpgfixzBF3QAdySX4t.cs	High entropy of concatenated method names: 'IcgrP4VAuj', 'tDHrCPuoeS', 'wbfrbmcJNI', 'K8Url3LTUv', 'VQrrkYHekX', 'jFbrT5glIR', 'Fp6radq6aT', 'jvorf5kAjU', 'XX7rSGFloE', 'fwqrFaK9LF'
Source: 0.2.file.exe.40e1b08.0.raw.unpack, ynJIldWk4mujkVRKZM.cs	High entropy of concatenated method names: 'IvEcd3PaVm', 'EsVcQtNAfY', 'UdM5Kr5uFS', 'ChR5MlSNHV', 'wmIcUHoUxA', 'bHecsBP9Ch', 'WoUcgSfhBn', 'FrYc6jV4QY', 'pAZcZEXbXp', 'q8nc4E8Q85'

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_00B33360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

5_2_00B33360

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file.exe PID: 5496, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 8F9904 second address: 8F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 8F9B7E second address: 8F9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 77C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 6A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 87C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 97C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: A020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: B020000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00409AB0 rdtsc

3_2_00409AB0

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3279	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6668	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 880	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 6592	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 3378	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_4-13786

Source: C:\Users\user\Desktop\file.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 1.9 %

Source: C:\Users\user\Desktop\file.exe TID: 1200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6844	Thread sleep count: 3279 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6844	Thread sleep time: -6558000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6844	Thread sleep count: 6668 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6844	Thread sleep time: -13336000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 1436	Thread sleep count: 6592 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 1436	Thread sleep time: -13184000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 1436	Thread sleep count: 3378 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 1436	Thread sleep time: -6756000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000004.00000003.3096810013.0000000009B85000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000003.3099032572.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000004.00000002.4627498534.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000004.00000002.4628497427.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000003.3096810013.0000000009B85000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000004.00000003.3096810013.0000000009B85000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.3094211340.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000004.00000002.4623056184.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000004.00000003.3096810013.0000000009B85000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000002.4623056184.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000000.2177647614.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000004.00000003.3099032572.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000004.00000000.2183668325.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000002.4623056184.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000002.4623056184.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000004.00000002.4628497427.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000004.00000000.2177647614.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000003.3094211340.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.2183668325.0000000009B7B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}-
Source: explorer.exe, 00000004.00000000.2181193761.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00409AB0 rdtsc

3_2_00409AB0

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_0040ACF0 LdrLoadDll,

3_2_0040ACF0

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D019F mov eax, dword ptr fs:[00000030h]	3_2_019D019F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D019F mov eax, dword ptr fs:[00000030h]	3_2_019D019F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D019F mov eax, dword ptr fs:[00000030h]	3_2_019D019F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D019F mov eax, dword ptr fs:[00000030h]	3_2_019D019F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194A197 mov eax, dword ptr fs:[00000030h]	3_2_0194A197
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194A197 mov eax, dword ptr fs:[00000030h]	3_2_0194A197
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194A197 mov eax, dword ptr fs:[00000030h]	3_2_0194A197
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01990185 mov eax, dword ptr fs:[00000030h]	3_2_01990185
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F4180 mov eax, dword ptr fs:[00000030h]	3_2_019F4180
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F4180 mov eax, dword ptr fs:[00000030h]	3_2_019F4180
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0C188 mov eax, dword ptr fs:[00000030h]	3_2_01A0C188
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0C188 mov eax, dword ptr fs:[00000030h]	3_2_01A0C188
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A261E5 mov eax, dword ptr fs:[00000030h]	3_2_01A261E5
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019801F8 mov eax, dword ptr fs:[00000030h]	3_2_019801F8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A161C3 mov eax, dword ptr fs:[00000030h]	3_2_01A161C3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A161C3 mov eax, dword ptr fs:[00000030h]	3_2_01A161C3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FA118 mov ecx, dword ptr fs:[00000030h]	3_2_019FA118
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FA118 mov eax, dword ptr fs:[00000030h]	3_2_019FA118
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FA118 mov eax, dword ptr fs:[00000030h]	3_2_019FA118
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FA118 mov eax, dword ptr fs:[00000030h]	3_2_019FA118
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov ecx, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov ecx, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov ecx, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE10E mov ecx, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A10115 mov eax, dword ptr fs:[00000030h]	3_2_01A10115
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01980124 mov eax, dword ptr fs:[00000030h]	3_2_01980124
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956154 mov eax, dword ptr fs:[00000030h]	3_2_01956154
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956154 mov eax, dword ptr fs:[00000030h]	3_2_01956154
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194C156 mov eax, dword ptr fs:[00000030h]	3_2_0194C156
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E8158 mov eax, dword ptr fs:[00000030h]	3_2_019E8158
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E4144 mov eax, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E4144 mov eax, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E4144 mov ecx, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E4144 mov eax, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E4144 mov eax, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A160B8 mov eax, dword ptr fs:[00000030h]	3_2_01A160B8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A160B8 mov ecx, dword ptr fs:[00000030h]	3_2_01A160B8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195208A mov eax, dword ptr fs:[00000030h]	3_2_0195208A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E80A8 mov eax, dword ptr fs:[00000030h]	3_2_019E80A8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D20DE mov eax, dword ptr fs:[00000030h]	3_2_019D20DE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194C0F0 mov eax, dword ptr fs:[00000030h]	3_2_0194C0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019920F0 mov ecx, dword ptr fs:[00000030h]	3_2_019920F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_0194A0E3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019580E9 mov eax, dword ptr fs:[00000030h]	3_2_019580E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D60E0 mov eax, dword ptr fs:[00000030h]	3_2_019D60E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196E016 mov eax, dword ptr fs:[00000030h]	3_2_0196E016
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196E016 mov eax, dword ptr fs:[00000030h]	3_2_0196E016
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196E016 mov eax, dword ptr fs:[00000030h]	3_2_0196E016
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196E016 mov eax, dword ptr fs:[00000030h]	3_2_0196E016
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D4000 mov ecx, dword ptr fs:[00000030h]	3_2_019D4000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E6030 mov eax, dword ptr fs:[00000030h]	3_2_019E6030
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194A020 mov eax, dword ptr fs:[00000030h]	3_2_0194A020
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194C020 mov eax, dword ptr fs:[00000030h]	3_2_0194C020
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01952050 mov eax, dword ptr fs:[00000030h]	3_2_01952050
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D6050 mov eax, dword ptr fs:[00000030h]	3_2_019D6050
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197C073 mov eax, dword ptr fs:[00000030h]	3_2_0197C073
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01948397 mov eax, dword ptr fs:[00000030h]	3_2_01948397
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01948397 mov eax, dword ptr fs:[00000030h]	3_2_01948397
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01948397 mov eax, dword ptr fs:[00000030h]	3_2_01948397
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197438F mov eax, dword ptr fs:[00000030h]	3_2_0197438F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197438F mov eax, dword ptr fs:[00000030h]	3_2_0197438F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194E388 mov eax, dword ptr fs:[00000030h]	3_2_0194E388
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194E388 mov eax, dword ptr fs:[00000030h]	3_2_0194E388
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194E388 mov eax, dword ptr fs:[00000030h]	3_2_0194E388
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE3DB mov eax, dword ptr fs:[00000030h]	3_2_019FE3DB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE3DB mov eax, dword ptr fs:[00000030h]	3_2_019FE3DB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE3DB mov ecx, dword ptr fs:[00000030h]	3_2_019FE3DB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FE3DB mov eax, dword ptr fs:[00000030h]	3_2_019FE3DB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F43D4 mov eax, dword ptr fs:[00000030h]	3_2_019F43D4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F43D4 mov eax, dword ptr fs:[00000030h]	3_2_019F43D4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019583C0 mov eax, dword ptr fs:[00000030h]	3_2_019583C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019583C0 mov eax, dword ptr fs:[00000030h]	3_2_019583C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019583C0 mov eax, dword ptr fs:[00000030h]	3_2_019583C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019583C0 mov eax, dword ptr fs:[00000030h]	3_2_019583C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D63C0 mov eax, dword ptr fs:[00000030h]	3_2_019D63C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0196E3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0196E3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0196E3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019863FF mov eax, dword ptr fs:[00000030h]	3_2_019863FF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0C3CD mov eax, dword ptr fs:[00000030h]	3_2_01A0C3CD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194C310 mov ecx, dword ptr fs:[00000030h]	3_2_0194C310
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01970310 mov ecx, dword ptr fs:[00000030h]	3_2_01970310
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A30B mov eax, dword ptr fs:[00000030h]	3_2_0198A30B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A30B mov eax, dword ptr fs:[00000030h]	3_2_0198A30B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A30B mov eax, dword ptr fs:[00000030h]	3_2_0198A30B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D035C mov ecx, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F8350 mov ecx, dword ptr fs:[00000030h]	3_2_019F8350
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F437C mov eax, dword ptr fs:[00000030h]	3_2_019F437C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1A352 mov eax, dword ptr fs:[00000030h]	3_2_01A1A352
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E284 mov eax, dword ptr fs:[00000030h]	3_2_0198E284
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E284 mov eax, dword ptr fs:[00000030h]	3_2_0198E284
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D0283 mov eax, dword ptr fs:[00000030h]	3_2_019D0283
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D0283 mov eax, dword ptr fs:[00000030h]	3_2_019D0283
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D0283 mov eax, dword ptr fs:[00000030h]	3_2_019D0283
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019602A0 mov eax, dword ptr fs:[00000030h]	3_2_019602A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019602A0 mov eax, dword ptr fs:[00000030h]	3_2_019602A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E62A0 mov ecx, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019602E1 mov eax, dword ptr fs:[00000030h]	3_2_019602E1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019602E1 mov eax, dword ptr fs:[00000030h]	3_2_019602E1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019602E1 mov eax, dword ptr fs:[00000030h]	3_2_019602E1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194823B mov eax, dword ptr fs:[00000030h]	3_2_0194823B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194A250 mov eax, dword ptr fs:[00000030h]	3_2_0194A250
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956259 mov eax, dword ptr fs:[00000030h]	3_2_01956259
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D8243 mov eax, dword ptr fs:[00000030h]	3_2_019D8243
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D8243 mov ecx, dword ptr fs:[00000030h]	3_2_019D8243
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0A250 mov eax, dword ptr fs:[00000030h]	3_2_01A0A250
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0A250 mov eax, dword ptr fs:[00000030h]	3_2_01A0A250
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01954260 mov eax, dword ptr fs:[00000030h]	3_2_01954260
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01954260 mov eax, dword ptr fs:[00000030h]	3_2_01954260
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01954260 mov eax, dword ptr fs:[00000030h]	3_2_01954260
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194826B mov eax, dword ptr fs:[00000030h]	3_2_0194826B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E59C mov eax, dword ptr fs:[00000030h]	3_2_0198E59C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01984588 mov eax, dword ptr fs:[00000030h]	3_2_01984588
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01952582 mov eax, dword ptr fs:[00000030h]	3_2_01952582
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01952582 mov ecx, dword ptr fs:[00000030h]	3_2_01952582
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019745B1 mov eax, dword ptr fs:[00000030h]	3_2_019745B1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019745B1 mov eax, dword ptr fs:[00000030h]	3_2_019745B1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D05A7 mov eax, dword ptr fs:[00000030h]	3_2_019D05A7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D05A7 mov eax, dword ptr fs:[00000030h]	3_2_019D05A7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D05A7 mov eax, dword ptr fs:[00000030h]	3_2_019D05A7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019565D0 mov eax, dword ptr fs:[00000030h]	3_2_019565D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0198A5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0198A5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E5CF mov eax, dword ptr fs:[00000030h]	3_2_0198E5CF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E5CF mov eax, dword ptr fs:[00000030h]	3_2_0198E5CF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019525E0 mov eax, dword ptr fs:[00000030h]	3_2_019525E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198C5ED mov eax, dword ptr fs:[00000030h]	3_2_0198C5ED
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198C5ED mov eax, dword ptr fs:[00000030h]	3_2_0198C5ED
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E6500 mov eax, dword ptr fs:[00000030h]	3_2_019E6500
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01958550 mov eax, dword ptr fs:[00000030h]	3_2_01958550
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01958550 mov eax, dword ptr fs:[00000030h]	3_2_01958550
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198656A mov eax, dword ptr fs:[00000030h]	3_2_0198656A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198656A mov eax, dword ptr fs:[00000030h]	3_2_0198656A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198656A mov eax, dword ptr fs:[00000030h]	3_2_0198656A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019844B0 mov ecx, dword ptr fs:[00000030h]	3_2_019844B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DA4B0 mov eax, dword ptr fs:[00000030h]	3_2_019DA4B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0A49A mov eax, dword ptr fs:[00000030h]	3_2_01A0A49A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019564AB mov eax, dword ptr fs:[00000030h]	3_2_019564AB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019504E5 mov ecx, dword ptr fs:[00000030h]	3_2_019504E5
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01988402 mov eax, dword ptr fs:[00000030h]	3_2_01988402
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01988402 mov eax, dword ptr fs:[00000030h]	3_2_01988402
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01988402 mov eax, dword ptr fs:[00000030h]	3_2_01988402
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A430 mov eax, dword ptr fs:[00000030h]	3_2_0198A430
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194C427 mov eax, dword ptr fs:[00000030h]	3_2_0194C427
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194E420 mov eax, dword ptr fs:[00000030h]	3_2_0194E420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194E420 mov eax, dword ptr fs:[00000030h]	3_2_0194E420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194E420 mov eax, dword ptr fs:[00000030h]	3_2_0194E420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194645D mov eax, dword ptr fs:[00000030h]	3_2_0194645D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197245A mov eax, dword ptr fs:[00000030h]	3_2_0197245A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197A470 mov eax, dword ptr fs:[00000030h]	3_2_0197A470
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197A470 mov eax, dword ptr fs:[00000030h]	3_2_0197A470
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197A470 mov eax, dword ptr fs:[00000030h]	3_2_0197A470
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A0A456 mov eax, dword ptr fs:[00000030h]	3_2_01A0A456
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DC460 mov ecx, dword ptr fs:[00000030h]	3_2_019DC460
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A047A0 mov eax, dword ptr fs:[00000030h]	3_2_01A047A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F678E mov eax, dword ptr fs:[00000030h]	3_2_019F678E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019507AF mov eax, dword ptr fs:[00000030h]	3_2_019507AF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195C7C0 mov eax, dword ptr fs:[00000030h]	3_2_0195C7C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D07C3 mov eax, dword ptr fs:[00000030h]	3_2_019D07C3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019547FB mov eax, dword ptr fs:[00000030h]	3_2_019547FB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019547FB mov eax, dword ptr fs:[00000030h]	3_2_019547FB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019727ED mov eax, dword ptr fs:[00000030h]	3_2_019727ED
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019727ED mov eax, dword ptr fs:[00000030h]	3_2_019727ED
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019727ED mov eax, dword ptr fs:[00000030h]	3_2_019727ED
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DE7E1 mov eax, dword ptr fs:[00000030h]	3_2_019DE7E1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01950710 mov eax, dword ptr fs:[00000030h]	3_2_01950710
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01980710 mov eax, dword ptr fs:[00000030h]	3_2_01980710
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198C700 mov eax, dword ptr fs:[00000030h]	3_2_0198C700
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198273C mov eax, dword ptr fs:[00000030h]	3_2_0198273C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198273C mov ecx, dword ptr fs:[00000030h]	3_2_0198273C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198273C mov eax, dword ptr fs:[00000030h]	3_2_0198273C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CC730 mov eax, dword ptr fs:[00000030h]	3_2_019CC730
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198C720 mov eax, dword ptr fs:[00000030h]	3_2_0198C720
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198C720 mov eax, dword ptr fs:[00000030h]	3_2_0198C720
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DE75D mov eax, dword ptr fs:[00000030h]	3_2_019DE75D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01950750 mov eax, dword ptr fs:[00000030h]	3_2_01950750
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D4755 mov eax, dword ptr fs:[00000030h]	3_2_019D4755
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992750 mov eax, dword ptr fs:[00000030h]	3_2_01992750
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992750 mov eax, dword ptr fs:[00000030h]	3_2_01992750
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198674D mov esi, dword ptr fs:[00000030h]	3_2_0198674D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198674D mov eax, dword ptr fs:[00000030h]	3_2_0198674D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198674D mov eax, dword ptr fs:[00000030h]	3_2_0198674D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01958770 mov eax, dword ptr fs:[00000030h]	3_2_01958770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01954690 mov eax, dword ptr fs:[00000030h]	3_2_01954690
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01954690 mov eax, dword ptr fs:[00000030h]	3_2_01954690
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019866B0 mov eax, dword ptr fs:[00000030h]	3_2_019866B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198C6A6 mov eax, dword ptr fs:[00000030h]	3_2_0198C6A6
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_0198A6C7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A6C7 mov eax, dword ptr fs:[00000030h]	3_2_0198A6C7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D06F1 mov eax, dword ptr fs:[00000030h]	3_2_019D06F1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D06F1 mov eax, dword ptr fs:[00000030h]	3_2_019D06F1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019CE6F2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019CE6F2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019CE6F2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019CE6F2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01992619 mov eax, dword ptr fs:[00000030h]	3_2_01992619
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE609 mov eax, dword ptr fs:[00000030h]	3_2_019CE609
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196E627 mov eax, dword ptr fs:[00000030h]	3_2_0196E627
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01986620 mov eax, dword ptr fs:[00000030h]	3_2_01986620
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01988620 mov eax, dword ptr fs:[00000030h]	3_2_01988620
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195262C mov eax, dword ptr fs:[00000030h]	3_2_0195262C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1866E mov eax, dword ptr fs:[00000030h]	3_2_01A1866E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1866E mov eax, dword ptr fs:[00000030h]	3_2_01A1866E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0196C640 mov eax, dword ptr fs:[00000030h]	3_2_0196C640
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01982674 mov eax, dword ptr fs:[00000030h]	3_2_01982674
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A660 mov eax, dword ptr fs:[00000030h]	3_2_0198A660
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A660 mov eax, dword ptr fs:[00000030h]	3_2_0198A660
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D89B3 mov esi, dword ptr fs:[00000030h]	3_2_019D89B3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D89B3 mov eax, dword ptr fs:[00000030h]	3_2_019D89B3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D89B3 mov eax, dword ptr fs:[00000030h]	3_2_019D89B3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019509AD mov eax, dword ptr fs:[00000030h]	3_2_019509AD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019509AD mov eax, dword ptr fs:[00000030h]	3_2_019509AD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019849D0 mov eax, dword ptr fs:[00000030h]	3_2_019849D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E69C0 mov eax, dword ptr fs:[00000030h]	3_2_019E69C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019829F9 mov eax, dword ptr fs:[00000030h]	3_2_019829F9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019829F9 mov eax, dword ptr fs:[00000030h]	3_2_019829F9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1A9D3 mov eax, dword ptr fs:[00000030h]	3_2_01A1A9D3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DE9E0 mov eax, dword ptr fs:[00000030h]	3_2_019DE9E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01948918 mov eax, dword ptr fs:[00000030h]	3_2_01948918
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01948918 mov eax, dword ptr fs:[00000030h]	3_2_01948918
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DC912 mov eax, dword ptr fs:[00000030h]	3_2_019DC912
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE908 mov eax, dword ptr fs:[00000030h]	3_2_019CE908
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CE908 mov eax, dword ptr fs:[00000030h]	3_2_019CE908
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E892B mov eax, dword ptr fs:[00000030h]	3_2_019E892B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D892A mov eax, dword ptr fs:[00000030h]	3_2_019D892A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019D0946 mov eax, dword ptr fs:[00000030h]	3_2_019D0946
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DC97C mov eax, dword ptr fs:[00000030h]	3_2_019DC97C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F4978 mov eax, dword ptr fs:[00000030h]	3_2_019F4978
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F4978 mov eax, dword ptr fs:[00000030h]	3_2_019F4978
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01976962 mov eax, dword ptr fs:[00000030h]	3_2_01976962
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01976962 mov eax, dword ptr fs:[00000030h]	3_2_01976962
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01976962 mov eax, dword ptr fs:[00000030h]	3_2_01976962
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0199096E mov eax, dword ptr fs:[00000030h]	3_2_0199096E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0199096E mov edx, dword ptr fs:[00000030h]	3_2_0199096E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0199096E mov eax, dword ptr fs:[00000030h]	3_2_0199096E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DC89D mov eax, dword ptr fs:[00000030h]	3_2_019DC89D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01950887 mov eax, dword ptr fs:[00000030h]	3_2_01950887
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1A8E4 mov eax, dword ptr fs:[00000030h]	3_2_01A1A8E4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197E8C0 mov eax, dword ptr fs:[00000030h]	3_2_0197E8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0198C8F9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0198C8F9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DC810 mov eax, dword ptr fs:[00000030h]	3_2_019DC810
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01972835 mov ecx, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F483A mov eax, dword ptr fs:[00000030h]	3_2_019F483A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F483A mov eax, dword ptr fs:[00000030h]	3_2_019F483A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198A830 mov eax, dword ptr fs:[00000030h]	3_2_0198A830
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01954859 mov eax, dword ptr fs:[00000030h]	3_2_01954859
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01954859 mov eax, dword ptr fs:[00000030h]	3_2_01954859
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01980854 mov eax, dword ptr fs:[00000030h]	3_2_01980854
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01962840 mov ecx, dword ptr fs:[00000030h]	3_2_01962840
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E6870 mov eax, dword ptr fs:[00000030h]	3_2_019E6870
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E6870 mov eax, dword ptr fs:[00000030h]	3_2_019E6870
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DE872 mov eax, dword ptr fs:[00000030h]	3_2_019DE872
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DE872 mov eax, dword ptr fs:[00000030h]	3_2_019DE872
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A04BB0 mov eax, dword ptr fs:[00000030h]	3_2_01A04BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A04BB0 mov eax, dword ptr fs:[00000030h]	3_2_01A04BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960BBE mov eax, dword ptr fs:[00000030h]	3_2_01960BBE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960BBE mov eax, dword ptr fs:[00000030h]	3_2_01960BBE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FEBD0 mov eax, dword ptr fs:[00000030h]	3_2_019FEBD0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01950BCD mov eax, dword ptr fs:[00000030h]	3_2_01950BCD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01950BCD mov eax, dword ptr fs:[00000030h]	3_2_01950BCD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01950BCD mov eax, dword ptr fs:[00000030h]	3_2_01950BCD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01970BCB mov eax, dword ptr fs:[00000030h]	3_2_01970BCB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01970BCB mov eax, dword ptr fs:[00000030h]	3_2_01970BCB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01970BCB mov eax, dword ptr fs:[00000030h]	3_2_01970BCB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01958BF0 mov eax, dword ptr fs:[00000030h]	3_2_01958BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01958BF0 mov eax, dword ptr fs:[00000030h]	3_2_01958BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01958BF0 mov eax, dword ptr fs:[00000030h]	3_2_01958BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197EBFC mov eax, dword ptr fs:[00000030h]	3_2_0197EBFC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DCBF0 mov eax, dword ptr fs:[00000030h]	3_2_019DCBF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A18B28 mov eax, dword ptr fs:[00000030h]	3_2_01A18B28
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A18B28 mov eax, dword ptr fs:[00000030h]	3_2_01A18B28
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197EB20 mov eax, dword ptr fs:[00000030h]	3_2_0197EB20
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197EB20 mov eax, dword ptr fs:[00000030h]	3_2_0197EB20
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FEB50 mov eax, dword ptr fs:[00000030h]	3_2_019FEB50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019F8B42 mov eax, dword ptr fs:[00000030h]	3_2_019F8B42
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E6B40 mov eax, dword ptr fs:[00000030h]	3_2_019E6B40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019E6B40 mov eax, dword ptr fs:[00000030h]	3_2_019E6B40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A1AB40 mov eax, dword ptr fs:[00000030h]	3_2_01A1AB40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0194CB7E mov eax, dword ptr fs:[00000030h]	3_2_0194CB7E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A04B4B mov eax, dword ptr fs:[00000030h]	3_2_01A04B4B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A04B4B mov eax, dword ptr fs:[00000030h]	3_2_01A04B4B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01988A90 mov edx, dword ptr fs:[00000030h]	3_2_01988A90
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A24A80 mov eax, dword ptr fs:[00000030h]	3_2_01A24A80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01958AA0 mov eax, dword ptr fs:[00000030h]	3_2_01958AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01958AA0 mov eax, dword ptr fs:[00000030h]	3_2_01958AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019A6AA4 mov eax, dword ptr fs:[00000030h]	3_2_019A6AA4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01950AD0 mov eax, dword ptr fs:[00000030h]	3_2_01950AD0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01984AD0 mov eax, dword ptr fs:[00000030h]	3_2_01984AD0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01984AD0 mov eax, dword ptr fs:[00000030h]	3_2_01984AD0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019A6ACC mov eax, dword ptr fs:[00000030h]	3_2_019A6ACC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019A6ACC mov eax, dword ptr fs:[00000030h]	3_2_019A6ACC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019A6ACC mov eax, dword ptr fs:[00000030h]	3_2_019A6ACC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198AAEE mov eax, dword ptr fs:[00000030h]	3_2_0198AAEE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198AAEE mov eax, dword ptr fs:[00000030h]	3_2_0198AAEE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019DCA11 mov eax, dword ptr fs:[00000030h]	3_2_019DCA11
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198CA38 mov eax, dword ptr fs:[00000030h]	3_2_0198CA38
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01974A35 mov eax, dword ptr fs:[00000030h]	3_2_01974A35
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01974A35 mov eax, dword ptr fs:[00000030h]	3_2_01974A35
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0197EA2E mov eax, dword ptr fs:[00000030h]	3_2_0197EA2E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198CA24 mov eax, dword ptr fs:[00000030h]	3_2_0198CA24
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960A5B mov eax, dword ptr fs:[00000030h]	3_2_01960A5B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01960A5B mov eax, dword ptr fs:[00000030h]	3_2_01960A5B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CCA72 mov eax, dword ptr fs:[00000030h]	3_2_019CCA72
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019CCA72 mov eax, dword ptr fs:[00000030h]	3_2_019CCA72
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198CA6F mov eax, dword ptr fs:[00000030h]	3_2_0198CA6F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198CA6F mov eax, dword ptr fs:[00000030h]	3_2_0198CA6F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198CA6F mov eax, dword ptr fs:[00000030h]	3_2_0198CA6F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_019FEA60 mov eax, dword ptr fs:[00000030h]	3_2_019FEA60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A18DAE mov eax, dword ptr fs:[00000030h]	3_2_01A18DAE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A18DAE mov eax, dword ptr fs:[00000030h]	3_2_01A18DAE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01A24DAD mov eax, dword ptr fs:[00000030h]	3_2_01A24DAD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01978DBF mov eax, dword ptr fs:[00000030h]	3_2_01978DBF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01978DBF mov eax, dword ptr fs:[00000030h]	3_2_01978DBF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198CDB1 mov ecx, dword ptr fs:[00000030h]	3_2_0198CDB1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0198CDB1 mov eax, dword ptr fs:[00000030h]	3_2_0198CDB1

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_00B333C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,

5_2_00B333C0

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00B333C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,		5_2_00B333C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00B35848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		5_2_00B35848

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 3.33.130.190 80

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\file.exe	NtClose: Indirect: 0x1D8A56C
Source: C:\Users\user\Desktop\file.exe	NtQueueApcThread: Indirect: 0x1D8A4F2			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread register set: target process: 1028			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 1028			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\file.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\file.exe

Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: B30000

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\file.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_00B34610 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,HeapAlloc,InitializeSecurityDescriptor,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,GetLengthSid,GetLengthSid,GetLengthSid,GetLengthSid,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,SetSecurityDescriptorDacl,GetLastError,CloseHandle,HeapFree,HeapFree,

5_2_00B34610

Source: explorer.exe, 00000004.00000003.3948615344.0000000009B85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009B7B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000004.00000000.2178624238.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4622038019.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.2178624238.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2180962357.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4622038019.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.2178624238.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4622038019.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.2178624238.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4622038019.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.4620986517.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2177647614.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_00B357B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_00B357B0

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00B36BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	5_2_00B36BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00B36AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	5_2_00B36AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00B36B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	5_2_00B36B60

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	3 Windows Service	3 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	512 Process Injection	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	512 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	77%	Virustotal		Browse
file.exe	71%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
file.exe	100%	Avira	HEUR/AGEN.1305388
file.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
emi.wtf	3.33.130.190	true	true	unknown
www.ruck-driver-jobs-90329.bond	unknown	unknown	true	unknown
www.bthlcatgini.forum	unknown	unknown	true	unknown
www.jrxy.bid	unknown	unknown	true	unknown
www.zwtpe.info	unknown	unknown	true	unknown
www.ompaz.xyz	unknown	unknown	true	unknown
www.emi.wtf	unknown	unknown	true	unknown
www.rendylittlediva.store	unknown	unknown	true	unknown
www.otagyrency.shop	unknown	unknown	true	unknown
www.sychology-degree-20222.bond	unknown	unknown	true	unknown
www.utties.xyz	unknown	unknown	true	unknown
www.atchy14.online	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.emi.wtf/gd04/?uvC=N20YWnVHT5RQC6WMyDV2V8c+DcGptM14OKih1BJNLsVd899Y1bUoCinKVTGhqICNh0dB&UlPxR=-Z1dwda8VP90AL	true		unknown
www.rendylittlediva.store/gd04/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.zwtpe.infoReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://word.office.comon	explorer.exe, 00000004.00000000.2183668325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.utties.xyzReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.zwtpe.info/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.emi.wtfReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.ruck-driver-jobs-90329.bondReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.sychology-degree-20222.bond/gd04/www.utties.xyz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://powerpoint.office.comcember	explorer.exe, 00000004.00000000.2187785461.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4632272582.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.eddybalm.store	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.ruck-driver-jobs-90329.bond	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.rendylittlediva.storeReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.jrxy.bid/gd04/www.sychology-degree-20222.bond	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.jrxy.bidReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.otagyrency.shop/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://excel.office.com	explorer.exe, 00000004.00000003.3948615344.0000000009B85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009B7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096810013.0000000009B85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3949653636.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4628497427.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.micro	explorer.exe, 00000004.00000000.2183057970.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2183019072.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2182397623.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false	high
http://www.sychology-degree-20222.bond	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.dlxlxw848.vipReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.pioxc.xyz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.emi.wtf/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.rendylittlediva.store/gd04/www.pioxc.xyz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.utties.xyz/gd04/www.atchy14.online	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.eddybalm.store/gd04/www.usicone.xyz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.bthlcatgini.forum/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.ruck-driver-jobs-90329.bond/gd04/www.emi.wtf	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.pioxc.xyz/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.otagyrency.shop/gd04/www.ompaz.xyz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.eddybalm.storeReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.otagyrency.shop	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000004.00000002.4632272582.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2187785461.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.3312.buzz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.3312.buzzReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.sychology-degree-20222.bondReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.bthlcatgini.forum/gd04/www.jrxy.bid	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.pioxc.xyzReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.emi.wtf/gd04/www.bthlcatgini.forum	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.jrxy.bid/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://wns.windows.com/)s	explorer.exe, 00000004.00000000.2183668325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4627498534.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.ompaz.xyz/gd04/www.dlxlxw848.vip	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.sychology-degree-20222.bond/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.eddybalm.store/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.usicone.xyz/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.zwtpe.info	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.atchy14.onlineReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.atchy14.online/gd04/www.zwtpe.info	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.bthlcatgini.forumReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.3312.buzz/gd04/	explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.ompaz.xyz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.rendylittlediva.store/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.jrxy.bid	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.atchy14.online	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.usicone.xyzReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://outlook.com	explorer.exe, 00000004.00000003.3948615344.0000000009B85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4628561312.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3948948498.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009B7B000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.atchy14.online/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.usicone.xyz/gd04/www.3312.buzz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.ruck-driver-jobs-90329.bond/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.ompaz.xyzReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.rendylittlediva.store	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.dlxlxw848.vip/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.utties.xyz/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.ompaz.xyz/gd04/	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000004.00000003.3949097092.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2181193761.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4624877885.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3099032572.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.dlxlxw848.vip	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.dlxlxw848.vip/gd04/www.eddybalm.store	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.otagyrency.shopReferer:	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.utties.xyz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://api.msn.com/	explorer.exe, 00000004.00000002.4627498534.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3094211340.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2183668325.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.bthlcatgini.forum	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.emi.wtf	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://crl.v	explorer.exe, 00000004.00000002.4620986517.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2177647614.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.usicone.xyz	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.zwtpe.info/gd04/www.rendylittlediva.store	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://www.pioxc.xyz/gd04/www.otagyrency.shop	explorer.exe, 00000004.00000002.4635974580.000000000CA15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096582801.000000000CA0E000.00000004.00000001.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.33.130.190	emi.wtf	United States		8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578871
Start date and time:	2024-12-20 15:59:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@11/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 123 Number of non-executed functions: 337
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:00:08	API Interceptor	1x Sleep call for process: file.exe modified
10:00:18	API Interceptor	6200752x Sleep call for process: explorer.exe modified
10:00:53	API Interceptor	5756148x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.33.130.190	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.medicaresbasics.xyz/fm31/
	236236236.elf	Get hash	malicious	Unknown	Browse	lojasdinastia.com.br/
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.medicaresbasics.xyz/fm31/
	profroma invoice.exe	Get hash	malicious	FormBook	Browse	www.iglpg.online/rbqc/
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	www.tdassetmgt.info/d55l/
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	www.deikamalaharris.info/lrgf/
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	www.likesharecomment.net/nqht/
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	www.cbprecise.online/cvmn/
	Outstanding Invoices Spreadsheet Scan 00495_PDF.exe	Get hash	malicious	FormBook	Browse	www.binacamasala.com/gnm5/
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.goldstarfootwear.shop/8m07/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZONEXPANSIONGB	https://alphaarchitect.com/2024/12/long-term-expected-returns/	Get hash	malicious	Unknown	Browse	52.223.40.198
	6CWcISKhf1.msi	Get hash	malicious	AteraAgent	Browse	52.223.39.232
	LightBurn-v1.7.04.exe	Get hash	malicious	Unknown	Browse	52.223.22.71
	setup.msi	Get hash	malicious	AteraAgent	Browse	52.223.39.232
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.43.220.102
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.46.27.245
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.58.83.225
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	3.37.208.254
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.51.45.249
	http://inspirafinancial.com	Get hash	malicious	Unknown	Browse	3.33.220.150

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6553032669148315
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	760'320 bytes
MD5:	25369cacd15fd28391f08b48ad5fdf4d
SHA1:	f091fd2f772d7c566bcce4c046323ef02808f2da
SHA256:	b54b6ef71478646451ca1905b93c380141b4df637d73cb796af0a391ba47f43e
SHA512:	e13b6e32e1106f93f6a9fdf8a1871d4a60ca015d8c68a72ca557990dedb82da81c722a36a0a862f564b0809bd092da4bf2dfa9a809febc81b19413d534581598
SSDEEP:	12288:ZjlIpHtMPku+l0CPPlzYUDbl3H7WZiga3jtuAEzY69hbnrF65FO28EYT/0:ZjlIhSPd+plzYu3+UuAEzY0h3FfxECs
TLSH:	AFF4CFC03F2A7701DEACB934853AEDB862551E74B004B9F36EED2B57B599112AE1CF40
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m[g..............0..t...$........... ........@.. ....................................@................................

File Icon


Icon Hash:	37c38329a3924d33

Static PE Info

General

Entrypoint:	0x4b92fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675B6D2E [Thu Dec 12 23:09:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb92a8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x21e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb7300	0xb7400	e4076bb0905391be213ce9cb0dc78a76	False	0.8754969410811733	data	7.656214120857171	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x21e0	0x2200	79295696639a588a31589cdf59b94108	False	0.9304917279411765	data	7.6203143873060455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	6d3a27a23161793f244e5ff4cbd05e2e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xba0c8	0x1e1f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9939048113085203
RT_GROUP_ICON	0xbbef8	0x14	data	1.05
RT_VERSION	0xbbf1c	0x2c0	data	0.4602272727272727

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-20T16:01:08.296968+0100	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49807	3.33.130.190	80	TCP
2024-12-20T16:01:08.296968+0100	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49807	3.33.130.190	80	TCP
2024-12-20T16:01:08.296968+0100	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49807	3.33.130.190	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:01:07.266288996 CET	49807	80	192.168.2.5	3.33.130.190
Dec 20, 2024 16:01:07.385900974 CET	80	49807	3.33.130.190	192.168.2.5
Dec 20, 2024 16:01:07.386099100 CET	49807	80	192.168.2.5	3.33.130.190
Dec 20, 2024 16:01:07.386214972 CET	49807	80	192.168.2.5	3.33.130.190
Dec 20, 2024 16:01:07.506258011 CET	80	49807	3.33.130.190	192.168.2.5
Dec 20, 2024 16:01:07.876257896 CET	49807	80	192.168.2.5	3.33.130.190
Dec 20, 2024 16:01:08.041218996 CET	80	49807	3.33.130.190	192.168.2.5
Dec 20, 2024 16:01:08.296875954 CET	80	49807	3.33.130.190	192.168.2.5
Dec 20, 2024 16:01:08.296967983 CET	49807	80	192.168.2.5	3.33.130.190

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:00:46.455738068 CET	55373	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:00:46.847706079 CET	53	55373	1.1.1.1	192.168.2.5
Dec 20, 2024 16:01:06.643635035 CET	51457	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:01:07.265377045 CET	53	51457	1.1.1.1	192.168.2.5
Dec 20, 2024 16:01:27.454713106 CET	50782	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:01:27.843672037 CET	53	50782	1.1.1.1	192.168.2.5
Dec 20, 2024 16:01:48.067329884 CET	61040	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:01:48.297539949 CET	53	61040	1.1.1.1	192.168.2.5
Dec 20, 2024 16:02:08.689492941 CET	59716	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:02:09.181797981 CET	53	59716	1.1.1.1	192.168.2.5
Dec 20, 2024 16:02:29.251482010 CET	61355	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:02:29.555325031 CET	53	61355	1.1.1.1	192.168.2.5
Dec 20, 2024 16:02:50.065629005 CET	62090	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:02:50.288039923 CET	53	62090	1.1.1.1	192.168.2.5
Dec 20, 2024 16:03:11.263947964 CET	49389	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:03:11.602961063 CET	53	49389	1.1.1.1	192.168.2.5
Dec 20, 2024 16:03:32.081054926 CET	53008	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:03:32.304796934 CET	53	53008	1.1.1.1	192.168.2.5
Dec 20, 2024 16:04:13.299983025 CET	51100	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:04:13.532613039 CET	53	51100	1.1.1.1	192.168.2.5
Dec 20, 2024 16:04:34.471282005 CET	54431	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:04:34.772891045 CET	53	54431	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 16:00:46.455738068 CET	192.168.2.5	1.1.1.1	0xaa1e	Standard query (0)	www.ruck-driver-jobs-90329.bond	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:01:06.643635035 CET	192.168.2.5	1.1.1.1	0x56e5	Standard query (0)	www.emi.wtf	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:01:27.454713106 CET	192.168.2.5	1.1.1.1	0x41f9	Standard query (0)	www.bthlcatgini.forum	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:01:48.067329884 CET	192.168.2.5	1.1.1.1	0x6ff6	Standard query (0)	www.jrxy.bid	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:02:08.689492941 CET	192.168.2.5	1.1.1.1	0x4a68	Standard query (0)	www.sychology-degree-20222.bond	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:02:29.251482010 CET	192.168.2.5	1.1.1.1	0x49d4	Standard query (0)	www.utties.xyz	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:02:50.065629005 CET	192.168.2.5	1.1.1.1	0x99a5	Standard query (0)	www.atchy14.online	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:03:11.263947964 CET	192.168.2.5	1.1.1.1	0x35fd	Standard query (0)	www.zwtpe.info	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:03:32.081054926 CET	192.168.2.5	1.1.1.1	0x50e6	Standard query (0)	www.rendylittlediva.store	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:04:13.299983025 CET	192.168.2.5	1.1.1.1	0x38de	Standard query (0)	www.otagyrency.shop	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:04:34.471282005 CET	192.168.2.5	1.1.1.1	0xd6b0	Standard query (0)	www.ompaz.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 16:00:46.847706079 CET	1.1.1.1	192.168.2.5	0xaa1e	Name error (3)	www.ruck-driver-jobs-90329.bond	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:01:07.265377045 CET	1.1.1.1	192.168.2.5	0x56e5	No error (0)	www.emi.wtf	emi.wtf		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 16:01:07.265377045 CET	1.1.1.1	192.168.2.5	0x56e5	No error (0)	emi.wtf		3.33.130.190	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:01:07.265377045 CET	1.1.1.1	192.168.2.5	0x56e5	No error (0)	emi.wtf		15.197.148.33	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:01:27.843672037 CET	1.1.1.1	192.168.2.5	0x41f9	Name error (3)	www.bthlcatgini.forum	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:01:48.297539949 CET	1.1.1.1	192.168.2.5	0x6ff6	Name error (3)	www.jrxy.bid	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:02:09.181797981 CET	1.1.1.1	192.168.2.5	0x4a68	Name error (3)	www.sychology-degree-20222.bond	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:02:29.555325031 CET	1.1.1.1	192.168.2.5	0x49d4	Name error (3)	www.utties.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:02:50.288039923 CET	1.1.1.1	192.168.2.5	0x99a5	Name error (3)	www.atchy14.online	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:03:11.602961063 CET	1.1.1.1	192.168.2.5	0x35fd	Name error (3)	www.zwtpe.info	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:03:32.304796934 CET	1.1.1.1	192.168.2.5	0x50e6	Name error (3)	www.rendylittlediva.store	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:04:13.532613039 CET	1.1.1.1	192.168.2.5	0x38de	Name error (3)	www.otagyrency.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:04:34.772891045 CET	1.1.1.1	192.168.2.5	0xd6b0	Name error (3)	www.ompaz.xyz	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.emi.wtf

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49807	3.33.130.190	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:01:07.386214972 CET	162	OUT	GET /gd04/?uvC=N20YWnVHT5RQC6WMyDV2V8c+DcGptM14OKih1BJNLsVd899Y1bUoCinKVTGhqICNh0dB&UlPxR=-Z1dwda8VP90AL HTTP/1.1 Host: www.emi.wtf Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	10:00:07
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x2e0000
File size:	760'320 bytes
MD5 hash:	25369CACD15FD28391F08B48AD5FDF4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2169103916.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2169103916.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:00:09
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe30000
File size:	760'320 bytes
MD5 hash:	25369CACD15FD28391F08B48AD5FDF4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:00:10
Start date:	20/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:00:13
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0xb30000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4621349688.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4621301602.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:00:16
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\file.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:00:17
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	6

Executed Functions

Function 06932C9E Relevance: 4.1, Strings: 3, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 06932FCB
ry, xrefs: 06932FC4
ry, xrefs: 06932FE2

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 807d259c893b3f6d3bc3ec20fe89246fe7725a9d4108ac2f0d0009c282b4b03a
Instruction ID: 8b80e33fe6078607ef71e87d686f52676e7e0b2dec5e26c86c8ed3b30626bfce
Opcode Fuzzy Hash: 807d259c893b3f6d3bc3ec20fe89246fe7725a9d4108ac2f0d0009c282b4b03a
Instruction Fuzzy Hash: 36D18174E0521ADFDB54CFA5C8858AEFBB2FF89340B10D566D412AB258D734EA42CF90

Function 06932CAD Relevance: 4.1, Strings: 3, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 06932FCB
ry, xrefs: 06932FC4
ry, xrefs: 06932FE2

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: c833b051917254ebcb1437a16d96a69fe1dbc5dc5232e1f57f34fa15e344e5c3
Instruction ID: 22783353025b5d5693b8fa569b4fbf3a3f64ef020a80101273eadbf17b27d026
Opcode Fuzzy Hash: c833b051917254ebcb1437a16d96a69fe1dbc5dc5232e1f57f34fa15e344e5c3
Instruction Fuzzy Hash: C3D19174E0521ADFDB54CFA5C8858AEFBB2FF89300B10C566D412AB258D734EA42CF94

Function 06932CF8 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 06932FCB
ry, xrefs: 06932FC4
ry, xrefs: 06932FE2

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 6391b304d3dfa5f7455aa52ac460982ea6a6cf603b7f59ee251be23b716064c5
Instruction ID: 2d3a2ee9cc866b90156f1268ad4521a9fa77231dabb4f0f8fc8b814c9cc37235
Opcode Fuzzy Hash: 6391b304d3dfa5f7455aa52ac460982ea6a6cf603b7f59ee251be23b716064c5
Instruction Fuzzy Hash: 2DC15C74E0521ADFDB54CFA5C4858AEFBB2FF88300B10D466D416AB658D734AA82CF94

Function 06930B3D Relevance: 4.0, Strings: 3, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z^I, xrefs: 06930D51
Teeq, xrefs: 06930BF9
Teeq, xrefs: 06930E00

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: Teeq$Teeq$z^I
API String ID: 0-3834019116
Opcode ID: 8c06d783eeeb6eedac5031d2ff92e717958fea6ae5f3abb2295a4d15ad859458
Instruction ID: 76ee46e5f19cdb69c5295da688300a94d99053b2514a87f31c82328e3240611e
Opcode Fuzzy Hash: 8c06d783eeeb6eedac5031d2ff92e717958fea6ae5f3abb2295a4d15ad859458
Instruction Fuzzy Hash: 8DA13875E042198FDB48CFAAC884AEEFBB2EF89300F14942AD415BB254D7349945CFA4

Function 06930B76 Relevance: 4.0, Strings: 3, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z^I, xrefs: 06930D51
Teeq, xrefs: 06930BF9
Teeq, xrefs: 06930E00

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: Teeq$Teeq$z^I
API String ID: 0-3834019116
Opcode ID: 70030030111fd09e39b4071f1a18ff59041bc80bd38fde19c2374c2fc1a9b238
Instruction ID: 4a7a4b51f94fbe55506808115aa908e5d54b087ee64e0ed3a93819f19e691763
Opcode Fuzzy Hash: 70030030111fd09e39b4071f1a18ff59041bc80bd38fde19c2374c2fc1a9b238
Instruction Fuzzy Hash: 47A1F375E002198FDB48CFAAC984AEEFBB2FF89300F24942AD415BB254D7349945CF64

Function 06930B90 Relevance: 4.0, Strings: 3, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z^I, xrefs: 06930D51
Teeq, xrefs: 06930BF9
Teeq, xrefs: 06930E00

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: Teeq$Teeq$z^I
API String ID: 0-3834019116
Opcode ID: 7212215b0c0482896519f7fbbe3171151536900dc318468c1444062bba43b5a1
Instruction ID: 69288eb35e809e7d16aa844a37559811ae6d4fad2bc5b133285fdd17414d205d
Opcode Fuzzy Hash: 7212215b0c0482896519f7fbbe3171151536900dc318468c1444062bba43b5a1
Instruction Fuzzy Hash: 4991C3B4E112198FDB48CFAAC584AAEFBB2FF88310F24942AD415BB254D7349945CF64

Function 069396B8 Relevance: 2.7, Strings: 2, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 06939838
UC;", xrefs: 069398B6

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: bb8f9857ec427b8bd4999bd55c0653eaac1025b59df53a2875388fc2fc744006
Instruction ID: e7d367aa46d86ae26ccc486ba8649d86969e31d32b446126ab018367b5a127d4
Opcode Fuzzy Hash: bb8f9857ec427b8bd4999bd55c0653eaac1025b59df53a2875388fc2fc744006
Instruction Fuzzy Hash: 19916A75D15219EFCB48CFA5E58059EFBB2FF89350F10A42AE516B7264E7709902CF40

Function 069396C8 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 06939838
UC;", xrefs: 069398B6

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 3d4fa7503080a5564122956abe2543996efe1a13563e2ff14ebfb5b7b5dd3eea
Instruction ID: afc8192788fa88a42fabf5be4e6f487432512bcf2c5cf10b9c805d02a4ddd594
Opcode Fuzzy Hash: 3d4fa7503080a5564122956abe2543996efe1a13563e2ff14ebfb5b7b5dd3eea
Instruction Fuzzy Hash: C2915975D15219EFCB48CFE6E58069EFBB2FF89350F10A42AE516A7264E7709902CF40

Function 06938090 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

5=6, xrefs: 069381CE

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: d387095dee75003655683138b19a720af91c1263670bc7f5a2a0a104618d7f00
Instruction ID: fd6faad54750ef0a2f5cde0140e69af98bf505336d7cecee92b70a112f6f920d
Opcode Fuzzy Hash: d387095dee75003655683138b19a720af91c1263670bc7f5a2a0a104618d7f00
Instruction Fuzzy Hash: 10716674E1561A9FCB44CFA6DA444AEFBB2FF89240F00D86AD016E7654E7789A018F90

Function 069380A0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

5=6, xrefs: 069381CE

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: ed70c9d872410abd2c3f86ed67f7fe96c610de950f35ed9a90f875db4f4d9ca8
Instruction ID: 60a8dffb5e0fbfd595089d84ee34ccf7c5d807ba795784753cce434812d22eb6
Opcode Fuzzy Hash: ed70c9d872410abd2c3f86ed67f7fe96c610de950f35ed9a90f875db4f4d9ca8
Instruction Fuzzy Hash: C3615774E1561A9FCB44CFA6DA444AEFBF2FF89240F00D86AD016E7614D7789A01CF90

Function 04C16DC0 Relevance: .8, Instructions: 839COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178288224.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f54dbd7d9b49d85693441bee21d1f6caabcd2f7ed3de6ca8cd62bb6a9152e7
Instruction ID: d6e12bd5bc4c41fc2c1125714c046e1f3f01d2f8010332c841f802d732d7ba5c
Opcode Fuzzy Hash: 76f54dbd7d9b49d85693441bee21d1f6caabcd2f7ed3de6ca8cd62bb6a9152e7
Instruction Fuzzy Hash: E492D534A00659CFD764DF64C894AE9B7B2FF8A300F1186EAD4096B360DB71AE85CF50

Function 04C16DB3 Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178288224.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40d4eeb994babfb66807606ab7b1a8d6d870b2749f34d399dbf5b3892db5040
Instruction ID: a4571e4514e4c7c46eb8e6bb0dfaef277fccbf582033e38cd4562597f51bc9cd
Opcode Fuzzy Hash: b40d4eeb994babfb66807606ab7b1a8d6d870b2749f34d399dbf5b3892db5040
Instruction Fuzzy Hash: 4192D534A00659CFD764DF64C894AE9B7B2FF8A300F1186EAD4096B360DB71AE85DF50

Function 06931E88 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91acfdbd9bb397f6bc70aed6e608311e875468a89b2d86b6d2ccca4c4b9acc4c
Instruction ID: 93dd806c5e916dd4aed01fb5184ecbee0ee29ee1ceac13772a8fd9d6aaf949b4
Opcode Fuzzy Hash: 91acfdbd9bb397f6bc70aed6e608311e875468a89b2d86b6d2ccca4c4b9acc4c
Instruction Fuzzy Hash: 2B212675E006188BDB18CFABD9446DEFBB3EFC8310F14C06AD409A6268DB355A45CF40

Function 06931E7A Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5696dfbf4bb01a2ee15dfdcf9d2d6e1ef28f734568b7bf4a0b57f7f5f47c163
Instruction ID: ca0ec45e8c351c1cb83947d4be5915dfe70d80c40e499f7821ab8ae78e917a06
Opcode Fuzzy Hash: b5696dfbf4bb01a2ee15dfdcf9d2d6e1ef28f734568b7bf4a0b57f7f5f47c163
Instruction Fuzzy Hash: DF21E7B5E016588BDB18CFA7C9452DEBFF3AFC9300F14C06AD408AA268DB755A46CF51

Function 0248AE48 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0248B09E

Memory Dump Source

Source File: 00000000.00000002.2167418216.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a3a9cedc7251e4f7e0912accd6916eb8bdd9c5de110fd7335ce017ca54283053
Instruction ID: 162a301c805af5ae8832c301a4f8783e04004bb824ef8b4b47724974a1a32e5a
Opcode Fuzzy Hash: a3a9cedc7251e4f7e0912accd6916eb8bdd9c5de110fd7335ce017ca54283053
Instruction Fuzzy Hash: 037101B1A10B158FD725EF2AD44476ABBF2FF88304F00892EE58A97B50D774E945CB90

Function 024844B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 024859C9

Memory Dump Source

Source File: 00000000.00000002.2167418216.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f4972bfc54d4e7db41f190bb41b454c26b21e1d06b036f54e3f83ef2f0dc0037
Instruction ID: 8d1cb304e0932f1e1ac33a1e75f7c8d4b289f0990adeeafc7201727491940a30
Opcode Fuzzy Hash: f4972bfc54d4e7db41f190bb41b454c26b21e1d06b036f54e3f83ef2f0dc0037
Instruction Fuzzy Hash: 9E41E0B0C00719CBDB24DFA9C884B8EBBF5BF49304F60806AD408AB265DB756949CF90

Function 0248590D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 024859C9

Memory Dump Source

Source File: 00000000.00000002.2167418216.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e9e64fcfe64b84b9f017b527254378756eb200afa68f0d2a7c880e340b96e6d6
Instruction ID: 27f8036f6317602f04d7891cfb819ffda9901b9c3957640530c17434a7106d8d
Opcode Fuzzy Hash: e9e64fcfe64b84b9f017b527254378756eb200afa68f0d2a7c880e340b96e6d6
Instruction Fuzzy Hash: 9C41DFB1C00719CBDB24DFA9C884BCEBBF5BF48304F64816AD418AB265DB756949CF90

Function 04C14050 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04C14111

Memory Dump Source

Source File: 00000000.00000002.2178288224.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c10000_file.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8fd841eed3e3a63111222d167557f4d7131354922674b499b857addd4ebb738b
Instruction ID: 62a3702e6b1d370196bf904c9b752348cc226218f4181fb6b9f615424eae6ce7
Opcode Fuzzy Hash: 8fd841eed3e3a63111222d167557f4d7131354922674b499b857addd4ebb738b
Instruction Fuzzy Hash: 5F415DB9900309DFDB14CF9AC848A9ABBF6FF89314F24C459D519AB321D374A841CFA0

Function 0248B830 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0248D6E6,?,?,?,?,?), ref: 0248D7A7

Memory Dump Source

Source File: 00000000.00000002.2167418216.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 29d7450d8fbbfeb9b5e73353ce83badf0b4ecd1bbfbce2aa172230b0cb2632a3
Instruction ID: 46bf0c5ec615e8f810195fd38d0c286456095fe998c806d2ad8fb993c6067a1c
Opcode Fuzzy Hash: 29d7450d8fbbfeb9b5e73353ce83badf0b4ecd1bbfbce2aa172230b0cb2632a3
Instruction Fuzzy Hash: 522103B5D11208EFDB10DFAAD984ADEBFF8EB48310F14801AE914A3350D374A940CFA0

Function 0248D719 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0248D6E6,?,?,?,?,?), ref: 0248D7A7

Memory Dump Source

Source File: 00000000.00000002.2167418216.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f9e5905f10010c822bf3b36e83541fe1a86ec4f0ccfc8eaba26bb3512dae7090
Instruction ID: a14cbaa1e1e0bfc902b2859f03bfe9fdca0a10d3ee75c3f077fbe1fb9455aa4d
Opcode Fuzzy Hash: f9e5905f10010c822bf3b36e83541fe1a86ec4f0ccfc8eaba26bb3512dae7090
Instruction Fuzzy Hash: DF21E0B5901209DFDB10DFAAD984ADEBBF4EB48324F14801AE918B7350C378A954DFA0

Function 06937CB8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06937D33

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9f060b2f3474c495a857bf8e82768db9db264bc0e30dd34bcb121508c1ac4b5a
Instruction ID: 67c4354f15c526d38e445b5471c61ff12a45b037467dd401518b51e5ce9a1429
Opcode Fuzzy Hash: 9f060b2f3474c495a857bf8e82768db9db264bc0e30dd34bcb121508c1ac4b5a
Instruction Fuzzy Hash: EC2103B5900259DFCB10DF9AC984ADEBBF4FB48320F10842AE959A7650D378A644CFA5

Function 06937CC0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06937D33

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: db8060dc8cbf804ccc2d37b0b8caeb83728f06c0d7c00c35b470f67345defa2d
Instruction ID: 3c85ceab213452c42f96dde5848f93fec14fa8e0881efbf1dd176fb2ca578679
Opcode Fuzzy Hash: db8060dc8cbf804ccc2d37b0b8caeb83728f06c0d7c00c35b470f67345defa2d
Instruction Fuzzy Hash: 832117B59002499FCB10DF9AC984BDEFBF8FB48320F10842AE559A7251D774A544CFA5

Function 0248B038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0248B09E

Memory Dump Source

Source File: 00000000.00000002.2167418216.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 21d3563b4a7ff05a286cde9ce34385efdd048690050a58d18a9b8b185ceccf87
Instruction ID: 31035961d1097d627feb12a6a7783cd048ddcd5f0ffcc5f930a57fffe2e03f90
Opcode Fuzzy Hash: 21d3563b4a7ff05a286cde9ce34385efdd048690050a58d18a9b8b185ceccf87
Instruction Fuzzy Hash: FA11E0B6C002498FCB20DF9AC944BDEFBF4FB89324F14845AD969A7210D375A545CFA1

Function 0242D110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2167085030.000000000242D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0242D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_242d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf5989e26d6fd8878873ded75a4480221ec3ef013b11d97e91f751c6d7dea23
Instruction ID: a3a164b3c9580c4362a94b7b8097d1da160dd9241269620119e1b0b904b98063
Opcode Fuzzy Hash: bdf5989e26d6fd8878873ded75a4480221ec3ef013b11d97e91f751c6d7dea23
Instruction Fuzzy Hash: BD212571904220DFDB06DF14D9C0B27BF66FB98324F64C56AE9090B75AC336D85AC6A2

Function 0243D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2167162618.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42e234e8ade599c8918584ef5a35efcf5b331af8e45ed1e6d96c9bef099f6a7
Instruction ID: a36ec66b8e065de0d7a15a2f5a6d8d59edcc802d224213a61fc844267600cc9f
Opcode Fuzzy Hash: a42e234e8ade599c8918584ef5a35efcf5b331af8e45ed1e6d96c9bef099f6a7
Instruction Fuzzy Hash: FC212671904200EFDB06DF14D9C0B26BBA5FB8C324F24C96EE8094F356C73AD846CA61

Function 0243D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2167162618.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1d08da39a068e84870db57076daf9affe9cc3afc264511a0f3215c1c0c1665
Instruction ID: 90d274f02538709cc642747ee27660fb6693fc16cfdcdef812b2fcf8cda953e6
Opcode Fuzzy Hash: 7b1d08da39a068e84870db57076daf9affe9cc3afc264511a0f3215c1c0c1665
Instruction Fuzzy Hash: 22210371904200DFDB16DF14D980B16BB75EB88728F20C56AD80A0B346C33AD447CA61

Function 0243D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2167162618.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7cc078b23d489cf4670cba4017ddbb78794c7b4c3e77b3252333002801e9bd
Instruction ID: 5daaf426b26cf416169a3c0e6c87ed2ccf2b33f8f7e2530e7584d20736ab969b
Opcode Fuzzy Hash: 2f7cc078b23d489cf4670cba4017ddbb78794c7b4c3e77b3252333002801e9bd
Instruction Fuzzy Hash: B6217175509380CFC703CF24D594716BF71EB4A214F28C5DAD8498B2A7C33A940ACB62

Function 0242D10B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2167085030.000000000242D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0242D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_242d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 295b959972d3a1d11680c09c37f94b60f58cb3c50e7337493fb92b9372d6a77e
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 5311B476904240CFCB16CF10D9C4B26BF72FB88314F24C5AAD9054B756C336D45ACB92

Function 0243D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2167162618.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: edfb0d90ace9ae18253504784aa90371e90144fb5cceca8066620fd463089e6e
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: BF118B75904280DFDB16CF14D5C4B16BBA1FB88324F24C6AED8494F796C33AD45ACB61

Non-executed Functions

Function 0693A570 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

{#L, xrefs: 0693A748

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 28e3f03840a7380a8005e9e35c61feca3fdc5132732d3205d7744fb8bc446417
Instruction ID: b698796f9b120345fc44ebac1a0bc002db014af71e4ecc2ba02326afc5e3fafa
Opcode Fuzzy Hash: 28e3f03840a7380a8005e9e35c61feca3fdc5132732d3205d7744fb8bc446417
Instruction Fuzzy Hash: 58D1F171E05229DFDB58CFAAC98059EFBF2FF88300F14D52AD41AAB224D73499428F50

Function 0693A56A Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

{#L, xrefs: 0693A748

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: ea71c4b2e715d791e2186f57d8ec84d53121ba19a04a3b437c8350c6e0294896
Instruction ID: a22bfcc68d68e202f457e51513a95ba9ccaff5d6e95361ffea2f2114fad6c9ba
Opcode Fuzzy Hash: ea71c4b2e715d791e2186f57d8ec84d53121ba19a04a3b437c8350c6e0294896
Instruction Fuzzy Hash: DBD1E275E05229DFDB58CFAAD98049EFBF2FF88300F14D52AD45AAB224D73499428F50

Function 069318E8 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

98R, xrefs: 06931A43

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: 86140fc4121fca74b72a93ef4062146aac4bc890b1de6d67da02d2aaca46d76b
Instruction ID: 68ef08ba3e13adda8fcfbed2d6fda5a143470372feba5c493743d6b836b4b1a9
Opcode Fuzzy Hash: 86140fc4121fca74b72a93ef4062146aac4bc890b1de6d67da02d2aaca46d76b
Instruction Fuzzy Hash: 68711774E0521ADFDB48CF99D4819AEFBB1FF89310F148929D415AB724D334AA42CF94

Function 069318D9 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

98R, xrefs: 06931A43

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: 308ec8f02febdeef410b9ff7f75eef5c92169dfd49121149c55753c4eacf18b7
Instruction ID: dcf04a0ed6e598066a456cde84547861c9c0ed23349f5cce681fc67172598b00
Opcode Fuzzy Hash: 308ec8f02febdeef410b9ff7f75eef5c92169dfd49121149c55753c4eacf18b7
Instruction Fuzzy Hash: 22612874E0421A9FDB48CF99D4819AEFBB2FF89310F148826D515AB724D374AA42CF94

Function 06938698 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 069387AE

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 850f398bf132a807deba67fe961061868f470ea027909c47edd32b582992cbbe
Instruction ID: ca010a00b6014fa443bbd0062489264213484beef7a82b1d59bc410107350e0b
Opcode Fuzzy Hash: 850f398bf132a807deba67fe961061868f470ea027909c47edd32b582992cbbe
Instruction Fuzzy Hash: 715115B8E012299FDB54CFA9D6456EEFBF2FF88300F10942AE406B7654E73459418F94

Function 06938691 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

iUfo, xrefs: 069387AE

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 509a15acb919bb6068b81ef34df9458d0b9dff6ee0f06079f9baa2d80ed62839
Instruction ID: 5404742a3795b2d6f795c1ac6c808165bc74d12db9b5f660838343501c99057e
Opcode Fuzzy Hash: 509a15acb919bb6068b81ef34df9458d0b9dff6ee0f06079f9baa2d80ed62839
Instruction Fuzzy Hash: A851E5B8E012299FDF54CFA9D6456EEFBF2FF88300F10942AE405B7654E7785A018B94

Function 06931440 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

-2m, xrefs: 06931563

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: e2cdc444a198431c4dac15f9ca63786b39c51145451a68aa776ef3b386ef1f1e
Instruction ID: a1968321f046b584b22b9cb0417e0dbf4cf647e6448dcc4074eea37d17259f37
Opcode Fuzzy Hash: e2cdc444a198431c4dac15f9ca63786b39c51145451a68aa776ef3b386ef1f1e
Instruction Fuzzy Hash: 11514AB4E052198FDB08CFAAC4446AEFBF2EF88301F28D46AD419A7264D7349941CB64

Function 06931450 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

-2m, xrefs: 06931563

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: 21ac8bf212e5fa0c162f8a925a2321d471dd5b19abd339ede2ebc362b6818a2c
Instruction ID: bd2aea808a4b110dca1c1215b6866f470f2c6e6f2684a39ef731b90186cfc948
Opcode Fuzzy Hash: 21ac8bf212e5fa0c162f8a925a2321d471dd5b19abd339ede2ebc362b6818a2c
Instruction Fuzzy Hash: 24510AB4E052198FDB48CFAAD5445AEFBF2EF88301F24D42AD419B7264D7349941CBA4

Function 06938A90 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 06938BC5

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 05273e2403893790d8233c0cb1426bcaa5b1b712ab4d48e696fe01c7dba1b48e
Instruction ID: d8d0a60f46c04a79adee04f2eb970a894ac84f3fede65fa3e4c8582ae3395628
Opcode Fuzzy Hash: 05273e2403893790d8233c0cb1426bcaa5b1b712ab4d48e696fe01c7dba1b48e
Instruction Fuzzy Hash: 364147B4D04229CFDF44CFA6C6405EEFBB1FB89210F14982AD416B7644D3385A42CF98

Function 06938A8B Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

w7e^, xrefs: 06938BC5

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 2cb05a4561fff674bbc7f53d5a18d0c349e779664bdae7244067c0f930d42b05
Instruction ID: dcdfd179ef7f3a4a96350ade3decd52773897411f8f862db96fe6195a5652996
Opcode Fuzzy Hash: 2cb05a4561fff674bbc7f53d5a18d0c349e779664bdae7244067c0f930d42b05
Instruction Fuzzy Hash: F84147B1D04229DFDF44CFA6CA416EEFBB2FB89240F14982AD016B7654D7385A41CF98

Function 06935588 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0ni, xrefs: 069356F3

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 3668054cf410b687e264ef668543cffce9ec2ce63d5b9678c17bf23738f0ee2c
Instruction ID: cd6bafd832f893505daa2e1323cdafa77bc986522b9a74e5947a7fd1b759766b
Opcode Fuzzy Hash: 3668054cf410b687e264ef668543cffce9ec2ce63d5b9678c17bf23738f0ee2c
Instruction Fuzzy Hash: D8516971E11618CBDB68DF6B8D4479EFAF3AFC8300F14C1BA950CA6264EB300A858F51

Function 06935578 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

0ni, xrefs: 069356F3

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 9cb7a8b715318939241cd45bd841a89f2513a90233f30e85a767d5c578604d1d
Instruction ID: d28c7f4d7a39d059a4f5d71873936b1c174d157461c616c44bf60e6a2bab40a4
Opcode Fuzzy Hash: 9cb7a8b715318939241cd45bd841a89f2513a90233f30e85a767d5c578604d1d
Instruction Fuzzy Hash: 8B516C71E116188BDB68CF6B8D4578EFBF3AFC8300F14C1BA950CA6255EB3009858F41

Function 04C10040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178288224.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0696b02e69561170b7ac1d18f9ba82517247c9b8d399f646ada658fb9c8261e0
Instruction ID: 13e7c62b6021a16d56eaa2e4f264cd8a2351e6aa270fdf2257894bf34f041fdb
Opcode Fuzzy Hash: 0696b02e69561170b7ac1d18f9ba82517247c9b8d399f646ada658fb9c8261e0
Instruction Fuzzy Hash: 5412D5B0C817458BE75ADF25F84C189BBB6BB81319FD08B09C2616F2E5DBB4106ACF44

Function 0248D404 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2167418216.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027a1b401a47b4c1bb2b8065863024d98c5ef9a6b1258dfa741ef31dc6f523d9
Instruction ID: 3d019be21781deddc32529bb485a76e7379e4b8b2e230fdaa20c13fc78751938
Opcode Fuzzy Hash: 027a1b401a47b4c1bb2b8065863024d98c5ef9a6b1258dfa741ef31dc6f523d9
Instruction Fuzzy Hash: 82A18332E102158FCF06EFB5C8405AEB7B2FF85304B66456AE801BB661DB71E95ACF40

Function 06939FC8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76564c8463898f2534c07eb99dcd4e764ceaecd42c9aa608aed73a0dd475c850
Instruction ID: 6650958891a8256859fbe77476e68e5e0a8ccf92a8d0b117622069ac942a4a7e
Opcode Fuzzy Hash: 76564c8463898f2534c07eb99dcd4e764ceaecd42c9aa608aed73a0dd475c850
Instruction Fuzzy Hash: 7EB10671D05219DFDB58CFE6D98059EFBB2FF89300F20942AD019AB654EB35AA06CF50

Function 06939FC3 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc390a5d71a8dd5388e801ad11ad87f0727fe128e098de42db9a15c38e768c7
Instruction ID: d4b62d48764e69871809557f0a262293b93484e0aafee3f792911a98db875b42
Opcode Fuzzy Hash: 8fc390a5d71a8dd5388e801ad11ad87f0727fe128e098de42db9a15c38e768c7
Instruction Fuzzy Hash: 7EA10671D05219DFDB58CFAAD98059EFBB2FF89300F20D42AD419A7254DB35AA02CF50

Function 06933CF8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e683cd380fea8acf85d14c299ee9f92bf99ceb87eb5b558146549221b3ea46
Instruction ID: a2b03d329b4731eccf55f3f51f189499c422c7c0e1b58768e0c94ba11fa38e79
Opcode Fuzzy Hash: d9e683cd380fea8acf85d14c299ee9f92bf99ceb87eb5b558146549221b3ea46
Instruction Fuzzy Hash: BC910374A1526ACFDB44CFA9C58499EFBF1FF88310B24956AE415EB620D330AE41CF91

Function 06933D08 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6caf973e09f64e945998ad85947d944bb5a6a7a02bcd2c9502124f3678194077
Instruction ID: 0bc4998850b0b40aafce740088c842ce8e3138c59565a0cda7e41b8392f2b686
Opcode Fuzzy Hash: 6caf973e09f64e945998ad85947d944bb5a6a7a02bcd2c9502124f3678194077
Instruction Fuzzy Hash: 1691D274A1525ACFDB44CF99C58499EFBF2FF88310F24956AE415AB620D330AE41CF91

Function 06938E50 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e8a10155f884360503a0ce9fb716071c752384a5353161cdd713a56bf860d9
Instruction ID: 8b2f0f93dbd02ba99386c798bb39feb7c8eaab1bd9095cd18852cf8aa9e7368c
Opcode Fuzzy Hash: c7e8a10155f884360503a0ce9fb716071c752384a5353161cdd713a56bf860d9
Instruction Fuzzy Hash: A0811E74E04629CFCB54DFA9C580AAEFBB6FF89300F24C169D418A7616D734A941CFA1

Function 06938E40 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c99e15e25828ff8f17ab4e7bcab7eef5c9b314fa8f9fe5beb2a9e99392bb6db
Instruction ID: 8e0f818552ee31ba876b1991f654267652d63e8c9d0aebf9a2a71d01d5bc66d1
Opcode Fuzzy Hash: 2c99e15e25828ff8f17ab4e7bcab7eef5c9b314fa8f9fe5beb2a9e99392bb6db
Instruction Fuzzy Hash: 18810E74E146298FCB54DF69C580AAEFBB2BF89300F24C169D418A7716D734AA41CF61

Function 06935118 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098a8877d13ad44fdc4db355c0292395c320ccc57f7f374f86992b5fe1b8cac9
Instruction ID: bc7ea37242706d71a7587e5bb51772ade19d37424fe372ec991e03c29808de79
Opcode Fuzzy Hash: 098a8877d13ad44fdc4db355c0292395c320ccc57f7f374f86992b5fe1b8cac9
Instruction Fuzzy Hash: 2371F474E15619CFDB44CFA9C9809DEFBF2FF8C250F25942AD415BB224E3349A428B64

Function 06935108 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0932e98cf30d72213b2261dd2f0df073a776d4bb4ab0c5c10a538136a8da6016
Instruction ID: fb68a50a10798072037f3da2c290866b63dbe480a9dce9f7ca55d6acf978d8ea
Opcode Fuzzy Hash: 0932e98cf30d72213b2261dd2f0df073a776d4bb4ab0c5c10a538136a8da6016
Instruction Fuzzy Hash: F8711574E156198FDB44CFA9C9805DEFBF2FF8C210F25942AD415BB264E3349A428B64

Function 069353A8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28a37f493d9280ddde368108f841e7a36915852027de695174a17db18798694
Instruction ID: 22001c23ef9f93f4d29bc951cb237ea024ee93d1a571714a23ffb63ef7bd3ba3
Opcode Fuzzy Hash: d28a37f493d9280ddde368108f841e7a36915852027de695174a17db18798694
Instruction Fuzzy Hash: 1D4106B0E0521ADFDB48CFAAC5815AEFBF2EF8C200F20C56AC415B7614D7749A41CBA4

Function 06935398 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9682fff077568c8da6a36ec6907688656ffab2153d497d936ba0bbe5833e4d
Instruction ID: dd42d38742e925c356569c46dcdbc0239aefdc0553877e18822204667ec46379
Opcode Fuzzy Hash: 5b9682fff077568c8da6a36ec6907688656ffab2153d497d936ba0bbe5833e4d
Instruction Fuzzy Hash: AA41F7B1E0521ADFDB48CFA9C5816AEFBF2EF8C200F24C56AC415A7614E7749A41CB94

Function 06938358 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5ca9c89b13f3daa96fcac6096309862bc597582aade886f8c5b28ab8ab0692
Instruction ID: 15a70fbc66470ab6dc64ee82ba6ad406b5ab7a275d5c8b379f4b6659c905896f
Opcode Fuzzy Hash: fc5ca9c89b13f3daa96fcac6096309862bc597582aade886f8c5b28ab8ab0692
Instruction Fuzzy Hash: 0C416D70E0521ADFDB44CFA6C6416AEFBF6EF88300F20D86AD104B7664E3749B018B94

Function 06934F00 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ff48afc86b04d7e895b3d2adcc95dc9c27802017e8a15d325a5faf9379a35f
Instruction ID: 5b0074b519b879a8d993835f0d524998a429c4e0310cd101bd40422cee3434fc
Opcode Fuzzy Hash: 24ff48afc86b04d7e895b3d2adcc95dc9c27802017e8a15d325a5faf9379a35f
Instruction Fuzzy Hash: 154109B1E0421A9FDB44CFAAC5816AEFBF2EF88700F19C42AD415B7654D3349A41CF94

Function 06938353 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfe86c727a1d6d7c895d153bd8f26bc9831d32a282774d7403852d6a6388fb4
Instruction ID: 96410b63e4ce093edd01278e3d08c934b10037ea7985209c4cd1e714714079b0
Opcode Fuzzy Hash: cbfe86c727a1d6d7c895d153bd8f26bc9831d32a282774d7403852d6a6388fb4
Instruction Fuzzy Hash: 39414A74E0521ADFDB44CFA6C6416AEFBF2EF88300F20D86AD104B7664E3749B418B94

Function 06934F10 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5400d2fa70e37fc11e37116b818d67b6889352318328ab798da3082ffef3c03b
Instruction ID: 20331264aaac9fc79496e51889f31e0c37e9d1c96849c93d2cd8f19af31f07bf
Opcode Fuzzy Hash: 5400d2fa70e37fc11e37116b818d67b6889352318328ab798da3082ffef3c03b
Instruction Fuzzy Hash: 6741E3B0E0421ADFDB48CFAAC4805AEFBF2AF88700F24C46AD415BB614D3349A41CF94

Function 06930006 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6ae6f9823a7edafde5154020937238f3da880e3aa6c3dd88c369538902e2c5
Instruction ID: 3a93d441a8de973d962569a7a99c83b8519f92d725a4199f71f36b92263f93b1
Opcode Fuzzy Hash: 2e6ae6f9823a7edafde5154020937238f3da880e3aa6c3dd88c369538902e2c5
Instruction Fuzzy Hash: C3312D71E097548FE74ACF678C5069ABFB3AFCA200F19C0BBC448AB165D6380946CF61

Function 06930040 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179710772.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0fb3cd298ce7f2dd26247cb38e2b4cc2cb5e5f1d8bd43900aaade911b3cb39
Instruction ID: 414b511087ea8481393edfdcd19ec4998e36a36e3de4123c52cccb58ccbaf4ea
Opcode Fuzzy Hash: 8b0fb3cd298ce7f2dd26247cb38e2b4cc2cb5e5f1d8bd43900aaade911b3cb39
Instruction Fuzzy Hash: 2611D771E006189BEB58CFABD84469EFAF7AFC8210F14C07AC918B6224EB7406468F51

Analysis Process: file.exePID: 6580, Parent PID: 5496COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.8%
Signature Coverage:	6.5%
Total number of Nodes:	572
Total number of Limit Nodes:	74

Executed Functions

Function 0041A2A3 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

rMA, xrefs: 0041A41D, 0041A424
rMA, xrefs: 0041A402, 0041A410
1JA, xrefs: 0041A3FC, 0041A408

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 1JA$rMA$rMA
API String ID: 0-782607585
Opcode ID: bfb10d67e359e1b5667d3151c10b8994d631b2503b365fb78af5193f19005855
Instruction ID: 52d2ee83ec039d1d3edd33a6e1eb1303a02abb5d7a01953540d01ef818e07c0a
Opcode Fuzzy Hash: bfb10d67e359e1b5667d3151c10b8994d631b2503b365fb78af5193f19005855
Instruction Fuzzy Hash: 5F5127B2211108AFCB18DF99DC84EEB77A9EF8C714F158249FA1D97241C634E852CBA4

Function 0041A3DA Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

rMA, xrefs: 0041A41D, 0041A424
rMA, xrefs: 0041A402, 0041A410
1JA, xrefs: 0041A3FC, 0041A408

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: 7e78531269fb37ed48e5e78fe5c90646949908e99ce96e9344ba31ff10933831
Instruction ID: be642ffe53fecdc8d5671b3553d21e206fd0b2d71daba6b42e4a19d2f7918ff3
Opcode Fuzzy Hash: 7e78531269fb37ed48e5e78fe5c90646949908e99ce96e9344ba31ff10933831
Instruction Fuzzy Hash: ACF0F9B2210108AFCB14DF99DC80EEB77A9EF8D364F158249FE5D97291C630E851CBA4

Function 0041A3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

rMA, xrefs: 0041A41D, 0041A424
rMA, xrefs: 0041A402, 0041A410
1JA, xrefs: 0041A3FC, 0041A408

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Function 0041A330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Function 0041A50A Relevance: 1.5, APIs: 1, Instructions: 34
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7a67e3d9e8ecb8523e88244e3f561fe333782a2b051ad208c2f7ded54b79c758
Instruction ID: 979baeedf11ac67f3f626f0c962877ecff329699be0a8fde3cbd86996d3a4aa1
Opcode Fuzzy Hash: 7a67e3d9e8ecb8523e88244e3f561fe333782a2b051ad208c2f7ded54b79c758
Instruction Fuzzy Hash: 6CF0E2B6114148AFCB04DFA8DC84CE777ACEF88224710865EF90C97202D234E821CBA1

Function 0041A510 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A45A Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4bfcf2e1ef047a1a25f75289ea0b1f0c0c08ad3c55a84db1a232845fd00cc5e8
Instruction ID: a5b77fc065fdb58ac6052ce37c3ddc2d56732b91dfeb64b669bd0fc18a7c0c38
Opcode Fuzzy Hash: 4bfcf2e1ef047a1a25f75289ea0b1f0c0c08ad3c55a84db1a232845fd00cc5e8
Instruction Fuzzy Hash: C0E08C762401006BE710DB989C84EEB7B99EF88364F10419AB91CDB291C130E5028690

Function 0041A460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0

Function 01992BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992BFA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 238447c2de64c0f9b67a2eebef4b6e05746d2a1135fb59c3e157798862fed38b
Instruction ID: 65ef93abc42a22878f057de42ce8192b5742f143b37ea446066cadd73bff02d9
Opcode Fuzzy Hash: 238447c2de64c0f9b67a2eebef4b6e05746d2a1135fb59c3e157798862fed38b
Instruction Fuzzy Hash: 2590027170150802D1807198441864A404997D1302FD5C015A0065654DCA158B5D77E1

Function 01992B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992B6A

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39f0a88d50b6c44eb76da7a5605c24e5e6c04074f4173a0e55aaf13d1621c663
Instruction ID: daa30d32cab72c32ebe2c19c88073e52170ef349cf28b439aa0656403283b4bb
Opcode Fuzzy Hash: 39f0a88d50b6c44eb76da7a5605c24e5e6c04074f4173a0e55aaf13d1621c663
Instruction Fuzzy Hash: 9E9002A170250003410571984428616804E97E0202B95C021E1054590DC52589956265

Function 01992AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992ADA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e2c1e7128cf846d940a14b851d7cd7986ee6228e4911a41c30f74b2d791e1342
Instruction ID: 2383c2e20996d375aa9db4ba355daf25ef88719731362904a687e91430adc1e3
Opcode Fuzzy Hash: e2c1e7128cf846d940a14b851d7cd7986ee6228e4911a41c30f74b2d791e1342
Instruction Fuzzy Hash: 02900265711500030105B5980718507408A97D5352395C021F1055550CD62189655261

Function 01992DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992DDA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 47a4686439f8aa8615025b7e2ba67d1482ad98ccf483242e9aa7e823671cc7fd
Instruction ID: 85f4188efc3cb1c4c357ec5a775271795f076a1b19928d478687897085663e0f
Opcode Fuzzy Hash: 47a4686439f8aa8615025b7e2ba67d1482ad98ccf483242e9aa7e823671cc7fd
Instruction Fuzzy Hash: BF900261742541525545B1984418507804AA7E02427D5C012A1454950CC526995AD761

Function 01992DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992DFA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09b83223b074cb1af06e906c548df34c4a28dcdb71beb37a94d26032c7fb42c5
Instruction ID: 18ca2fdc0bf1e96872e9230d230d0045789c69c9a0e1ace1c0ced392466951fc
Opcode Fuzzy Hash: 09b83223b074cb1af06e906c548df34c4a28dcdb71beb37a94d26032c7fb42c5
Instruction Fuzzy Hash: DD90027170150413D11171984518707404D97D0242FD5C412A0464558DD6568A56A261

Function 01992D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992D1A

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb79ca49fa1cd9690cf7c59a92b397dd15a4128ae5564d629030fb6c38ca682f
Instruction ID: 18cdcf9db24de54f42fb6952a33dd3ef9aa89545b261ebf80bdf928f9a09c956
Opcode Fuzzy Hash: cb79ca49fa1cd9690cf7c59a92b397dd15a4128ae5564d629030fb6c38ca682f
Instruction Fuzzy Hash: 4890026971350002D1807198541C60A404997D1203FD5D415A0055558CC915896D5361

Function 01992D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992D3A

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17fba441e6f3d61c772d5a54ba438feeddcf35148f18caa6e36ea338ce53c6a8
Instruction ID: d0f4463b6a0632ebbdcf00951299ecddd2c5b4a0c1625639bc43745b48caf070
Opcode Fuzzy Hash: 17fba441e6f3d61c772d5a54ba438feeddcf35148f18caa6e36ea338ce53c6a8
Instruction Fuzzy Hash: 5E90026170150003D1407198542C6068049E7E1302F95D011E0454554CD915895A5362

Function 01992CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992CAA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 79194610d237bd4c217febdf0185e98aaaa8ec07df32972d5552251bb38f3fb8
Instruction ID: 98909f403fe81f434ad174a785e721cf7b87f8764063b785322071167a41d3fe
Opcode Fuzzy Hash: 79194610d237bd4c217febdf0185e98aaaa8ec07df32972d5552251bb38f3fb8
Instruction Fuzzy Hash: 5090027170150402D10075D8541C646404997E0302F95D011A5064555EC66589956271

Function 01992C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992C7A

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65a9c19877330b4dc6ab0e008c8815641ccee102c18acdd0f4af28e445f279be
Instruction ID: b089f23618b67e638e7fd4dddb19c52dfb6f35090cc958e16a8139852c57ca8a
Opcode Fuzzy Hash: 65a9c19877330b4dc6ab0e008c8815641ccee102c18acdd0f4af28e445f279be
Instruction Fuzzy Hash: 5490027170158802D1107198841874A404997D0302F99C411A4464658DC69589957261

Function 01992F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992F9A

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4882ad0304b07d211590529a3e2eb51a315d160f91a5e4a30a085aa700d77d31
Instruction ID: c0b8e7db019e6796b4febc00c72205c6812654313f4fe9183aebf45fa56aca4f
Opcode Fuzzy Hash: 4882ad0304b07d211590529a3e2eb51a315d160f91a5e4a30a085aa700d77d31
Instruction Fuzzy Hash: 7990027170190402D1007198482870B404997D0303F95C011A11A4555DC625895566B1

Function 01992FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992FBA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cc941d01e99834015a75a0b82a23f618364457228f9b4a76330928efcc4d7dc
Instruction ID: 2a3dc337503ad5efc2280fe652f2c94e024fc523d5bd0a7f390b35823e22d370
Opcode Fuzzy Hash: 5cc941d01e99834015a75a0b82a23f618364457228f9b4a76330928efcc4d7dc
Instruction Fuzzy Hash: 2B900261B0150042414071A888589068049BBE1212795C121A09D8550DC559896957A5

Function 01992FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992FEA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 248217b47a18182a37ad9587e4678a7c8acf67c088d7c02a4d59d8a4d4380e1a
Instruction ID: 5a10fc1cbe7d7903efaaf097f1afda287215ba1c1ea9c35d40faa9cb91f9374e
Opcode Fuzzy Hash: 248217b47a18182a37ad9587e4678a7c8acf67c088d7c02a4d59d8a4d4380e1a
Instruction Fuzzy Hash: 79900261711D0042D20075A84C28B07404997D0303F95C115A0194554CC91589655661

Function 01992F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992F3A

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c407fa9992fe83dd0041c5f72a09d24f68373f6b4ec9c62ff3728e10c6da667
Instruction ID: 4db3df2010e1aa96b88c5eac581b3d0797e7854a2c680008b9d0a75b524920b2
Opcode Fuzzy Hash: 7c407fa9992fe83dd0041c5f72a09d24f68373f6b4ec9c62ff3728e10c6da667
Instruction Fuzzy Hash: 159002A174150442D10071984428B064049D7E1302F95C015E10A4554DC619CD566266

Function 01992E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992E8A

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0acd34920c9a6e7622ddc084dc6e1454f287c0eb6508898aad35cb32d37334bb
Instruction ID: f068d399baf8d85218e06c227add27bcfd6275a104dde6725f376c8d2019a7e0
Opcode Fuzzy Hash: 0acd34920c9a6e7622ddc084dc6e1454f287c0eb6508898aad35cb32d37334bb
Instruction Fuzzy Hash: 68900261B0150502D10171984418616404E97D0242FD5C022A1064555ECA258A96A271

Function 01992EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992EAA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c8cca2e9391e1f9d7c1fc62f4c47a6903c768a505c6583d64a60c20e221dbfa7
Instruction ID: 897d219b6ab120eec65c50f084dd832096384957788c31b60e1870005480fafe
Opcode Fuzzy Hash: c8cca2e9391e1f9d7c1fc62f4c47a6903c768a505c6583d64a60c20e221dbfa7
Instruction Fuzzy Hash: 5D9002B170150402D14071984418746404997D0302F95C011A50A4554EC6598ED967A5

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
Opcode Fuzzy Hash: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Function 0041A632 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Strings

6EA, xrefs: 0041A622, 0041A62C

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: 6EA
API String ID: 2488874121-1400015478
Opcode ID: 3757c2c6a5d1561a2bdb5c60845ad52221d0923deb1eb8d4a44c943d8d8b509f
Instruction ID: e8c91d0f042e5314da6de229ae80247683e2df2942e3ba40f1d71260d36c8e8c
Opcode Fuzzy Hash: 3757c2c6a5d1561a2bdb5c60845ad52221d0923deb1eb8d4a44c943d8d8b509f
Instruction Fuzzy Hash: C401D1B52043086FC714EF69CC40DAB77A8AF84324F00864AFC6847382C730F825CAB1

Function 0041A600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D

Strings

6EA, xrefs: 0041A622, 0041A62C

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Function 00408309 Relevance: 1.6, APIs: 1, Instructions: 65
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ee6b825a62932c4ec3046cc3f6eeb594a8be82cc834cc3703d2ff77c72c7dd07
Instruction ID: 9e2f576cad27da0ab2e358dbc50c42e20382dc3af9a46660abedd7273eb180ef
Opcode Fuzzy Hash: ee6b825a62932c4ec3046cc3f6eeb594a8be82cc834cc3703d2ff77c72c7dd07
Instruction Fuzzy Hash: C6012B31A8031876E710A6A59D03FFE775C9B40F14F14016EFF48FA1C1EAB9690542EA

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Function 0040ACE7 Relevance: 1.6, APIs: 1, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4ed6ad2336e631d943ccb6ad37d4b7ccb9270185f2795c60a41aaf75e0551ddd
Instruction ID: 67bc8959cd0f8a91bda03e530ac7552ea913b8ed4de936fc8f58a412d22e11bb
Opcode Fuzzy Hash: 4ed6ad2336e631d943ccb6ad37d4b7ccb9270185f2795c60a41aaf75e0551ddd
Instruction Fuzzy Hash: 60019675E4020DBBDB10DAA0DC42FDEB3759F54308F0085A6E909AB281F675DA54CB96

Function 0041A640 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Function 0041A7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A7A4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: cf23342c5812746ab9c243a3211bc97cf42e8e094c075e327b78369c803d9285
Instruction ID: 10fa5d71fd09eca79de46179b75407a176c66eb220b4c4af09f9115ca35e58d2
Opcode Fuzzy Hash: cf23342c5812746ab9c243a3211bc97cf42e8e094c075e327b78369c803d9285
Instruction Fuzzy Hash: DBE072B02042002BCB10DF15DC80ED73BA8DF80220F00869EFC8C1B202C430E815CBB0

Function 0041A680 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1

Function 0041A672 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67e33203cce9a5c70dca0f4ff4d11a9de5640cfa35b9787a2ee3cd1fe0cc37a4
Instruction ID: 73edbf807fc889e79d05f059e8b0fb32a9d626e56c1561a227b34c352e94c2c9
Opcode Fuzzy Hash: 67e33203cce9a5c70dca0f4ff4d11a9de5640cfa35b9787a2ee3cd1fe0cc37a4
Instruction Fuzzy Hash: 3DE0C2B56042007FD320CF68CC89FC73BA8DF0C790F1180AAB91CAB681C631E601CBA1

Function 01992C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992C24

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1b1dbf69886bb0a4e3875b6d154bc86f8c3c1f5e01a82d1a03a1e498a1f7177
Instruction ID: f17e8227c5267afb2f1580da677366825ee390bcf95788be75c043e2c35ef6b8
Opcode Fuzzy Hash: f1b1dbf69886bb0a4e3875b6d154bc86f8c3c1f5e01a82d1a03a1e498a1f7177
Instruction Fuzzy Hash: E0B09B71D015C5D5DF11E7A4460C717794477D0702F55C061D2070651F4738D1D5E2B5

Non-executed Functions

Function 019D2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 019D25A0
minkernel\ntdll\ldrinit.c, xrefs: 019D3187
UnloadEventTraceDepth, xrefs: 019D24C0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 019D3176
@, xrefs: 019D2942
TracingFlags, xrefs: 019D2549
ShutdownFlags, xrefs: 019D24A1
DisableExceptionChainValidation, xrefs: 019D275F
MaxLoaderThreads, xrefs: 019D24EC
GlobalFlag2, xrefs: 019D2FC0
DisableHeapLookaside, xrefs: 019D246D
RaiseExceptionOnPossibleDeadlock, xrefs: 019D2579
CFGOptions, xrefs: 019D2967
@, xrefs: 019D2B74
GlobalFlag, xrefs: 019D2F3F, 019D3059
MaxDeadActivationContexts, xrefs: 019D2D82
UseImpersonatedDeviceMap, xrefs: 019D251C
FrontEndHeapDebugOptions, xrefs: 019D2489
LdrpInitializeExecutionOptions, xrefs: 019D317D
MinimumStackCommitInBytes, xrefs: 019D2BB0

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: e5daf48fb83f56187231b9ba7321497dee928d0115f10d79a6a227ccafa18a72
Instruction ID: 529d6bd2368081f1b7c4dc013a1bd2a5f064883e30270dad054ff459a9a9eba4
Opcode Fuzzy Hash: e5daf48fb83f56187231b9ba7321497dee928d0115f10d79a6a227ccafa18a72
Instruction Fuzzy Hash: 3F926B75608342ABE721DF28C880F6BB7E8BF84755F04892DFA98D7251D770E944CB92

Function 01988620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Address of the debug info found in the active list., xrefs: 019C54AE, 019C54FA
8, xrefs: 019C52E3
double initialized or corrupted critical section, xrefs: 019C5508
Critical section address., xrefs: 019C5502
Invalid debug info address of this critical section, xrefs: 019C54B6
Thread is in a state in which it cannot own a critical section, xrefs: 019C5543
undeleted critical section in freed memory, xrefs: 019C542B
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019C540A, 019C5496, 019C5519
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019C54E2
Critical section address, xrefs: 019C5425, 019C54BC, 019C5534
Critical section debug info address, xrefs: 019C541F, 019C552E
Thread identifier, xrefs: 019C553A
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019C54CE
corrupted critical section, xrefs: 019C54C2

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: aa3c1c9fa5db81255b8f4c10092a32588403bcafe042201a919dc5bb5b2b3424
Instruction ID: 68bdf453857d56accfd0a6c26c21330815da161834cfa2dfade54b6a4f4e8685
Opcode Fuzzy Hash: aa3c1c9fa5db81255b8f4c10092a32588403bcafe042201a919dc5bb5b2b3424
Instruction Fuzzy Hash: 08818AB0A00359EFEB20CF99C845FAEBBB9BB88B14F11415DF548B7641D371A941CB61

Function 019829F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 019C2506
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 019C2624
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019C24C0
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 019C2409
RtlpResolveAssemblyStorageMapEntry, xrefs: 019C261F
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 019C2602
@, xrefs: 019C259B
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 019C2412
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 019C2498
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019C22E4
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019C25EB

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 851744e9daa299507097018131b0f3af7ab3bf2f354451270f1bc8dac8bda855
Instruction ID: a2dfd6dd859d90e7ea75d82bf254c3d4707bbc969a7ac1d7941f470491203778
Opcode Fuzzy Hash: 851744e9daa299507097018131b0f3af7ab3bf2f354451270f1bc8dac8bda855
Instruction Fuzzy Hash: 1B026FF1D042299FDB21DB54CD80BAAB7B8AF54704F0045EAA64DA7241DB70AE84CF69

Function 019F8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

csrss.exe, xrefs: 019F8B80
DefaultBrowser_NOPUBLISHERID, xrefs: 019F8D00
lsass.exe, xrefs: 019F8BA1
runtimebroker.exe, xrefs: 019F8B73
SegmentHeap, xrefs: 019F8BE9
svchost.exe, xrefs: 019F8B68
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 019F8BD0
smss.exe, xrefs: 019F8B8B
services.exe, xrefs: 019F8B96
heapType, xrefs: 019F8BCB

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 28a66b0dc5af452a36201d9ef2a2dca2c7efbb3b1a82021d2802ab94e1be0c89
Instruction ID: 041d934a76c1003660e9f93da0244f78fc2d16b8ed98284dea52d78b116bd7d0
Opcode Fuzzy Hash: 28a66b0dc5af452a36201d9ef2a2dca2c7efbb3b1a82021d2802ab94e1be0c89
Instruction Fuzzy Hash: 6E51C071905315ABD769DF598884BABBBECEFD4340F14492DEA5C83284E770D504CB92

Function 01A00274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A004D3
HEAP[%wZ]: , xrefs: 01A00399, 01A004A8, 01A005D0, 01A00675, 01A006CC
RtlReAllocateHeap, xrefs: 01A002BF, 01A00362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A006EA
Just reallocated block at %p to %Ix bytes, xrefs: 01A005F1
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A0069F
HEAP: , xrefs: 01A003A6, 01A004B5, 01A005DD, 01A00682, 01A006D9
About to reallocate block at %p to %Ix bytes, xrefs: 01A003BA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: ffdd66bd1fcc2d9acd7e7995e65389ad33a252e35b022f07e19033ff734e5d87
Instruction ID: 10b3e7a2a3b8cd1a186d5c87c1386dd3be513a8073e44874e2cce7ed25d1e7eb
Opcode Fuzzy Hash: ffdd66bd1fcc2d9acd7e7995e65389ad33a252e35b022f07e19033ff734e5d87
Instruction Fuzzy Hash: 1CD1EF39500681EFDB22DFB8E540BA9BBF1FF8A754F098049F44A9B292C775D981CB14

Function 019D89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDebug, xrefs: 019D8CA5
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 019D8A3D
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 019D8A67
HandleTraces, xrefs: 019D8C8F
VerifierDlls, xrefs: 019D8CBD
VerifierFlags, xrefs: 019D8C50
AVRF: -*- final list of providers -*- , xrefs: 019D8B8F

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: faadf79c5113a6dda7eb22f707e3ebd6ce02112737f75b2dd4f0cbeed139507c
Instruction ID: 834664f6f252ea1a2272ae0d8187e7561c2527414014de65b137e866175573a8
Opcode Fuzzy Hash: faadf79c5113a6dda7eb22f707e3ebd6ce02112737f75b2dd4f0cbeed139507c
Instruction Fuzzy Hash: 33911576A45712EFD721EF688880F5B77E8ABD4714F058829FA4D6B282C730EC01C795

Function 0195EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Exit, xrefs: 0195EB6C
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0195EB58
, xrefs: 0195F299
R, xrefs: 0195EB62
{, xrefs: 019B4643
T, xrefs: 0195EB4E

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 8ff699238fbf0876c0e5333a42fda44f4f1112c0c94779c710566875b5f187be
Instruction ID: 15ef032c3c4f581b4cef1e2024cffe7cc605566e1c1c6e4fa4dff3642cad3129
Opcode Fuzzy Hash: 8ff699238fbf0876c0e5333a42fda44f4f1112c0c94779c710566875b5f187be
Instruction Fuzzy Hash: AFA25970A0562A8FDBA4CF18CD88BADBBB5BF45714F1442E9D90EA7251DB359E84CF00

Function 019863FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019C40E9, 019C414B, 019C420F, 019C4269
Delaying execution failed with status 0x%08lx, xrefs: 019C4258
_LdrpInitialize, xrefs: 019C40DF, 019C4141, 019C4205, 019C425F
Process initialization failed with status 0x%08lx, xrefs: 019C413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 019C41FE
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 019C40D8

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 2430057b2b913270db94cd201da69dfa7c422b6a7ef33eecce9081c3763828b8
Instruction ID: 0cc595ec0400ab9f93a181084bdc111abff5c21970e1847041c394f196a60cb5
Opcode Fuzzy Hash: 2430057b2b913270db94cd201da69dfa7c422b6a7ef33eecce9081c3763828b8
Instruction Fuzzy Hash: 0F912674B00315DBEB25EF6CD855BAE7BA6BFD1F25F00002CE98D6B281D7659802C792

Function 0194645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019A9A11, 019A9A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 019A9A01
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 019A9A2A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 019A99ED
apphelp.dll, xrefs: 01946496
LdrpInitShimEngine, xrefs: 019A99F4, 019A9A07, 019A9A30

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 0d44d37e04f875909cfd3cb47e76a5871ecfa9c94f3555aaa4ad75978207aad9
Instruction ID: c232185bc70ec0ebd3a94e504f62098e7e96d50e9189b8e77096fca77b932371
Opcode Fuzzy Hash: 0d44d37e04f875909cfd3cb47e76a5871ecfa9c94f3555aaa4ad75978207aad9
Instruction Fuzzy Hash: E0519E752083059FE724DF28D851EAB7BE8BFC5648F40491EF58D9B1A0E630E909CB92

Function 0198C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 019C8181, 019C81F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 019C81E5
minkernel\ntdll\ldrinit.c, xrefs: 0198C6C3
LdrpInitializeProcess, xrefs: 0198C6C4
LdrpInitializeImportRedirection, xrefs: 019C8177, 019C81EB
Loading import redirection DLL: '%wZ', xrefs: 019C8170

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 5baf8e90d49c2979ac0d3184fbc082a8b5bca9a02e1da655f950b7add203b4a9
Instruction ID: 7d62a70c81a9444187d7ad6a823e9437172f13b6a438515e55afbe1202cf9e91
Opcode Fuzzy Hash: 5baf8e90d49c2979ac0d3184fbc082a8b5bca9a02e1da655f950b7add203b4a9
Instruction Fuzzy Hash: 7B3112716443069FC224EF28D946E2ABBE4FFD0B14F04056CF98DAB291E621EC05C7A2

Function 01982674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 019C21BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 019C219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 019C2180
SXS: %s() passed the empty activation context, xrefs: 019C2165
RtlGetAssemblyStorageRoot, xrefs: 019C2160, 019C219A, 019C21BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 019C2178

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 3b4214097cd09cfd470847a5ec96499c9ff2d5d4003ff55be0cdf6676844eca8
Instruction ID: 33b253ca8a20ff191d1fe30528e77fc68752d5ef52bd7d12138c37a3ee13372a
Opcode Fuzzy Hash: 3b4214097cd09cfd470847a5ec96499c9ff2d5d4003ff55be0cdf6676844eca8
Instruction Fuzzy Hash: C431487AF402157BE721AF9A8C81F6B7B79EBD5E40F05405DBB0DA7140D270AA01C3A2

Function 0199096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01992DF0: LdrInitializeThunk.NTDLL ref: 01992DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01990BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01990BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01990D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01990D74

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 7b76cb6da5161b1d765a70295a099b926554fab02f024a896596907b9ee524ab
Instruction ID: 50a3ce6cd5263aa510fa0f55a650a4b788b7c2ccd6be9698410236eda2477658
Opcode Fuzzy Hash: 7b76cb6da5161b1d765a70295a099b926554fab02f024a896596907b9ee524ab
Instruction Fuzzy Hash: 8D426B71900715DFDB21CF68C880BAAB7F9BF44314F1445A9E99DEB241E770AA84CF61

Function 0195A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 0195A3E7
LdrResFallbackLangList Exit, xrefs: 0195A3FF
LdrResFallbackLangList Enter, xrefs: 0195A3EF
6, xrefs: 0195A3F7

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 6e3db188975d8d6956ebb4b1fd31d3bd3d11c19598cf82be4387cc402c73ccf5
Instruction ID: 9829956f087804f5adceb662bab791acf8dd0aca6c9100854c6bdeb56deef695
Opcode Fuzzy Hash: 6e3db188975d8d6956ebb4b1fd31d3bd3d11c19598cf82be4387cc402c73ccf5
Instruction Fuzzy Hash: CBC1B070508382CFD751CF58C140B6ABBE4FF84704F044A69FD99AB251E734D946CB5A

Function 01988402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0198855E
minkernel\ntdll\ldrinit.c, xrefs: 01988421
LdrpInitializeProcess, xrefs: 01988422
@, xrefs: 01988591

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: eec698214eeb4343b84f4bcf2facd205f3012e322062a7c2fd667a6c5035c66f
Instruction ID: 350a538b866b3ff9f6221a2ff22014ca8152a68d50a1c637055b6ab8fa622b17
Opcode Fuzzy Hash: eec698214eeb4343b84f4bcf2facd205f3012e322062a7c2fd667a6c5035c66f
Instruction Fuzzy Hash: 81915E71609345AFEB21EB65CC40E6BBAECBFD4654F80092EFA8C96151E334D904CB62

Function 0198273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 019C21DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 019C21D9, 019C22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 019C22B6
.Local, xrefs: 019828D8

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 9ca18901a368ef1b65c7871fec210435007c0fab040f1543ae885351890b505d
Instruction ID: 6a54b32e3e4e1ef73b1d6d6a2d2d9b0047837136ff630aba790810ac2a626a3f
Opcode Fuzzy Hash: 9ca18901a368ef1b65c7871fec210435007c0fab040f1543ae885351890b505d
Instruction Fuzzy Hash: F2A1D035900229DBDB25DF68CC84BA9B3B9BF58714F2441EAD94CAB251D731AE80CF91

Function 01984AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid flags 0x%08lx, xrefs: 019C342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 019C3437
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 019C3456
RtlDeactivateActivationContext, xrefs: 019C3425, 019C3432, 019C3451

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: e6863ed359deb4cf00486ca052ebee6e931f5da842c8e22b3d13a4c575581f73
Instruction ID: 127420f80fa60b37fc8cd017fb29f376fe6767e042c61a00e0cb7f5288e8f90a
Opcode Fuzzy Hash: e6863ed359deb4cf00486ca052ebee6e931f5da842c8e22b3d13a4c575581f73
Instruction Fuzzy Hash: 37610036A40B129BD722DF1DC841B2AF7E9BF94F11F15852DE9AD9B240D730E901CB92

Function 019564AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 019B0FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019B10AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 019B1028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 019B106B

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: a4bde851ce28650cad51ce8a354d77dfc9762ae0d2c8b3f309c83436e2d376c6
Instruction ID: 925d9e9dbf0d8de2001f2b994d6b3d90f0e2d9246151b609d2d4a1ff86f27403
Opcode Fuzzy Hash: a4bde851ce28650cad51ce8a354d77dfc9762ae0d2c8b3f309c83436e2d376c6
Instruction Fuzzy Hash: FA71ECB1944305AFCB61DF18C884F9B7BA8AF94768F800868FD4D8B246D734D589CBD2

Function 0197245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019BA9A2
apphelp.dll, xrefs: 01972462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 019BA992
LdrpDynamicShimModule, xrefs: 019BA998

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 2b2347f5c30a53ea078da8d291936fa5650dab783055e54ae562b1673ce311c7
Instruction ID: d3b590b658bd3acfc776f1703ea7c3fe73ccca6b5dbbe68af5e79b1cfc331691
Opcode Fuzzy Hash: 2b2347f5c30a53ea078da8d291936fa5650dab783055e54ae562b1673ce311c7
Instruction Fuzzy Hash: 6C31577DA00201EBEB36DF5DC981EAABBB9FFC4B00F250019F90967245C7719942C790

Function 019629A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01963255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0196327D
HEAP: , xrefs: 01963264

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 23e09a6180f109a369d615fb7e1154e1b189b0688c976ee3ebba212f298c6212
Instruction ID: d4c58e80195d7014bf6b02d0eb2715b2c1ac1a25474837abd4af5ad5d3e8fb4f
Opcode Fuzzy Hash: 23e09a6180f109a369d615fb7e1154e1b189b0688c976ee3ebba212f298c6212
Instruction Fuzzy Hash: B592BB71A042499FDB25CF68C444BAEBBF9FF49300F188469E84DAB391D735AA45CF60

Function 01960770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019B50AE
(UCRBlock->Size >= *Size), xrefs: 019B50CA
HEAP: , xrefs: 019B50BD

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: e2bacca1a9f86a1548ca0fd417b288a63d2935f4c32492742d5b2fe393e96bc7
Instruction ID: ca419e63329eca0bc6e6239be77dfdf3079695a7fca0b70adad1e5855d8f6f0d
Opcode Fuzzy Hash: e2bacca1a9f86a1548ca0fd417b288a63d2935f4c32492742d5b2fe393e96bc7
Instruction Fuzzy Hash: 31F1BF34A00606DFEB15CF68C9D4FAAB7B9FF44304F184569E51A9B381D734E981CBA1

Function 01976962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01976C24
, xrefs: 019BCA51

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: bc2eb4078c172f4719aa0982268f95c72e51fbdf0036490a3cbef5795d4bedd4
Instruction ID: 9bc2dc7c90c3d5023a6ffd78e05d9cd2b079a4f2bd0c015cad2d3466ce581b80
Opcode Fuzzy Hash: bc2eb4078c172f4719aa0982268f95c72e51fbdf0036490a3cbef5795d4bedd4
Instruction Fuzzy Hash: DEC27E716087419FEB29CF68C885BABBBE9AFC8754F04892DF98D87241D734D805CB52

Function 0194A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 0194A1C1
\??\, xrefs: 019AC1E4
FilterFullPath, xrefs: 019AC2E6

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: e0c1cd7ad9b12eed26d2e5bfb38ebcaf34edd76639458dfbb2a5abc21b519817
Instruction ID: 073cec6fa0f638dee11d03b9931ec2352cef58679fd085fa2f3be295ff15fd24
Opcode Fuzzy Hash: e0c1cd7ad9b12eed26d2e5bfb38ebcaf34edd76639458dfbb2a5abc21b519817
Instruction Fuzzy Hash: 38A16C769112299BDB31DF68CC88BEAB7B8EF44711F1001E9E90DAB250D7359E84CF90

Function 01970BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 019BA117
minkernel\ntdll\ldrinit.c, xrefs: 019BA121
Failed to allocated memory for shimmed module list, xrefs: 019BA10F

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: e7e8a27f367e4b2bd09ed88ad07a62bfbef51ca884d5c14d28b56214ed2d9720
Instruction ID: 1c76976333e10ec4fa59eba42125ea9d40ad4aca369d8cefbeaf1fe5028f3e0e
Opcode Fuzzy Hash: e7e8a27f367e4b2bd09ed88ad07a62bfbef51ca884d5c14d28b56214ed2d9720
Instruction Fuzzy Hash: 9271C378E00205DFDB19DF68C981AAEB7F4FF89704F18442DE40AD7251D735A942CB50

Function 01960A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019B5335
HEAP: , xrefs: 019B5342
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 019B534D

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: c06c497a1fc6b87688b0ff0a5c0a2e7e40f99c7a0bebd8a937aec966b97cbeee
Instruction ID: 8ffa6ade1b1c7a2ce00ee8ed967b1a02a420c974c810033b10c28231190e56a5
Opcode Fuzzy Hash: c06c497a1fc6b87688b0ff0a5c0a2e7e40f99c7a0bebd8a937aec966b97cbeee
Instruction Fuzzy Hash: 7B61B171600301DFEB29CF28C584BAABBE9FF45704F198559E45E8B396D770E881CBA1

Function 0198C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 019C82DE
minkernel\ntdll\ldrinit.c, xrefs: 019C82E8
Failed to reallocate the system dirs string !, xrefs: 019C82D7

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: e9501d0d92cd62fde945c06f9b4a9cd71bda8fa805af2867d78bd0e09f98d789
Instruction ID: 9a8b0e369a196dba52cc9440fa21aae882d444e71a7cd0d96880e201ab439011
Opcode Fuzzy Hash: e9501d0d92cd62fde945c06f9b4a9cd71bda8fa805af2867d78bd0e09f98d789
Instruction Fuzzy Hash: 8D41D079544311ABDB21FB68D844F9B77E8EFC9A50F00492AF94DD7250E771D801CBA2

Function 01A0C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A0C1C5
@, xrefs: 01A0C1F1
PreferredUILanguages, xrefs: 01A0C212

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: f891c2eb4bbb5066266342af96a618277b5a25c1ae1c496edc60aa3104749f02
Instruction ID: eef0aa22f500318a61f9e32b6561d4f5ef89779a24c6ead69fd78e3b68680ca5
Opcode Fuzzy Hash: f891c2eb4bbb5066266342af96a618277b5a25c1ae1c496edc60aa3104749f02
Instruction Fuzzy Hash: 5C418671D00209EBDF12EBD8D841FEEB7BCAB58710F1441AAE609F7684D7749A44CB50

Function 019E4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 019E4160
@, xrefs: 019E4225
LdrpResValidateFilePath Exit, xrefs: 019E4172

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 74a0b50c630c08f96c2ec9d3a5528d7049cad6c4b9b59059725ba6adaeecca0f
Instruction ID: 2f96b9fa41b8cd49de2742fcb1f7f2cb8a011511005b166108622c842c47def7
Opcode Fuzzy Hash: 74a0b50c630c08f96c2ec9d3a5528d7049cad6c4b9b59059725ba6adaeecca0f
Instruction Fuzzy Hash: CB410471A00258CBEF26DBD9C858BADBBF8FFA5340F14045ADA09EB791D7349901CB10

Function 019D4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 019D4899
LdrpCheckRedirection, xrefs: 019D488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 019D4888

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 9ff25ddbdb1447171062baea022a6fc88a1500b51b93631137701d270cad216f
Instruction ID: 07bd0f858da3fb3dd8d92cfc8a0db15f191af061df7ebc076fae7f4e80cc8191
Opcode Fuzzy Hash: 9ff25ddbdb1447171062baea022a6fc88a1500b51b93631137701d270cad216f
Instruction Fuzzy Hash: 4D41D236A043519FCB21CE5CD841E267BE9AF89A91F06856DED8DE7B11D731D800CB92

Function 01960BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019B5431
HEAP: , xrefs: 019B543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 019B5449

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: cee900026cb53862e511a992806b60715c4f59eed00c270bf66fa4d7d0e971f9
Instruction ID: 1d58c9c165e61af4b78bc66933532bbc22e170166495ac6329c3085c719becfc
Opcode Fuzzy Hash: cee900026cb53862e511a992806b60715c4f59eed00c270bf66fa4d7d0e971f9
Instruction Fuzzy Hash: 6F11D231315102DFEB29CA28C5C1FB5B3AAEF80A1AF198569F40ECB295DB34D841C760

Function 019D20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019D2104
Process initialization failed with status 0x%08lx, xrefs: 019D20F3
LdrpInitializationFailure, xrefs: 019D20FA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: a8fa850cfca4be0130943e99414c4f246b7eff2058c2bb2dc6c41c06bdeecb87
Instruction ID: eb92f64f11e728bbd93a6b711bc13d320b630289a151629eea9baaaf241f1882
Opcode Fuzzy Hash: a8fa850cfca4be0130943e99414c4f246b7eff2058c2bb2dc6c41c06bdeecb87
Instruction Fuzzy Hash: C5F0F679640318BBEB24E75DDC46FA93B7CFBC0B54F104069FA4877685D6B0A901C691

Function 019603E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019B4D8A

Strings

#%u, xrefs: 019B4D82

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: b009340e2c5f22bc26de3fbf37d6192f236313aadea1bb720354831bb100a632
Instruction ID: 684517c5295cd76ed2f655bba3366537145da62ad43eee0b29c0570dc03e49bf
Opcode Fuzzy Hash: b009340e2c5f22bc26de3fbf37d6192f236313aadea1bb720354831bb100a632
Instruction Fuzzy Hash: 5C714A71A0014A9FDB11DFA9C994FAEB7F8FF58744F144065E909E7251EA34EE01CBA0

Function 0195A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0195AA25
LdrResSearchResource Enter, xrefs: 0195AA13

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 22e4410ef8ca7cfd066c16534535d59d40d411d64d4eab738e41e5a060ef0dde
Instruction ID: 118415a34b41aa85a4740055e82630ea60479d6577c0efe0ae87b0fb266baf15
Opcode Fuzzy Hash: 22e4410ef8ca7cfd066c16534535d59d40d411d64d4eab738e41e5a060ef0dde
Instruction Fuzzy Hash: 9CE16E71E00219ABEB62CF99CA84BEEBBBEFF54310F144626ED09E7251D7349940CB54

Function 01A1A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01A1A44B
`, xrefs: 01A1A551

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 63f2ec7c7455425d7326538b12b83d5f20a7a168e7c1266a31ea46735ee9891e
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 8AC1F3312053829BEB25CF28C940B6BBBE5BFC4318F084A2DF69ACB299D775D505CB41

Function 019CE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 019CE75A
UEFI, xrefs: 019CE751

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: c3b177824f754f428f15040d7b40688ce22861cae7ad3589bdd75c9ba8a7f61c
Instruction ID: f5397eb755c560ec8737d51513376452ee8fdf79b5bd8f983ad7a4f00c06e33a
Opcode Fuzzy Hash: c3b177824f754f428f15040d7b40688ce22861cae7ad3589bdd75c9ba8a7f61c
Instruction Fuzzy Hash: 66614E71E003199FDB15DFA8C940BAEBBB9FB44B40F14446DE68EEB251D731A900CB52

Function 019F43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 019F4437
MUI, xrefs: 019F4525

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 694e119a2dda19d0725e894e4f3c5ac0811176fbabae88e4f02b0b9205b7cb6b
Instruction ID: eb585e9423e000c3c16284938b057157085dcfc965fe678998bc0195844e657f
Opcode Fuzzy Hash: 694e119a2dda19d0725e894e4f3c5ac0811176fbabae88e4f02b0b9205b7cb6b
Instruction Fuzzy Hash: 7E510971D0021DAFDF11DFA9CC84AEFBBBDEB44754F100529EA19BB290D6309A05CB60

Function 019504E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0195063D
kLsE, xrefs: 01950540

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 62d2c2c12e30bb39fb003f5a52e429426bdeb456bc81630cf337c0b4baa624bf
Instruction ID: bb41c2faf21ef16f34d761f43fd13ab65e6e6740541a81847f5991578df3a7eb
Opcode Fuzzy Hash: 62d2c2c12e30bb39fb003f5a52e429426bdeb456bc81630cf337c0b4baa624bf
Instruction Fuzzy Hash: A751DD715007428FD764EF29C4406A7BBE8AF84305F18893EFAAE97241E730D546CBA2

Function 0195A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0195A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0195A309

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 85abf7c92ec58ed7682a7bd9912177e36701a4cd943521f9b697f53c9d5859bc
Instruction ID: d9f77276f99f583d3e4303b5b0ad74c62d931bbe0a4d2edcbb7fe6fbe694bfb3
Opcode Fuzzy Hash: 85abf7c92ec58ed7682a7bd9912177e36701a4cd943521f9b697f53c9d5859bc
Instruction Fuzzy Hash: 3141FF31A04259DFEB15CF59C980BAEBBB8FF85304F1445A5ED08EB292E7B5DA00CB54

Function 0198A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0198A5E9
Cleanup Group, xrefs: 0198A5E4

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 33c3a25452f0c76a4108f211bb762b2e7872d27aa5387ee1dcf4bccf5c042b0c
Instruction ID: 3c1d2d9c91b4a7fce5a08af1b568f9cb2e186335042a2be8f9c83a0739d3fdfb
Opcode Fuzzy Hash: 33c3a25452f0c76a4108f211bb762b2e7872d27aa5387ee1dcf4bccf5c042b0c
Instruction Fuzzy Hash: DC01D1B6251704AFE311EF14CD45F2677E8E7C5729F01893AA64CC7194E334D804CB4A

Function 0195C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0195C8C3, 0195CA40

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 5663bfac011f493d7b5597cfe4e451ce75117ad9fb8b9c402ec8b76598020b01
Instruction ID: bad628e1a8e0e5618bf2ca227e6b673a14b0bd537aff20387156c111ed988281
Opcode Fuzzy Hash: 5663bfac011f493d7b5597cfe4e451ce75117ad9fb8b9c402ec8b76598020b01
Instruction Fuzzy Hash: 95824A75E003199BEB65CFA9C880BEDBBB9BF48710F148169ED1DBB291D7309981CB50

Function 019D6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 019D65C1

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f62976eebbbe807d4e60384b4192a78a9abb8adff843d639479ca3503e2463f9
Instruction ID: b653d8f9a8dff510c7c439d3f826b8e957127430faa20e80c15c29585ba1a064
Opcode Fuzzy Hash: f62976eebbbe807d4e60384b4192a78a9abb8adff843d639479ca3503e2463f9
Instruction Fuzzy Hash: 74917371900219AFEB21DF99CD85FAEBBB8EF58B50F504065F608AB190D775AD00CBA0

Function 019FE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 019FE1FA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1387ccc236d82a5aa8f2dc228a337627a6cec85f9c6b514853145239e5660aa6
Instruction ID: 2bd91c8b62ea350edfdaf0dfea3dd90af2c521e23da5f54c609d856b4c7f28a1
Opcode Fuzzy Hash: 1387ccc236d82a5aa8f2dc228a337627a6cec85f9c6b514853145239e5660aa6
Instruction Fuzzy Hash: 60918E36A01609BBDB22ABA5DC44FEFBBB9EF85744F110029F609A7260E7749901CB51

Function 0198A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 019C67C9

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 51a01394deda4ac91a0178b292b48a05976e2f4548b623431859042707a97770
Instruction ID: e8247fa0ac42deb32891d60a7e9e3bdeedb9e8abd79c7000ae7236aa72f2a15a
Opcode Fuzzy Hash: 51a01394deda4ac91a0178b292b48a05976e2f4548b623431859042707a97770
Instruction Fuzzy Hash: 36718FB5E0030A9FDF28CF9CC590AAEBBB5BF88B11F14852EE549A7341E7359901CB51

Function 019F4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 019F4A7F

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 4ed744773829d26345c9cf5340f32978b904c5d22ee6a75d78a8422b86b8e1b7
Instruction ID: ce9805e3761377ebbc450e63dc2328e941f5b12a9aa519d9934ca0b8caa58d2d
Opcode Fuzzy Hash: 4ed744773829d26345c9cf5340f32978b904c5d22ee6a75d78a8422b86b8e1b7
Instruction Fuzzy Hash: 1B51A172D0022AABDF11DF99D840AAFBBB8BF44B11F05412DEA19BB240D3349905CFE4

Function 0196E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0196E6A4

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: ce22522dca1e5b236c67b0350651b7f4eac43693dd2cb9109eb80785c16c21a2
Instruction ID: d1653528dcddc0326b566087fd54116114899274068a73943981b3ff6d61f122
Opcode Fuzzy Hash: ce22522dca1e5b236c67b0350651b7f4eac43693dd2cb9109eb80785c16c21a2
Instruction Fuzzy Hash: 15419076518312ABD711DA75C840F6BBBECAFC8714F44092DFA8CD7180E678DA04C7A6

Function 019CC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 019CC77F

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 9378095f90f1b64579f76d681103e5a91505897d9af14e43517da70962c1481a
Instruction ID: e3d3778dc5b25abf4e3f68b64fc4640f78e47c8231ede5e7250b9ce312f72255
Opcode Fuzzy Hash: 9378095f90f1b64579f76d681103e5a91505897d9af14e43517da70962c1481a
Instruction Fuzzy Hash: B14145B1D0112DABDF21DB54CC84FDFBB7CAB45714F0045A9AA4CAB140DB709E898FA5

Function 019E6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 019E6B91

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 03d588c84579b0eb52a3516fd7454e012884cfd063a1c79ecc49b7ff9b71f442
Instruction ID: 27f719d2a977cbc294aaae3c2b532d7b5b0e323dfabbe6a53681b18f1ed2df84
Opcode Fuzzy Hash: 03d588c84579b0eb52a3516fd7454e012884cfd063a1c79ecc49b7ff9b71f442
Instruction Fuzzy Hash: BC311831E007099BEB23CB69C858BEE7BECDF69704F144068EA48AB282D775D815CB50

Function 019CCA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 019CCAA2

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: a14ac89eacc73362dad646d136ce3d8d218ed129528573018a3ef2e1939ddbb8
Instruction ID: 388e07bc10a8d6f66e180bf00d58e826002d508f05e9c40c2da129e246483546
Opcode Fuzzy Hash: a14ac89eacc73362dad646d136ce3d8d218ed129528573018a3ef2e1939ddbb8
Instruction Fuzzy Hash: 6D31F436900519AFEB16DB99C845E6BBFB8EB80B50F01416DA90DA7250D730AE00E7E1

Function 019D892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 019D895E

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 91fcfb381b0a887e57db3ded1f03093eafb6a0747f0ff040db90b5f575997715
Instruction ID: 5340f538e6205fb6b92dd0b854a03e3c9c295b9aedf7072d53d5749d37fba2c7
Opcode Fuzzy Hash: 91fcfb381b0a887e57db3ded1f03093eafb6a0747f0ff040db90b5f575997715
Instruction Fuzzy Hash: 1D01F73A200301BBE720AF598884E5A7B69EFC56A4F04441DF68926553CB31A841C792

Function 019F2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dc4ee051e1801bd0cae4abedbf101fa79d20483c3cdabde81bb4e918ff6cb4
Instruction ID: acb36731edda2be1e1be076f56256aaf033eca641a6f330ccd7c18474da9b8d2
Opcode Fuzzy Hash: 01dc4ee051e1801bd0cae4abedbf101fa79d20483c3cdabde81bb4e918ff6cb4
Instruction Fuzzy Hash: F942B175608341ABE725CF68C890B6BBBE9BFC8700F58092DFB8A97250D771D845CB52

Function 019E8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521ded01436ba95bcaa43017aed4b80553800fcdb99c217fc6cc2d88f22042f6
Instruction ID: 0e8c24f96bdce6714549651da625380ce2f3fd0629ff4437a6cf9879e91fa0dd
Opcode Fuzzy Hash: 521ded01436ba95bcaa43017aed4b80553800fcdb99c217fc6cc2d88f22042f6
Instruction Fuzzy Hash: 65426E75E002199FEB25CFA9C845BADBBF5BF88301F148099E94DEB242D7349985CF60

Function 01962840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbe25cf5499f0628a91548b5b68c7b7f97712c2b01b6a5903150d50b6eef333
Instruction ID: 16e9645f9f7bb0282fcbfdb8e9ca53c1e01c7e4e458283e57ae240f3dbd67edc
Opcode Fuzzy Hash: fcbe25cf5499f0628a91548b5b68c7b7f97712c2b01b6a5903150d50b6eef333
Instruction Fuzzy Hash: 6132DC70A007598BEB25CF69CA84BBEBBF6BF84700F24451DD58E9B285D735B802CB50

Function 019FA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b314a93f38762da57a614d86333ef8e13afb5e1717f7f0f252b9972f0fcca4
Instruction ID: 8113ec3e31d4559b3ecc69b944ac2d823834e8df6ce853e8ccac49c7ffad0852
Opcode Fuzzy Hash: 61b314a93f38762da57a614d86333ef8e13afb5e1717f7f0f252b9972f0fcca4
Instruction Fuzzy Hash: 8222EF74604661AFEB25CF2DC094B76BBF5AF44341F08885EDB8E8B286D375E452CB60

Function 01978DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8756af3823878658a5469b0028dbb603a9d69024e1db1b8fb3272c92c491c7ff
Instruction ID: b83f6a01348a5802f1176e4b72b922bf4f89818d6aeb4ccc83ce3749937dfdca
Opcode Fuzzy Hash: 8756af3823878658a5469b0028dbb603a9d69024e1db1b8fb3272c92c491c7ff
Instruction Fuzzy Hash: 9D225F70E0021A9BCB15CF99C5809FEFBF6FF88719B14845AE9499B241E734ED41CBA4

Function 01956A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db906fef655a3e5f832101d90b285346570ae8d453537358860191cfd63ca60c
Instruction ID: 4be32b74cd4655947bedd29368b5acbf9a41c08aa042b0b46de79c35d1665e8d
Opcode Fuzzy Hash: db906fef655a3e5f832101d90b285346570ae8d453537358860191cfd63ca60c
Instruction Fuzzy Hash: 9F32FF70A05205CFDB65CFA8D590BAEBBF5FF88300F548969E94AAB391D734E841CB50

Function 01974A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 915393ece1649804f9e525435f4be93ffabefa2618b3257d9abe39691a47bcb1
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: F0F17171E0020A9BDF15CF99C580BEEBBF9AF48710F098529E949AB351E774EC41CB60

Function 019E892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3210621326b802d2bdc1277d4f4befdc14e78546ec262ef8bc1c91894f0b0a2
Instruction ID: 8a984d1ccd86672271d8f8b875add9f9a5cc3035b94a88ea4dccf79db352efca
Opcode Fuzzy Hash: a3210621326b802d2bdc1277d4f4befdc14e78546ec262ef8bc1c91894f0b0a2
Instruction Fuzzy Hash: E6D10071E0060A9BDF06CFA8C845AFEB7F5BF88304F188569D959E7241E735E902CB60

Function 019565D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9aa732f4aa22057d8177e59a5420ba225560e6b85f52bd1efd1ae02ce2e413
Instruction ID: 0fa37482e93cdd86cc64da776420d1749b6d6530e3389fade60feaa8aca5d5fd
Opcode Fuzzy Hash: 5f9aa732f4aa22057d8177e59a5420ba225560e6b85f52bd1efd1ae02ce2e413
Instruction Fuzzy Hash: DDE1AE71608342CFC755CF28C190A6ABBF4FF89314F448A6DE9999B351EB31E905CB92

Function 01948397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeb3204d7f65b88dc3c3f146d5b88cbbcca4ed47e8f8eb283071c8e1e3c2ec
Instruction ID: e4883e8455696a5787930eb4add8d00f9e37d57623253da76d53eae2625da61a
Opcode Fuzzy Hash: d4aeb3204d7f65b88dc3c3f146d5b88cbbcca4ed47e8f8eb283071c8e1e3c2ec
Instruction Fuzzy Hash: 92D1F571A0020A9BDB14DFA8C890FBA77F5BF94714F05862DE91EDB281E730D955CB90

Function 019D8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 0c318baea7c43b32b3b4c0be53b563f62fb59d3174cddc516906deea27e125ba
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 88B19374A00609AFDB24DF99C940FABBBB9FF84354F10C45DEA0A97796DA34E905CB10

Function 01960535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: da9b58afeb9160f0af7f2b5008d24f0005c7a4054c36cf8991fb0f9785c74345
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 54B1F831600646AFDB15DBA8C9D0BBEBBFABF84300F180555E65E97282D730ED41DB60

Function 019583C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113a6244949263a88e1a019b7a739cfa7b25f424f40fe2222d75cd76106460c2
Instruction ID: 978d8062ea37280355c2a3241ca162dd40ed49bed8cad15e207c095ee5f564bc
Opcode Fuzzy Hash: 113a6244949263a88e1a019b7a739cfa7b25f424f40fe2222d75cd76106460c2
Instruction Fuzzy Hash: 52C17874608341CFD764CF19C494BABBBE8BF88308F44496DE98997291D774E909CF92

Function 0194C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bfa55a87f2b5c67a3c986655a5d76d4fbdde776f8e33bc5cf37e180a63cf81
Instruction ID: d6bf5db57a4fddc63e91c37bc4901e0324db1c394f975b4bac345abc26f68154
Opcode Fuzzy Hash: 49bfa55a87f2b5c67a3c986655a5d76d4fbdde776f8e33bc5cf37e180a63cf81
Instruction Fuzzy Hash: 65B17070A042668FDB25DF68C890BADB3B5EF84700F0485EAD50EE7291EB309D85CB61

Function 0197E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a59bb60ae392503be730032b940e95e273f25df9a90c8283ff8078c45839592f
Instruction ID: 840b9208b61fcb860d971f087782bbf77381be31f5be5311e35b0504aa956f0e
Opcode Fuzzy Hash: a59bb60ae392503be730032b940e95e273f25df9a90c8283ff8078c45839592f
Instruction Fuzzy Hash: 6BA12431E00659AFEB22DB9CCD84FEEBBB8AF41714F050165EA08AB291D7749D41CBD1

Function 01990185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018b9069c99650e29cb176a2f254a53e53607c0bd9d1540bb280f9b04c37fadd
Instruction ID: 5bc9d4fda6c5688639c1bd9f5bb08b0257f7989d5da3ff4b91e79050bcbec050
Opcode Fuzzy Hash: 018b9069c99650e29cb176a2f254a53e53607c0bd9d1540bb280f9b04c37fadd
Instruction Fuzzy Hash: 0EA1F270B00616DBDF25CF6DC590BAAB7B9FF54719F084029EA5D97281EB34E811CB90

Function 01A24500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4028a0e2c9ae58c1640316e22265c7e5d2478160c79b118876de1fa2778fceb
Instruction ID: e7cf5f214e2364b5eeb79299da047c0aedaeff6265071494f57767475bbf0563
Opcode Fuzzy Hash: c4028a0e2c9ae58c1640316e22265c7e5d2478160c79b118876de1fa2778fceb
Instruction Fuzzy Hash: 8FA1ED72A14622EFD726DF2CC980B2ABBE9FF88704F050528F5899B651D374ED01CB91

Function 019D60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cee21f05cb88b55bfd9a5ff341326ad08f971ea348c9f604fb774ad5ac5777c
Instruction ID: 9e56dd1ab5233e67791b7af0489f7aded1769ea2e43f63f48741ec94ba7267d1
Opcode Fuzzy Hash: 7cee21f05cb88b55bfd9a5ff341326ad08f971ea348c9f604fb774ad5ac5777c
Instruction Fuzzy Hash: 22919671D0021AAFDF15CFA8D884BBEBFB9AF49710F158169E618EB341D734D9009BA0

Function 0196E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50202963bcb7f33c72efa2c5cbb6e52fd3435f2e2aa4297b3453cdaedb1fc01
Instruction ID: 3c0ddc963f37161c4f1df38d38adbbe2e3be3d81e15501d8fb0ac1009b0da79b
Opcode Fuzzy Hash: c50202963bcb7f33c72efa2c5cbb6e52fd3435f2e2aa4297b3453cdaedb1fc01
Instruction Fuzzy Hash: 5E914579A00616CBEB24DB6CC580BBDBBA9EF94B15F148469EE0D9B380E634D901C761

Function 019A6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eae8dc067aa83bf63954a8b344ca3cb8fdc48c9fa013fa8b1ff82d75d4b1a79
Instruction ID: d49151b2535bac8e268ab24ebdfce62e58ab5dd26ff7e155d49603a3fe196ffa
Opcode Fuzzy Hash: 5eae8dc067aa83bf63954a8b344ca3cb8fdc48c9fa013fa8b1ff82d75d4b1a79
Instruction Fuzzy Hash: 3781A471E006169FDB25CF69C940ABEBBF9FB48700F08852EE549E7640E334E945CBA4

Function 01A1AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 9efeac167d637a38d6ab9e661a262c5422353c6f4a4c67e9261628e13f053ca3
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 5A81B236A016459FDF19CF99C580ABEBBF2FF84310F188569D9169B349D734E905CB80

Function 0198E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738d81c8a977c1c342fa937e629bc20b33acb1ef8e17653c65bcdd60b72fee71
Instruction ID: ffff4f2a8260d03f696d0c847fa523850823f0dec64bbed07665e98a4e08f184
Opcode Fuzzy Hash: 738d81c8a977c1c342fa937e629bc20b33acb1ef8e17653c65bcdd60b72fee71
Instruction Fuzzy Hash: A2817E71A00609AFDB25DFA9C890BEEBBF9FF88754F10442EE559A7250D730AC05CB60

Function 0196C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09939d8b8e721e036bd477e6dca970fc7889a37140b1fe45516cac41c9950512
Instruction ID: daa55449468bf2df9fdcc1309447d6130aeaae40f3ec8203158804380ad0b264
Opcode Fuzzy Hash: 09939d8b8e721e036bd477e6dca970fc7889a37140b1fe45516cac41c9950512
Instruction Fuzzy Hash: DF71D179C01626DBCB258F58C590BFDBBB8FF8C710F14451AE989AB350D774A801CBA0

Function 01A047A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efa5d1fce4a13993cf20ece151d67aa144f5275659ff6f5bbce155e2717ae62a
Instruction ID: 56582003018581dd72cf13610a562050bbfb1c2dc255170ffee0bf9a7d93634c
Opcode Fuzzy Hash: efa5d1fce4a13993cf20ece151d67aa144f5275659ff6f5bbce155e2717ae62a
Instruction Fuzzy Hash: 377192B8D00305EFDB21CF59E944A9ABBF8FFC9710F14416AE71897298C7728985CB54

Function 0196260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d53cd4062194688e157085d1a3a1f6989eadd050123baed0d8ff81071cde0b3
Instruction ID: 455fd7d4e448264016cb09e9f7efb3da7f6abc60ef40ce08483830b9121d085b
Opcode Fuzzy Hash: 3d53cd4062194688e157085d1a3a1f6989eadd050123baed0d8ff81071cde0b3
Instruction Fuzzy Hash: 3971B2756046428FD312DF28C484B6AB7E9FF84311F0485AAE89DCB351DB38ED46CBA1

Function 019D035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: d65e9362b276a85a9f4aac15da906c74cf4cd24017fc63fbc595f77fc9a4b5f7
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: B6714F71E00619AFDB10DFA9C944EDEBBB9FF98700F148569E909A7250DB34EA41CB50

Function 019E62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba44c95e68fc064cbe14ceaa360203a850feab5bbd8c273abc805c40510a560e
Instruction ID: 9ceba52d9830e81aad2f6f89f9ea3d0068b239406ab3ae43ddbe627818d1ebbd
Opcode Fuzzy Hash: ba44c95e68fc064cbe14ceaa360203a850feab5bbd8c273abc805c40510a560e
Instruction Fuzzy Hash: 1871D532140701AFEB33DF18C848F5ABBEAEF94761F154818E65E872A1E775E944CB50

Function 01958AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1c043ff2170842b4f0aedc3acc3d3045e92bc81f1a10a418040a5806f15889
Instruction ID: a93d5dc158fca4ef0bd6f1ba9a54eb74d1dcfa8ba285d959e4cda888035201b2
Opcode Fuzzy Hash: 1a1c043ff2170842b4f0aedc3acc3d3045e92bc81f1a10a418040a5806f15889
Instruction Fuzzy Hash: FB81EF76A04306CFDB29CF99C684BADBBB9FF88711F154129D908BB281D735AD41CB90

Function 0198CDB1 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3206078f01a85b4672a22c69a9984f40cf1dbfaba8d78f9fc69638106032f31
Instruction ID: 9a09a796002cd2c5797e4f21f042ff1cb19184801a09d0b8c51dfbe22249c7ac
Opcode Fuzzy Hash: f3206078f01a85b4672a22c69a9984f40cf1dbfaba8d78f9fc69638106032f31
Instruction Fuzzy Hash: 9E61B171A00206DFCB19EF68C880AAEB7B9FF48714F14456EE61AEB291D7319D01CB61

Function 01A0A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da092e2419272bb8dff412cfbc9721b221432b6cf2706e5a220d9b4a14306049
Instruction ID: 7562ed8ad8d53f4f2645c9f7f8f4ae2703f6e9ed613677f9c6d2928fd6ec3aaf
Opcode Fuzzy Hash: da092e2419272bb8dff412cfbc9721b221432b6cf2706e5a220d9b4a14306049
Instruction Fuzzy Hash: CE51F176504702AFD723DF68D844E5BB7E8EBC8750F020929BA45DB190D735ED05C7A2

Function 01A18DAE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791a86da8d8ca5b484c0613251ba7fd750158d32a0fde93159fe4a8aa6780a87
Instruction ID: f8fd9be677f6b81945f99c14d3a2a21b1b06cceb66bfbdf892e24bd7eb5ad0bf
Opcode Fuzzy Hash: 791a86da8d8ca5b484c0613251ba7fd750158d32a0fde93159fe4a8aa6780a87
Instruction Fuzzy Hash: B751C1726047029FD712DF28C840BABB7E6FF94350F04892CF99997295D738E909CB95

Function 019F8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e236f6b98ebdf845924860f854faaf4c699f23c6061bd68342412714354ffbc
Instruction ID: 78cad131b922c26c6e12ba383b6f41b050a6d824c84a70cecdd1c6804afe61c3
Opcode Fuzzy Hash: 5e236f6b98ebdf845924860f854faaf4c699f23c6061bd68342412714354ffbc
Instruction Fuzzy Hash: DB51C070900705EFDB61DF5AC884AABFBF8FF95710F104A1ED25A976A0C7B0A541CB90

Function 0198E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f447b7d12ff0fa41770ad86006c2f191b7a5d4db1fe0af597608c50bbdb033e
Instruction ID: 183bd01e4d1af27efaefee86ee9648976e897d144a37f36f286413014017bda2
Opcode Fuzzy Hash: 0f447b7d12ff0fa41770ad86006c2f191b7a5d4db1fe0af597608c50bbdb033e
Instruction Fuzzy Hash: 37516D71600A05EFCB22EF69C990E6AB3FDFF94B54F40082AE54E97260D734E941CB61

Function 019F4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2231d3acc730c08821276b8ae4f8c698d7a8028dd24d10d6ffd8ebb38b46da4
Instruction ID: cf23de43699bf803a953b584df29996c61597ff837549dc272bdb1fa198ccb72
Opcode Fuzzy Hash: b2231d3acc730c08821276b8ae4f8c698d7a8028dd24d10d6ffd8ebb38b46da4
Instruction Fuzzy Hash: 4C517B71608346AFD754DF29C980A6BB7E9FFC8208F54492DF689C7250E770D905CB92

Function 019745B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 9f87a70a5080561230c99ab1b5dc493d7e84093a2e9a2e6a3e2ff4a2049afab6
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 0A519171E0021EABDF15DF98C480BEEBBB9BF85754F054069EA09AB251D734DD44CBA0

Function 019DE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: c7febb76c73c2a8a6118d8d69a063926b1a0618bd3b59f43d4d9ab099ca79679
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 3F51A531D0020AEFEF21DF95C884FAEBB79AF40365F158665D91A7B190D734AE40CBA1

Function 01A18B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b5c739ffb6bf9585c29fb57c035082edf4b4aa464fa7638ab1860ccecece45
Instruction ID: c8e2e72d862b15629729f381dad144b757050a5f626dd1e62e298f8071446daf
Opcode Fuzzy Hash: 56b5c739ffb6bf9585c29fb57c035082edf4b4aa464fa7638ab1860ccecece45
Instruction Fuzzy Hash: CC41E4707056119BD729DB2DC994B7FBBAAFF91260F088219F959CB288DB3CD801C691

Function 019DCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2e66b972b6ff9ba2ffd2aab8210fc059238b71fd7054e3e4be84114c89d497
Instruction ID: 5253a61415bc81db406943697bb4d877152e9e2f62ba2108b90563321741384c
Opcode Fuzzy Hash: 0a2e66b972b6ff9ba2ffd2aab8210fc059238b71fd7054e3e4be84114c89d497
Instruction Fuzzy Hash: 58518FB9D00216DFDB20DFA9C9809AEBBB9FF89355B618919D60DA3305D731AD01CF90

Function 0198A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4de50f3c0dd489d0a62a388f7ac6942478a9a1d6e282750b5371d6a69c17752
Instruction ID: e4a7d5e2cec6cd48e7d9d666594eec1cfed00c16abcd4d2f727b832c7a43ca32
Opcode Fuzzy Hash: b4de50f3c0dd489d0a62a388f7ac6942478a9a1d6e282750b5371d6a69c17752
Instruction Fuzzy Hash: 6B4108796402019BDF25FF7CA981F6F3768ABD9B08F00042DED0E9B242D77298628761

Function 01A1A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 582a2725de42e86bc5a427481867f8bbb76c5fd49610b722b76e138cf99927b6
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 25410A726067569FD725CF68C990A6BB7A9FF80310F09462EE95687248EB30FD14C7D0

Function 019801F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b848096a783b31e37e8b12561831d989e7a5f5d6187840e8125168e14a6f32
Instruction ID: 74f88f615cc0ef4cb668f28bc88fcaaa599ef538ec90d641a7114e68e825cfec
Opcode Fuzzy Hash: a6b848096a783b31e37e8b12561831d989e7a5f5d6187840e8125168e14a6f32
Instruction Fuzzy Hash: D341BF36D00219DBDB14EF98C440AEEBBB8BF88710F19825AF819F7250D7759D49CBA4

Function 0197EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76454b2dfed1c69826b1da7c9e2d72290c20628ec2f5442a43395fc455b7e879
Instruction ID: 5ae26b1ce10bdb78813df9e6f386a5307c33f78ce024b43bed8b2192509a98e7
Opcode Fuzzy Hash: 76454b2dfed1c69826b1da7c9e2d72290c20628ec2f5442a43395fc455b7e879
Instruction Fuzzy Hash: 9241D1B56043028FDB25DF28C980A6BB7E9FFC8324F14496AE55EC7611EB31E844CB60

Function 01992750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 7861c3cb67e274e4efeda4186f79ff52a25e6ffddf13140febef72a03cdd908c
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 68516A75E00219CFDB15CF98C580AAEF7B6FF84B10F2481A9D959A7351E730AE42CB91

Function 01956154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678182049b429b55fba629769176a1b9c719f7b055bc83b66e3dc9bc4c30b5b8
Instruction ID: ee7557b4e443c3813d0eccb98b192c80a1e83239cb0d95bca166446c32c55d90
Opcode Fuzzy Hash: 678182049b429b55fba629769176a1b9c719f7b055bc83b66e3dc9bc4c30b5b8
Instruction Fuzzy Hash: A451F770900206DBEB66CB68CD44BE9BBB5FF52315F1482A5E91DA72D1D7349981CF40

Function 01950BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0450b885d060491fcc68cacfabc1c0345359469fee5028a3412506298a919f41
Instruction ID: ff286b5c2246f409e09557d5fe8040f8ee5c3ca82ae5a97fc50d3e9c4c14f39e
Opcode Fuzzy Hash: 0450b885d060491fcc68cacfabc1c0345359469fee5028a3412506298a919f41
Instruction Fuzzy Hash: AC41AE35E002289BDF61DF68C940BEE7BB8EF85740F4500A5E90CAB241D7349E85CBA1

Function 01A1866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 88cc009d4a6027df74acd9c7b676c9169f3410bf03fb8ce3b3fd6df6fbfa4a21
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 2441D775B00205ABDB15DF99CD94ABFBBBAAF88240F184069E914E7349D778DD00C760

Function 01950887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e711d2089fb89f2a7f2d7ff8126fe5b515e84377e3fb6f14288a5cf5796e57f
Instruction ID: c85638f959062634847ce5969378bbcbc5e12cd299b8d40146f3c180bcc2f413
Opcode Fuzzy Hash: 2e711d2089fb89f2a7f2d7ff8126fe5b515e84377e3fb6f14288a5cf5796e57f
Instruction Fuzzy Hash: 8841D3B16007029FE765CF28C4A0A26B7F9FF89314B184A6DE94F97A54E731E845CB90

Function 0197A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0093afd7e1169edbcdc4d7a6c9d6de5813f8fde490a7b4bbccec280e9dd2451e
Instruction ID: 09b667f47b2ac5f1505b309398173d9002a10bb0beefef4a056ef8acb0308cde
Opcode Fuzzy Hash: 0093afd7e1169edbcdc4d7a6c9d6de5813f8fde490a7b4bbccec280e9dd2451e
Instruction Fuzzy Hash: 21411136A00205CFDF25CF68C884BED7BB8FF98B25F284555D419AB281DB35D901CBA0

Function 01958BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64294a24636b4671dacafbfdad7e8b5e10166fcf9e5ec3f405dd53cb8900cb
Instruction ID: 1c58e0c2bcb6313080b4e5fd7d97642fc328a477ddeaab2268c6dd049ce06a36
Opcode Fuzzy Hash: 4e64294a24636b4671dacafbfdad7e8b5e10166fcf9e5ec3f405dd53cb8900cb
Instruction Fuzzy Hash: 0A411639901202DBD725DF49C980BAABBF5FFD8B14F158029D909AB255D736D842CF90

Function 01948918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cffcb0ca606413db8cfa2f9b7e444d2f47966997ce893ea13e8f57d2c00e04
Instruction ID: d02b27264945bd5c881a01dc608da6e4a848934a9aec1ffdec6de3b5ca32cecd
Opcode Fuzzy Hash: 47cffcb0ca606413db8cfa2f9b7e444d2f47966997ce893ea13e8f57d2c00e04
Instruction Fuzzy Hash: 00417C355087469FD312DF69C840E6BBBE9AF84B54F40092AF988D7250E770DE098BE3

Function 0194A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 17f0d9dc2d43e72a94f6aa23f03d1edcee6515cbae68b10bbcc215d57e517c66
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 9C418E31A00211DFDB15EE1D8454FBABB7DEB91756F59806AE94F8B240D6378D80CBD0

Function 019509AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12ec6d00cb458d55dfabba1d38e5eef06855dde7749e598b2a343e86a9b84fc
Instruction ID: fec1365c186c49d4f58e30c1f43ff336e8cdc1a16b00236c2bd14fd711c0a2c3
Opcode Fuzzy Hash: c12ec6d00cb458d55dfabba1d38e5eef06855dde7749e598b2a343e86a9b84fc
Instruction Fuzzy Hash: FE416A71A00601EFD761DF18C840B26BBF8FF94715F688A6AE84D9B251E771E942CB90

Function 01980710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 09894ac5e6282fc59bd3735fac37f7cbff7798ec5b185cd9ad3c53cf258ca8b4
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 4F412971A00705EFDB25EF98C990AAABBF8FF18700B14496DE55AD7650D330EA48CF90

Function 0195262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4561c151ffad82b9e0b1df70da4e336b78b88d93025e97a7d2a661422912cc
Instruction ID: 905f89f99aa253910d46aac82da3bc88319daafb8478514f8491a4f6f36d06e8
Opcode Fuzzy Hash: ea4561c151ffad82b9e0b1df70da4e336b78b88d93025e97a7d2a661422912cc
Instruction Fuzzy Hash: 1841E671501705CFCB62EF28C940B69B7F5FF95311F14856AC90EAB2A1DB30A941CF91

Function 0198C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c711d62db26d6fa2d88666010f89e9d9761bf3bcf8097c5448555d33be1948
Instruction ID: 2008b692b19c0f4c96932cfc555f9c3c385433c458bbb44d80b7247537f3665a
Opcode Fuzzy Hash: d2c711d62db26d6fa2d88666010f89e9d9761bf3bcf8097c5448555d33be1948
Instruction Fuzzy Hash: F3319EB1A00345DFDB11DF98C440B99BBF4FB49B25F2185AED119DB251D3329902CFA0

Function 019D07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9ca764a8f026e75347d8f2f1dda08d67f6032e6ebd651af34058b54146a104
Instruction ID: 21ce02aa9adf694f4668bbe52931bcdb7ebcabee7c6ba7bcafd83cb5607ac10d
Opcode Fuzzy Hash: ec9ca764a8f026e75347d8f2f1dda08d67f6032e6ebd651af34058b54146a104
Instruction Fuzzy Hash: 62416A719043419BD720DF29C845B9BBBE8FFC8614F008A2EF59C87251D7719905CB92

Function 019D05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7531a1a6b7928b8f7b67839afa6fcdd8d861935315b359a5f2c479109759d6d
Instruction ID: a54023b4c1a20a725b7d1050c3e5aa1956a2d5179be4b6d05554c50225ad4801
Opcode Fuzzy Hash: d7531a1a6b7928b8f7b67839afa6fcdd8d861935315b359a5f2c479109759d6d
Instruction Fuzzy Hash: 5241C3726047429FD320DF6DC840AAAB7E9FFC8700F18861DF95897680E730E915C7A6

Function 01954859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a4519f172b9acd62f39a34af4cd45f8455f6d6221e5dcfd904988280cff49b
Instruction ID: 7514430c785d0457fbe2a9bc89cd4537935bbe120ef0b4ca824278b1684c62ae
Opcode Fuzzy Hash: f9a4519f172b9acd62f39a34af4cd45f8455f6d6221e5dcfd904988280cff49b
Instruction Fuzzy Hash: 4841E3302003028BD7A5DF18D8A5B26BBF9EFC0B51F14442DEE4DAB291E730D991CB51

Function 019602E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 2f74e93bd13b5aabf760470a2ae418993ab6c196e0274e5a35b2fd464c6a5caa
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 18311531A04244AFDB128B68CC80FEABBECAF54350F0845A5F85EE7352D2749944CBA4

Function 019FE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae1c34e0783f3581070b51a19374a96c0a94d1b91df2dc431138d02610ab2a7
Instruction ID: 28f750bc081ff13a975eb8676c10ed9a3b200a4e47a368e04f176bd80f4af7a2
Opcode Fuzzy Hash: 1ae1c34e0783f3581070b51a19374a96c0a94d1b91df2dc431138d02610ab2a7
Instruction Fuzzy Hash: 42318835750716BBD722DF698C41FAB76B9AF99F50F01002CF708AB2A1DAA4DD01C7A0

Function 01A04B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468cb7d7811ec95a898814e83b1ce9f5638831906db46b70b588916637d67196
Instruction ID: 19f318091a9b69a5e935b39910b47e627a9c200d9a5e5769946ce45b9029eb9a
Opcode Fuzzy Hash: 468cb7d7811ec95a898814e83b1ce9f5638831906db46b70b588916637d67196
Instruction Fuzzy Hash: 6531C1366056018FC322DF19E880E26B7E5FBCA360F09446EEA998B295D731A815CB91

Function 01954260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67aa6b1f1ee7893d780aeb9a73a0230f3462eb8a4baa0b0976cbb7744f0fb744
Instruction ID: 9323df6cb7a45ef57e3914181ee9c6d70847e5594980101de8115c56268c94e8
Opcode Fuzzy Hash: 67aa6b1f1ee7893d780aeb9a73a0230f3462eb8a4baa0b0976cbb7744f0fb744
Instruction Fuzzy Hash: 8241BD35200B459FD766CF28CA81FDBBBE8AF89354F044829EA5D9B261D734E844CB60

Function 01A04BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f3401b19d5638cbeacc7edd6d1d810e9a6257e2a6353b93debea8c05567471
Instruction ID: 6df1c42e71cba3649714fa6adfda8d34788af22cbd6afb2f6bb9389a01729140
Opcode Fuzzy Hash: 22f3401b19d5638cbeacc7edd6d1d810e9a6257e2a6353b93debea8c05567471
Instruction Fuzzy Hash: 4631CB356047018FD321DF29E880A3AB7E5FBC9720F09492DFA998B290E730EC05CB91

Function 019CEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60d58851b74f620bdb8c995b3acef120c430b304312126f5608297575d98daf
Instruction ID: e6e490b28010ef4f1da55eb441eacc54627d4182fd0782a0098344fcc7d10296
Opcode Fuzzy Hash: b60d58851b74f620bdb8c995b3acef120c430b304312126f5608297575d98daf
Instruction Fuzzy Hash: 3331A1316416829BF322575EC958B357FDCBB80F85F1D00A8AB8F9B6D1DB28D840C232

Function 01A161C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98034f160ad3289377ece0e3e2cdafb021796cbdb675301ee2dc6e84cff1304b
Instruction ID: de42c8acf726e5b54fd9822c6231b550fc8a4f59244f770b4d4660c8f33e81a0
Opcode Fuzzy Hash: 98034f160ad3289377ece0e3e2cdafb021796cbdb675301ee2dc6e84cff1304b
Instruction Fuzzy Hash: B431C475E0016AABDB15DF98CD40BAEB7B9FB44740F454169E908EB248D7B0ED01CBA4

Function 019F483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e632e807c559eebafa355086ea502042a282bde932e24d6b5b0e3f1ee659c2
Instruction ID: 5db35bce23584fd5ace74c9a73a7e7cc0de242192141d555415fa5feb4cc799e
Opcode Fuzzy Hash: a7e632e807c559eebafa355086ea502042a282bde932e24d6b5b0e3f1ee659c2
Instruction Fuzzy Hash: 25316576A4012DBBDF21DF55DC84BDE7BB9AB98750F1000A5AA0CA7250DA30DE91CF90

Function 0197EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfaa5c3684b611a6c1a0397d2e722481652e2627f84c59529292e2312324bd6
Instruction ID: fcea9e56b8ba8c7b365b9df33cb389a203aaa8da3821b402d6b211080d173e9a
Opcode Fuzzy Hash: 1dfaa5c3684b611a6c1a0397d2e722481652e2627f84c59529292e2312324bd6
Instruction Fuzzy Hash: 10318476E00219AFDB21DFAACD40BAEBBB9EF44750F114565E919E7250D6709A008BA0

Function 01A160B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edad13c86182a03e53f27533df412c8197eb28db7c6c32937f53b4af071f9951
Instruction ID: 68e182f2470646f1d328b2b3513416ad65eb06a21945bf52155a4602ba7498e7
Opcode Fuzzy Hash: edad13c86182a03e53f27533df412c8197eb28db7c6c32937f53b4af071f9951
Instruction Fuzzy Hash: FE312735B00312AFDB229FA9CC50B6EB7B9BF84750F044069E50DDB346DAB0DD008B90

Function 019507AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8798ee04cce3439e1b8a4ff2d519eb4b8a0d198e4a111f3688e20888a50141
Instruction ID: b35677dbc12931ba517683499b020c7cc879ae4614f0c621a44b2c30bee663c2
Opcode Fuzzy Hash: 7d8798ee04cce3439e1b8a4ff2d519eb4b8a0d198e4a111f3688e20888a50141
Instruction Fuzzy Hash: 7931C532E04616EBC752DE288880E6BBBB5AFD4750F094929FE5DB7310DA31DC0587E2

Function 01958550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff0a22d05609a850c720ff7196f1733c9a4062b6dd0936c53e51db6a6c462ad
Instruction ID: 2b75153dccbaababecc1bf1cc2e4ae3d0824e2e01cd69791aa7d9b774a9994b9
Opcode Fuzzy Hash: cff0a22d05609a850c720ff7196f1733c9a4062b6dd0936c53e51db6a6c462ad
Instruction Fuzzy Hash: 5A31AE716093019FE360CF19C980B6ABBE9FB88705F0449ADF988AB351D770E844CB91

Function 0198A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: ceb6ec316d37384af81ec25f3d019fd482c40a7721801e068a2ea35d68ad5713
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 0B312EB2B00B01AFD761EF6DCD40B57BBF8AB48A50F04092DA59EC3650E630E900DB65

Function 019FEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9091ffac472d55b20039a13c25f59cd150b80642ca6a243003ad0c9ed0454e
Instruction ID: 14014a232d5fc92a69867985020e65d3de8830eb5ad8dbe112905c4e2062c0f7
Opcode Fuzzy Hash: fb9091ffac472d55b20039a13c25f59cd150b80642ca6a243003ad0c9ed0454e
Instruction Fuzzy Hash: E531DAB1909341AFCB20DF19C540A5ABBF9FFC9205F0549AEF58C9B221D331D944CB92

Function 0197438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ae99a41a02c4a13711cd3872d1620e9c76fa3fbec9b57099e793752208c0a6
Instruction ID: ffc783d5d018dfb2d9130b2679d3734427b6f48ddf784398e408134cad86496b
Opcode Fuzzy Hash: a9ae99a41a02c4a13711cd3872d1620e9c76fa3fbec9b57099e793752208c0a6
Instruction Fuzzy Hash: 6E31B131B00206DFD721DFA8C980AAABBF9BF84744F008529D54ED7295D730E941CB91

Function 0194CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: d338f9bc1d35f69153e8860b6124b55e642b89cbd0d27b8754977fc55e0978e3
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: AA21F236E0125AABDB10DFB98800FAFBBB9AF54740F058436AE19E7340E670D904C7E4

Function 0194C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1739f6578b9c0491050aa7517c7bba4bc828364feaf5d4e1086e963f136f6e5f
Instruction ID: f0d4cb72fba7956d84486db9fc772fa20ea1b2a07b0b7421c8f8da2b5b494bca
Opcode Fuzzy Hash: 1739f6578b9c0491050aa7517c7bba4bc828364feaf5d4e1086e963f136f6e5f
Instruction Fuzzy Hash: CF315BB55002018BD735AF58CC40B697BF8BF91314F9481A9DD4D9B742EA34D98ACBE0

Function 01A0C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 994b4002aeee593a3c7ff2d63da513af4fa9289abe42c9bbb0325a3dc465410d
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 32214B3A600652B7CB16AB959C04BBBBBB4FF80720F00815AFA99876D3E635D940C360

Function 0194E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c26640689613010e899ec5913f2bc26b5dc5a01161537efc7e5201bf7a5ab52
Instruction ID: b31085d8e2214402ab75283c9e1b325f6371c74beaef999660e61bad87289b1c
Opcode Fuzzy Hash: 5c26640689613010e899ec5913f2bc26b5dc5a01161537efc7e5201bf7a5ab52
Instruction Fuzzy Hash: B431D631A0011C9BDB31DF18CC41FEE77BDBB55B50F0104A1E64DA7290D678AE818FA0

Function 01984588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: cc859b2a644da527701934dfba23e8627d28b10beccaafa6fe406344a5716f35
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: FF217131A0070AEBCB15DF58C984A8EBBB9FF48718F118069EE199B241D675EA05CB90

Function 019844B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b2ca4703070f5dec8dad0af33f46d96c078fca3428241391f9934506b236a2
Instruction ID: af91c10a13ca39977d35d99acccd3d84671a0826c863ae51028f360a347df166
Opcode Fuzzy Hash: e5b2ca4703070f5dec8dad0af33f46d96c078fca3428241391f9934506b236a2
Instruction Fuzzy Hash: 272181726047469BCB22DF58C840B6F77E8FF88761F054919FD5D9B641D730E9018BA2

Function 0194E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: d60afbe0861d8d5d4bd0a16cba8a5337d0529a8391f5bd20e655cbd3b9ab4688
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: F931AB31600605EFD721CFA8C984F6AB7F9FF85354F1049A9E65A8B681E734EE01CB50

Function 019CE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697d13f1c5f30f72d6229e6d46edf2ad2c9ab8e13bf2550211a0351ff00150df
Instruction ID: 7a3c371a7b058479d8a7142d984df38d4cc257494bbf8e8126b4e9cca8b92167
Opcode Fuzzy Hash: 697d13f1c5f30f72d6229e6d46edf2ad2c9ab8e13bf2550211a0351ff00150df
Instruction Fuzzy Hash: BB317C79A102469FCB15CF18C9849AEBBB5FF84704B15445DF88E9B391E731EA40CB92

Function 019D06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae0b6fa5fc7a8596d2479aeddacd7ca2e6ff8d43026cde8a589f76850bbde55
Instruction ID: 6342c522e49018785f10a3fbf10fcd923de023aaabe3c11483c45af67f0fbba8
Opcode Fuzzy Hash: 5ae0b6fa5fc7a8596d2479aeddacd7ca2e6ff8d43026cde8a589f76850bbde55
Instruction Fuzzy Hash: 5B219175A00129ABCF11DF59C881ABEB7F8FF88740F554069F945EB250D738AD42CBA0

Function 019D019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9526c0119a46f9812752c2bcb0c03dc137773efdc843038962a07a17b07c60a
Instruction ID: 7a082fe33d0c327d859d29f1038128c40b15aca0eb86fa3fa1701e160329d2bb
Opcode Fuzzy Hash: f9526c0119a46f9812752c2bcb0c03dc137773efdc843038962a07a17b07c60a
Instruction Fuzzy Hash: 17219C75A00645BFDB15DB6DC844F6AB7ACFF98740F184069FA08D76A0D634ED40CB68

Function 019D0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e0b55abe88540ab364c3e491d13790bb93f830346351fdf925e6fb26152bf6
Instruction ID: a459231ab2ec4fdb85be4bbe56d6ec5ebf02284a10305fbdbe34bcd5d7d21214
Opcode Fuzzy Hash: f4e0b55abe88540ab364c3e491d13790bb93f830346351fdf925e6fb26152bf6
Instruction Fuzzy Hash: 2521A1729053469BD711EF5AD848B5BFBECAFE0240F0C8856BE8887251DB34DA04C6A2

Function 01972835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5551fe86b2e6f5ff780e7472711055e675e41b8874844d3190a2277acc2cc1
Instruction ID: 65ba8c47439dbf259650ded48f6421aaf0c855b307dac26a6d4a1fd9a710a786
Opcode Fuzzy Hash: 1e5551fe86b2e6f5ff780e7472711055e675e41b8874844d3190a2277acc2cc1
Instruction Fuzzy Hash: 0C2138317146C2ABE322976D8D54FA43B98BFC1775F280364FA2C9B7E2DB69D8018211

Function 0198A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f041461cb0f6ee728027aa3686e9bd2abdaac21fc185a411661a751595c343
Instruction ID: 6507b19c5aba7a7a3c43d1f2b68a3744398970b4d12c95860d9edff0c143b098
Opcode Fuzzy Hash: 21f041461cb0f6ee728027aa3686e9bd2abdaac21fc185a411661a751595c343
Instruction Fuzzy Hash: 3621AC79200641AFC725DF29CC00B4677F9BF98B04F24846DA54DCB761E335E842CB94

Function 01A0A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d63f447c077bddfdc0aa4c654a07178f8a7b14a08db97d127e23ec4b42aad2
Instruction ID: c725beae79153d637dd471354267f13050aa0077c0e47db87200c2cd6ae88e11
Opcode Fuzzy Hash: 89d63f447c077bddfdc0aa4c654a07178f8a7b14a08db97d127e23ec4b42aad2
Instruction Fuzzy Hash: A9110673380B11BFE7235A69AC01F677699EBD4B60F550028BB18DB2D1EBA1EC018795

Function 019D0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ce4f2c6fa5d98c627deffe4fc01eb4da9999451d6e67c2881b2916ee72ce1b
Instruction ID: 65c1b028f1359e332cbac9b2d2cb24480a41c97aa1d908324660b986e3b2b842
Opcode Fuzzy Hash: d9ce4f2c6fa5d98c627deffe4fc01eb4da9999451d6e67c2881b2916ee72ce1b
Instruction Fuzzy Hash: B521E9B5E00219ABCB24DFAAD9859AEFBF8FF98600F10412EE409A7254D6709941CB64

Function 019E80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: b9bd9b05d7e8782900fd8c8c02b5ab7bea34880e6f9e52a217371494ad5b4e74
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 53216A72A0020AAFDF139F98CC44BAEBBFAFF88310F214819F908A7251D734D9508B50

Function 01980124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: bcff70dc432c064ceb66f0313ddf4640b1c070ecdd81a43fc5be91a2aa2e00ff
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 50110173600609BFE722AF48CC81F9ABBBCEF80764F144029F6088B190D671ED48CB60

Function 01958770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e354d957974ba8033fcce7e55d2f9d89b7f07eec535d4f151f2ca14e86bb907
Instruction ID: c8229ca4fee20e9b180e1f3b71711acc8e55721ce07ae5b4d57dbfb204581ccc
Opcode Fuzzy Hash: 6e354d957974ba8033fcce7e55d2f9d89b7f07eec535d4f151f2ca14e86bb907
Instruction Fuzzy Hash: 1611C471700611DBDB91CF5FC4C0A26BBE9EF9AB51B19406DEE0CAF205D6B2E901C790

Function 0198AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 65e344a5bc1ebd8fc286eceba61467fcee134628484aa20a10b0efc38e0be0b1
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 07218B72600A41DFDB35AF49C940E66FBEAEB94B51F15887EE94E87620C730ED01CB90

Function 019580E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b656805b1edf83d8b419ae138013453bf7f37d232d6d230f8b0e189b086f49
Instruction ID: 95f159c1c2037e42becdea30258496f71823b14adfa0a03a59df1b0f573daf9f
Opcode Fuzzy Hash: 65b656805b1edf83d8b419ae138013453bf7f37d232d6d230f8b0e189b086f49
Instruction Fuzzy Hash: A9216D75A00206DFCB14CF99C581AAEBBF9FB89318F24456DD509AB311DB71AD06CBD0

Function 0198674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9337f7a97c68b57509e45fde2fb9afd9c5f8285fafdd830aa18cab884ad6dd9a
Instruction ID: 7081d3fb8d84d19b685f9211c548fadd7fbdb7186ec440eb17269e5a4c2274b4
Opcode Fuzzy Hash: 9337f7a97c68b57509e45fde2fb9afd9c5f8285fafdd830aa18cab884ad6dd9a
Instruction Fuzzy Hash: B1218C75610B01EFD721AF68C880F66B7E8FF84351F00882DE59ECB250EA30A840CBA1

Function 0197E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1561d314cafd99ccc05400c4054ef7644c407858fbdc1017d60aaa531c46a7e6
Instruction ID: d20487fa5952c4894b643dfdfdf0ffea6d72d3ea293cf9614599dc79814cf425
Opcode Fuzzy Hash: 1561d314cafd99ccc05400c4054ef7644c407858fbdc1017d60aaa531c46a7e6
Instruction Fuzzy Hash: 2B1126337041159FCB19DB29CD85E6B726AEFD6374B254969E92ECB290EA309C02C390

Function 019E6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e74d9c80e2d32b5cd26cb5417ecd54829b60337efcf2790c4ac963149a285a
Instruction ID: 7722b464ba3550fdddd3863dcb5a31b3ae39fe92cd74dde30fb026aecb170786
Opcode Fuzzy Hash: e4e74d9c80e2d32b5cd26cb5417ecd54829b60337efcf2790c4ac963149a285a
Instruction Fuzzy Hash: 21119E32240614EBD723DB5DCD48F9A77ECEFA9B61F114025F6499B261DA70ED01C7A0

Function 019866B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5bdf3d392fb2c134a4d13e5787b73d448c0eee275c0a0b11664551a005f016
Instruction ID: b0dacd757e48da9c36676619fd5981acf8cc00689e5657b303936d3e4f31076e
Opcode Fuzzy Hash: 1d5bdf3d392fb2c134a4d13e5787b73d448c0eee275c0a0b11664551a005f016
Instruction Fuzzy Hash: B9118C7AA013459BCB25EF99C580E5ABBE8AB94750B05407EE90DAF311EA34DD01CBE0

Function 01A1A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: a28ed75a1c3ceb37643202bbf974bb69c96e668fef0082341ce2f233c3a700e2
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: BE110436A00905AFDB19CB58C811B9EBBB6EF84310F098269E855D7344E635AE41CB80

Function 01950AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 4953954d87d1b3a2d8abefa9c0aa0974dff0d3ff290f9144871ffd8f493e5c76
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 102106B5A00B059FD7A0CF29D481B56BBF4FB48B10F10492EE98AC7B50E371E814CB90

Function 019DE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: ca818b8a2b855cd19f01d38a847fb57da4e25b3e9ebcc5c2e49b8d81a115c221
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: DC119E32600601EFEB219F48C842B5ABBA9EBA5799F05C42DEA0D9F160DB31DC40DB91

Function 019727ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbbd601f08f970169ab546f04583088eb1633d9f69ed5b31a5fd48382253fa3
Instruction ID: 3973ddb7cdde53d5a8329212f3f4bc464f592b11c20ea9dd78ced4f0dc191874
Opcode Fuzzy Hash: dbbbd601f08f970169ab546f04583088eb1633d9f69ed5b31a5fd48382253fa3
Instruction Fuzzy Hash: B7012231705645ABE326A36ED894FA77BCCEFC0395F090465FA0C8B241DA25EC00C2B2

Function 01954690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c5d204be4ca4f5fe13f376d9bab32ec0b8894eb9c08e618476ed36c9b5705f
Instruction ID: cb334b38eaf0f438095e235ca25a0f751febceba6a021cff7dd899f8ea66bb11
Opcode Fuzzy Hash: 29c5d204be4ca4f5fe13f376d9bab32ec0b8894eb9c08e618476ed36c9b5705f
Instruction Fuzzy Hash: E2110236241644AFDBA5CF59C840F567BA8EB86B65F004129FD0CAB250E330E880CF60

Function 01986620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af98d9a6c7b2692972bae2e5e29417031a13acc3615da5351c2694b995a2c358
Instruction ID: 6600dfa69a571482bd0eb3e6fe4e5b4e0ebfa42c258aefbe764184d99b44c776
Opcode Fuzzy Hash: af98d9a6c7b2692972bae2e5e29417031a13acc3615da5351c2694b995a2c358
Instruction Fuzzy Hash: 4011C276A00656ABDB21EF59C980F5EFBBCFF84745F510055EA09BB201D734AD018B60

Function 0197EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5cbea81b02d597717688f49bdd4ecfd1ed76e4ddf0df810814a787020b5c42
Instruction ID: 34f21c5e0c67736aecf7e1eb841c2faefd0e330f671b3bdef9f6359f4d426348
Opcode Fuzzy Hash: 3e5cbea81b02d597717688f49bdd4ecfd1ed76e4ddf0df810814a787020b5c42
Instruction Fuzzy Hash: 4601B57590010A9FC729DF19D444F26BBF9FFD5718F2081AAE1098B661C7B0DC46CB94

Function 0197E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: edf1a2f625f5a25f598fe285dff22d6caa18dccd42462b9d8d2255c977a5f18c
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: BB11E5722016CA9BEB23972CCEA4B653BDCAF41789F1904E0DE4D87642F328D942C260

Function 019DE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 8d3c130e27357ff3470a8b6b0a879e0aa7dc1c6da8c6cc88766c5765b44df265
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 03019236A00505EFE7619F58CC00F5A7AADEB85755F06C425EA0D9F260E771DD40D790

Function 0194A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: da87c52ccd84717707c67f5a7dcef1bc04ce0b73e0998319ff5eec7b6c7febb5
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 4E012631544722ABCB318F19D840E327BA8EF55761700892DFC9E8B281D335D400DB60

Function 019CE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af47ab00ef4a6506d897d988baa4c29855b9145c7d337a2e9a023fd22dc3f4f
Instruction ID: d064ca953b03365093ffd2d5771af5c30b0e187c039d1b4ee8d53e13e48c172a
Opcode Fuzzy Hash: 0af47ab00ef4a6506d897d988baa4c29855b9145c7d337a2e9a023fd22dc3f4f
Instruction Fuzzy Hash: 69118E31241241EFDB15EF19C980F16BBB9FF94B54F100069ED0A9B651C235ED01CAA0

Function 01956259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61dbc3778e2255e9a978554106872154decc99f052cd583269d27282e2348fe
Instruction ID: 95e968f51a5f375d5daeaedfce7a781cdb3f25a4b3574d3c6790516298132513
Opcode Fuzzy Hash: b61dbc3778e2255e9a978554106872154decc99f052cd583269d27282e2348fe
Instruction Fuzzy Hash: 5E115E70542229ABDF65EF68CD41FE9B2B8AB89710F504195A71CA60E0DA709E81CF94

Function 0195208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: b66995dd615a9a4e84fa0a4dcd130939598ae7932e8089a71aefa085c0d23196
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 2B01F132601210CBEF51DB2DD880E96B76ABFC4700F5944A9ED0D9F246DA71D881C7A0

Function 019D6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172e3c9a3a75f832c625be564ef3dba317069553a366895bec54515a710e6d42
Instruction ID: db6c4ee2da155c4da0b602795f162f56d8d27eb0cf2357ff264d4d8e05faf65d
Opcode Fuzzy Hash: 172e3c9a3a75f832c625be564ef3dba317069553a366895bec54515a710e6d42
Instruction Fuzzy Hash: F4111777900019ABCB12DB99CC84DDFBB7CEF88254F054166A90AE7211EA34AA55CBA0

Function 019E6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bfb3cf6a25f57a188da79e4c9b7a53af9dbc82c3d5ae5b78ec0738994b2da1
Instruction ID: ab335cd7db9798d2f97f17036525af2864ac28482002df2b7cb11ce14e76ffc9
Opcode Fuzzy Hash: 51bfb3cf6a25f57a188da79e4c9b7a53af9dbc82c3d5ae5b78ec0738994b2da1
Instruction Fuzzy Hash: 9811A5366441459FD712CF58D800BA5BBF9FBA6314F088159E8498B315DB32EC45CBA0

Function 019DC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0124a1d097093238a4d2aa0e7c98663f33d11ae3c34782a51c9a9adf2d8e77
Instruction ID: 504c2aa894dff2567db7ba75b8cbc1634ce2d27c6c6a8a6544abe28e41e4ec9e
Opcode Fuzzy Hash: de0124a1d097093238a4d2aa0e7c98663f33d11ae3c34782a51c9a9adf2d8e77
Instruction Fuzzy Hash: FD11E8B5E002499FCB04DFA9D541AAEBBF8FF58250F10806AA909E7351D674EE01CBA4

Function 019FEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48ded49ffd05a7a92b7defb7879f43b387a605effb4c4ae47d05d80ad05d2da
Instruction ID: dad83ff8e7f931b9df321dbf76ed674f048fa4c18fd96c457ab39383cae9f95e
Opcode Fuzzy Hash: b48ded49ffd05a7a92b7defb7879f43b387a605effb4c4ae47d05d80ad05d2da
Instruction Fuzzy Hash: DA01D431540211ABCB32EB298540D7ABBBDFF92692B46442EE74D5B221CB30DC45CBA1

Function 0040E483 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb00009f6a825d3679a41d93bef44202385354ad8d44b47355ba06977e77ea64
Instruction ID: d153bac1122272ab4c35090c4335f468c58802f86980d9cc968268f0ea520d3c
Opcode Fuzzy Hash: eb00009f6a825d3679a41d93bef44202385354ad8d44b47355ba06977e77ea64
Instruction Fuzzy Hash: 1101267760030467C719DA9AEC41ED7B3E8DB89324F40496EF71DE7281D234B9648BE8

Function 019920F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe3fcd7ca9a6de06c8981ebcde8ec013560ddf11cd3507790740f9438853a28
Instruction ID: d0271ff951eb20db539090b4ef9823a2c7970757d5de31b123b4adde158cba01
Opcode Fuzzy Hash: 7fe3fcd7ca9a6de06c8981ebcde8ec013560ddf11cd3507790740f9438853a28
Instruction Fuzzy Hash: CF118075A0020DAFCF15DFA8C851FAE7BB9FB88784F004059F90997250E635EE11CBA0

Function 0194C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 2704ea672aa5116d538bd07ecc0a2fb8397d70568dd1f92360e5b93b524b3924
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: DD0128322007059FEF22DAAAC800EA777EDFFC5210F448819E69E8B940DE70F405CBA0

Function 0198E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3108e52509c8b3b8009527c7e3a6df4de32c61d36a5e4d25a2888d1460c9b63b
Instruction ID: a94d78db3bff803d2a5b5105dc1a5278fe6bd6ef5d20aca745da1efd7efd278d
Opcode Fuzzy Hash: 3108e52509c8b3b8009527c7e3a6df4de32c61d36a5e4d25a2888d1460c9b63b
Instruction Fuzzy Hash: 0A018FB2601A42BBD711AB69CD84E57BBACFFD5BA4B00062AB50D83551DB24EC11C6B0

Function 019E69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4cab08a3719c6512337eda7bafc57196b9cbbb89a2d1fe617bbcab262538b0
Instruction ID: 10e47437331ab43ecb01bfec671b3d13520ba272175bc66c73ab807b5a787768
Opcode Fuzzy Hash: 5a4cab08a3719c6512337eda7bafc57196b9cbbb89a2d1fe617bbcab262538b0
Instruction Fuzzy Hash: E301FC326142029BD721DF7EC84C9ABBBECFFA8760F114529E95D87180E7309901C7E1

Function 019DC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f7619036f39cc00c825d37b4325eaf54ab6f7f1e78718d76d46f38823519dc
Instruction ID: 285e7e348c60b980ca544f190ec53a86735e1c9cd1d497448a3c0dbbe65a24b2
Opcode Fuzzy Hash: 84f7619036f39cc00c825d37b4325eaf54ab6f7f1e78718d76d46f38823519dc
Instruction Fuzzy Hash: 87115E75A0020DABDF15DF68C850EAE7BB9EB98644F008059F90597340DA35E911CB90

Function 019DC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978b4ff12f3938f6300b725f2957c6b3c90cb34e3066babf2e6b1d6d763e9640
Instruction ID: 9016c1b0d337dafe9df83a8c066735fc3ca01b59a0378551662d8428258894b8
Opcode Fuzzy Hash: 978b4ff12f3938f6300b725f2957c6b3c90cb34e3066babf2e6b1d6d763e9640
Instruction Fuzzy Hash: 57113C716153459FC700DF69D44195BBBE8EF98750F00851EB998D7351E630E901CBA2

Function 01A24A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: fda57cd4cfddeed0c6e4059f3d2cd7b83e82d9aa946a3b63916da85ef098c139
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: FF01F732200A11DFE725DB6DD844F97BBEAFFCA610F094819E6468B650DAB5F840C794

Function 019DCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcfa33424a630f18eebfeb201c8e1eb11d8fcc16e4c846a34aee0470f470890
Instruction ID: bba44c5a18e049b39fb6e96a6464ea59f50490f29c707625920b0373ca8f7f35
Opcode Fuzzy Hash: 9bcfa33424a630f18eebfeb201c8e1eb11d8fcc16e4c846a34aee0470f470890
Instruction Fuzzy Hash: BC1127B56183099FC710DF69D44195ABBE8AF99750F00891EB958D73A0E630E901CBA2

Function 0196E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 513298093767eb05cd42474478626756b0d09a0695b37ee10eaa447c4bfab240
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 25017C32208580DFE322C61DC948F367BECFB94754F0904A1F90DDB691DA29DC40C661

Function 0194826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420ff8c3801090228759d69e091f043c7b27a62306dc931dce59f9ec48441bd2
Instruction ID: a2d45d4b0a5707d5bbcca54cb84461741b92b659d0e3da35211a0d74de72f2df
Opcode Fuzzy Hash: 420ff8c3801090228759d69e091f043c7b27a62306dc931dce59f9ec48441bd2
Instruction Fuzzy Hash: 0D01A236B00615EFDB14EFAAD804DAEBBEDFFC0650B158029D909A7644EE60ED02C791

Function 019FEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b26e14347e5b62945db865d5181c6d474f3de3394d4817dbad7532c9b49e41c1
Instruction ID: 556d38ce58bff928ab699998b4dd906c84ea0543fd29c8f29df578b28e6ebf1d
Opcode Fuzzy Hash: b26e14347e5b62945db865d5181c6d474f3de3394d4817dbad7532c9b49e41c1
Instruction Fuzzy Hash: F501D471280615AFD731DB1AD800F02BBA8AF95B51F11042EA3498B3A0C6B198418B64

Function 01952582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df3f0bda640c9dfbeba8bed6dc6125e024ab5b6d7206fa8434708f6aa07b055
Instruction ID: d2425622bd971cfdce73e8010ea47fbf7207c20ab50929c910bd76a371d2c2f3
Opcode Fuzzy Hash: 1df3f0bda640c9dfbeba8bed6dc6125e024ab5b6d7206fa8434708f6aa07b055
Instruction Fuzzy Hash: 2BF08132A41B11B7C736DB5A8D40F57BAADEBC4B94F154429AA0DA7650DA30EE01CBA0

Function 0197C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 444cfeca131474af9a02b3e9732b5387abd95c1a3b0399fe4050d31c4b53e27d
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 1BF0C2B2600A11ABE735CF4DDC40E67FBEEDFD1A80F058128A519C7220EA31ED04CB90

Function 0194C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 2f0ab353d3817378c9b598f8fd3cde861a0c04e5ac074f90575f0ca42f6ac7ea
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 05F02B33247A33AFDB365A9D4C40F2BAA998FD1B65F1A0076F60D9B204CA649D0297D0

Function 0198CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 33b67d0f76052e453430f5b41ec993ed2874e818b0a95798fadd1a235bee7385
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: D701F4322006859BD722A71EC805F99FB9CEF91B54F0844A9FA5C9B6A1D679C900C221

Function 01A261E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655508925e87536f26d8cc1476718576b4a6c755b09e0e10ddc6f36c49527402
Instruction ID: e366eb377496710502036afa1dfb8a6d09b54237838e682b705156f19d9a9cf2
Opcode Fuzzy Hash: 655508925e87536f26d8cc1476718576b4a6c755b09e0e10ddc6f36c49527402
Instruction Fuzzy Hash: 2F018F71E012599FCF00DFA9D851AEEBBF8BF58310F14405AE905A7280D734EA02CBA4

Function 019D63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 3cb12c3930949ef9cd5ce7179b6e6b15cdf21318fee5174ae77b0a0347bf0e14
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: CAF0F97220001DBFEF019F95DD80DAF7B7EEB996A8B104125FA1592160D635DE21ABA0

Function 019DA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12920d65765050fdb59baa85590329fe0201becb004b43ce41a03c6333613eda
Instruction ID: 60fe09c5b8e7a386a43eb7c5ac95fc9b4b4ee544d93f718fcfee080082b569f5
Opcode Fuzzy Hash: 12920d65765050fdb59baa85590329fe0201becb004b43ce41a03c6333613eda
Instruction Fuzzy Hash: 6201973A100209ABCF129F84DC40EDE3F6AFB4C764F068111FE1866220C336D971EB81

Function 0194C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbe2503f7b35a3ffd4493e8403c02e95c22bb383b00492bdb7677a710229d8f
Instruction ID: 628290f56b43d1047624b3dee81934036d855b70666d10c1b039125cad74f1ee
Opcode Fuzzy Hash: 7dbe2503f7b35a3ffd4493e8403c02e95c22bb383b00492bdb7677a710229d8f
Instruction Fuzzy Hash: 86F024712053519FF31896599C01F32B29AFBD8752F25802AEB0D9B2D1E970EC018394

Function 0198656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeaa296da4c814955f7c8d0a4697ac31f65ac99db1d76d34571942eb28b9a7ea
Instruction ID: ed972ae8da6821d55030d7fb8b751c1b000759832cc5d56d025feca5c5a86a10
Opcode Fuzzy Hash: aeaa296da4c814955f7c8d0a4697ac31f65ac99db1d76d34571942eb28b9a7ea
Instruction Fuzzy Hash: C401A4747006829BF323AB6CCD68F2637ACBB95B45F480594BA4D8F6D6D728D402C621

Function 019F437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: d4f41f3eb1365823a58f81c77bbb264b724f10ebee07016b13233538966e12a5
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: B1F0E93538191367EB76BA2D9A10B2BA6DDDFD0A52B05052C970DCB680EFA0D800C790

Function 019DC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d1fc09fae9fec73e32592f3187e6e876a37b7a60b95fbdfbe13e3fdb2fa109
Instruction ID: 23c0abb7e68eaafb70852b5ed5f76e61de71f2408465b016514af133437f110d
Opcode Fuzzy Hash: 11d1fc09fae9fec73e32592f3187e6e876a37b7a60b95fbdfbe13e3fdb2fa109
Instruction Fuzzy Hash: 5DF0AF706053449FC710EF69C942E1AB7E8FF98710F40865EB898DB390E635EA01CB96

Function 019DE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 6ced423e15dc76721a25028915a14059363d95cd182876878ec65390789cc1f9
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: CFF05E32B116529BE3219A4EDC81F16B7ACAFD5A60F194465AA0CAF264C760EC0187E1

Function 01980854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 4d038fe74d4a79fb23638aa7e01f2a4cb1db42a7224ac8428f04699848fdaae1
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 37F02472610204AFE714EB21CC00F46B6EDFF98340F188078A548C7170FAB1ED40C655

Function 019DC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973b647f193ae7327701dd699396fb90d77fc4beef9a1058c586e20b359bd89d
Instruction ID: 8c83db8898b6cf97376957d913a4b6b578a86caacdef4ba50bdf8f5ed559745d
Opcode Fuzzy Hash: 973b647f193ae7327701dd699396fb90d77fc4beef9a1058c586e20b359bd89d
Instruction Fuzzy Hash: 1EF06274A11249DFCB04EFA9C515E9EB7B8FF68300F108059B959EB385DA34EB01CB60

Function 019547FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a074d8b58dd96fef80e3a76c429a5525de10f9b21a38a73d108e6b01c93ddc48
Instruction ID: d833da587948958472a80dbde4539d728f7f26e0bc8619f5a39e74beafae1e4b
Opcode Fuzzy Hash: a074d8b58dd96fef80e3a76c429a5525de10f9b21a38a73d108e6b01c93ddc48
Instruction Fuzzy Hash: D8F090319166E19FE7E2CB5CC844F61BBDC9B00625F08496ADF6DA7502E724D8C0CB52

Function 01A10115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b461d6145ff28f567aa4d7a362f44cee73f25d3e47823039df9b34cb21ea0dca
Instruction ID: ec77a768a121d954a1463049ba5e1e905681f26789db1a8c6ca7c3fc991a7669
Opcode Fuzzy Hash: b461d6145ff28f567aa4d7a362f44cee73f25d3e47823039df9b34cb21ea0dca
Instruction Fuzzy Hash: 5FF0272E4167C01BCF336B2C76602D17F54A7C6214F091449D4A8A720AC5B988C3C320

Function 0198C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed77796056c0667b7391bb691d894a135369bd2031542da8c734a8d0fae39c2b
Instruction ID: a06ae45df897cbd4ac127f5a76cc7da21d10dce4d44b7b22c10e70d76a630ed7
Opcode Fuzzy Hash: ed77796056c0667b7391bb691d894a135369bd2031542da8c734a8d0fae39c2b
Instruction Fuzzy Hash: A4F0E2715116579FE322B72CC148BD5BBDCAB447AAF08983AD40E87512C664E880CA70

Function 01992619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: f898a68d1fe47573b66aba05b54b826ead1ae4769860c3f2521d5a25e99cd1c8
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: EBE092323006012BEB129F5D8C84F47776E9FD2B10F05007AB5085E251C9E29C1982A4

Function 019E6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 76c1df3eb0a23811ef56f9c60234df7c210d08a8f4362bbf7ec5dd7ea625eba4
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 75F03072104214AFE3229F0AD948F52BBFCEB55366F46C425E60D9B561D37AEC40CBA4

Function 01950710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: c9d52e5b099355e5e850ae800f3e398ca13132d93a51213d6b57f1d057b9948b
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 29F0ED3A2047459FEB16CF1AD450AE57BA8FB51360B080494FC4A8B341EB31EA82CB90

Function 019849D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 3ca6dcfb79b4e2b8bbfd82bc24bc535ec84f78ec1dbf3a4f2fe631b71320e6d9
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 6AE09232244146EBD7213A598800F66B6A99FD07A1F164429E24DCF150DB70DC40C7A8

Function 019F678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 3860adaf94da6818b3e04ffa075c70812672b78c4b52ff85742c37c72d0a3481
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: DFE0D832600214BBDB2197598D05F9A7EBCDB90E94F054054B704D7090D530EE00C790

Function 019525E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e2ebf5fa34d24caf53af5a6ed9600d02a0a1bc691df64452b0cce3bd4e989d0
Instruction ID: b826e34ad7e71f9b1f47b0f85a0805886cd9390f1b3a332bf584cc3fa962c3c7
Opcode Fuzzy Hash: 6e2ebf5fa34d24caf53af5a6ed9600d02a0a1bc691df64452b0cce3bd4e989d0
Instruction Fuzzy Hash: 37E02232000A80ABC322FB29CC01F8A77AAEBE0360F000125B41D57190CA30A800C798

Function 01A0A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: e0a57d20ff471124d41511aab9523f54e80d764c32e909064d691015b765efd8
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: CEE09231010711DFEB366F2AE848B567BE4FF90711F158C2DA09E024F1C77598C0CA40

Function 019D4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 74d6a079716163c8f4bbf6dfe69c0619af4fdb602c3d2bde54a4eb2e16e30495
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 47E0C2343003059FE715CF19C084B627BBABFD5A11F28C068A9488F605EB32E842CB40

Function 0198CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd5258ac3e50971b27bf343d1f8dc875c689f2da06aff0b1974bd3bcee7c2fe
Instruction ID: 963b754ec6837dd9988c814c7100aee27a79f9d71203f60c3f32d0ac54c9553c
Opcode Fuzzy Hash: 5fd5258ac3e50971b27bf343d1f8dc875c689f2da06aff0b1974bd3bcee7c2fe
Instruction Fuzzy Hash: 93D02E324810217ACF36F268BC08FE37A9DAB84260F068860F10CD2020D625EC82C2E4

Function 0194823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: ba1921034cae65dd777100d570dc7a69b4c0ca73d7ffc6ef367333034a690b0a
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 3EE08C32401A10EFDB322F59DC00F5176A9FB95BA1F104C2AE08E160A88674A881DA54

Function 01952050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df21fdeeccde4bcc85ac9fcf2cb8abd0cbeabadd2b57fc7abe9d9c81fb5560b
Instruction ID: fb634cd3c9b94dc32473469be0d5b3f184e206201f96de71c2aac1268dab4d27
Opcode Fuzzy Hash: 5df21fdeeccde4bcc85ac9fcf2cb8abd0cbeabadd2b57fc7abe9d9c81fb5560b
Instruction Fuzzy Hash: 0AE0C233100590ABC312FB5DDD11F4A73AEEFE5760F100122F95897294CA24AD41C7A8

Function 01988A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: e585201987a5e288dbd7a88a35eaa8abd7b4b55a32d1a7162c7ff94c8616587d
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 88E08633111A1487C728EE18D515B72B7ADEF45720F09463EA617477C0C534F544C7A4

Function 00407B1A Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2238409175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd396f08f9d549be79bf85d2776151beeb7f0039ca39661cb34d6c9a1036463
Instruction ID: 2c51566e30f64cac914dff946990afbd2cbff3ae81b85016355bd01ce4863934
Opcode Fuzzy Hash: 6bd396f08f9d549be79bf85d2776151beeb7f0039ca39661cb34d6c9a1036463
Instruction Fuzzy Hash: 5FC08C32E1961D46E6109D0DFA206F4F3B4EB97B31F1023B7EC1CA714085A3C8838A89

Function 019A6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 6038d18896f29e73d395e14ac8c4f7c93914b3e0bd1c6334c137e86d2d4fadde
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 8CD05E36511A50AFC3329F1BEA00C13BBFDFBC4B11709062FA54983924C670A806CBA0

Function 0198E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: c5ce8cb4981013f35e6f0ca1e9732b81d6a304603c3e710112769329ca16a413
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 8ED0A932614620ABD732AA1CFC00FC333EDBB88B21F06045AB04CC7054C364AC81CA94

Function 019CE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: de42425de40b893d252057406e2f897e4a9fbcead6a253b88f25d4a467e0fb05
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 7EE08C319106809BCF12DF59C640F9ABBB8BB84B00F140008A54D6B220C224A900CB40

Function 0194A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 570a9a22cbbfe5a4ff50dc58039abedddfeac606d84231fd688c53ec4a4ec0f3
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: F0D0223222B03093CB285A556800F636A09ABC1A94F0A002D780F93800C0088C42C2E0

Function 0198A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: c36d0142e659a4ba80b3b4ff18033decafdd0f047528e197b96f28189e6df9e2
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 8AD012371E054DBBCB119F66DC01F957BA9E7A4BA0F444021B908875A0C63AE950D594

Function 0198CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb918f3404fa867f5a0fc72db06ff47332ce3e5b513b7e6024757a14c5808e8
Instruction ID: 6d920812df45a715f8704636ebd52c7e8dfe889e4fcd3f12c46ebfedc0c9bf0d
Opcode Fuzzy Hash: 6eb918f3404fa867f5a0fc72db06ff47332ce3e5b513b7e6024757a14c5808e8
Instruction Fuzzy Hash: 0CD0C734555505DBDF1ADF59C510D6EF678FB54E41B40006CFB4D51520E32ADD01C660

Function 019602A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: b1c5f339428713bce54797b792f0adbce1785cad504b2fc706109ae29c6104f8
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 10D09235612A80CFD61A8B0CC5A4B5533A8BB44A45F850890E446CBB22D628D940CA10

Function 0198C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: e04d7ebb8a87ae73967d17449a48318402be6a65c629fe54dab275b23e6e3ca0
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 08C01232150644AFC7119A95CD01F0177A9E798B40F000021F60847570C535E910D654

Function 01970310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 8a049e5e4fda32720d13df2d8b8e97ab7d92a201811c4b9c5e175439fdd80207
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 35D01236100249EFCB01DF41C890D9AB72AFFD8710F148019FD19077108A31ED62DA50

Function 01950750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 939ca933886948464dba3c869c21c153fb0755470a498aa74d7160341f484ede
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 50C04C757015418FCF15DB1AD2A4F5577F8F754741F150890E909CB721E624E905DA10

Function 01A24DAD Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction ID: e5f1a19a75c4029a2b78098ea3e5bab6ab81e45f41a1f9fdca3786b618d31f58
Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction Fuzzy Hash: 11B01232222545CFC7026720CB00B1832A9FF417C0F0900F0650489C30D618C910E501

Function 01994340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d3dcad10b15cedd4fe97cda05804796d6b73921c65efec178d2d3a8faf61cc
Instruction ID: fc4d8a035ed713427e2a8fa5efa3172086ec4e2df31158b17ad1e5a38d326680
Opcode Fuzzy Hash: 91d3dcad10b15cedd4fe97cda05804796d6b73921c65efec178d2d3a8faf61cc
Instruction Fuzzy Hash: B5900271B05900129140719848985468049A7E0302B95C011E0464554CCA148A5A53A1

Function 01994650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca39f1a7a886c4b30d6b415d7b654252fd28d53cade2066afd14e23e0e6bef02
Instruction ID: 645df70e696363636452dfced04e56a2e357aa70282da6636a750bd637fc93cc
Opcode Fuzzy Hash: ca39f1a7a886c4b30d6b415d7b654252fd28d53cade2066afd14e23e0e6bef02
Instruction Fuzzy Hash: 139002A1B0160042414071984818406A049A7E13023D5C115A0594560CC618895993A9

Function 01992B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e20422b685b9ffb894c998bd2523c9a2b63ae463a6cacc2c7c693a889ac26c5
Instruction ID: 694540880c8400feb45abc9b438e96c2e27ffe64549117b76073a35c0483f889
Opcode Fuzzy Hash: 8e20422b685b9ffb894c998bd2523c9a2b63ae463a6cacc2c7c693a889ac26c5
Instruction Fuzzy Hash: 3A90027170150802D10471984818686404997D0302F95C011A6064655ED66589957271

Function 01992BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0226c9b13a1cffb5800a2b698c35909d594298f71c80358c90d6bd12eec5e482
Instruction ID: dd96507e127cac1bb0f03b473640b8df631da6d190c2cd986256cccd91290efc
Opcode Fuzzy Hash: 0226c9b13a1cffb5800a2b698c35909d594298f71c80358c90d6bd12eec5e482
Instruction Fuzzy Hash: AB900271B0550802D15071984428746404997D0302F95C011A0064654DC7558B5977E1

Function 01992BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43485e2e1a71f8bd74ea5c49ae41a4de4f2638cdb2030466cabc910b7da7df78
Instruction ID: e15a6f9a8b348e72eb563ea6484fa9a66d80e668a4e0fb1443147ba97c9de190
Opcode Fuzzy Hash: 43485e2e1a71f8bd74ea5c49ae41a4de4f2638cdb2030466cabc910b7da7df78
Instruction Fuzzy Hash: 8E90027170554842D14071984418A46405997D0306F95C011A00A4694DD6258E59B7A1

Function 01992AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80eae57173cd0d99de59e42b71ec29c86272df308d268f53b14878ec7548d502
Instruction ID: e9e9402074069fbf954fb892bde0737b9141287893d4e9693851af5c4dcc5c8d
Opcode Fuzzy Hash: 80eae57173cd0d99de59e42b71ec29c86272df308d268f53b14878ec7548d502
Instruction Fuzzy Hash: F39002E1701640924500B2988418B0A854997E0202B95C016E1094560CC52589559275

Function 01992AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d74df494ff591860931073a7b25cc664e226b1b7b8975ccccb281df9c18c59f
Instruction ID: ccf61aa14e93e5ccecca808769476358fee12aa5c07a3c54d36551d037d919ab
Opcode Fuzzy Hash: 9d74df494ff591860931073a7b25cc664e226b1b7b8975ccccb281df9c18c59f
Instruction Fuzzy Hash: FC900265721500020145B598061850B4489A7D63523D5C015F1456590CC62189695361

Function 01992DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3c13311ef6443898b5709cd3806ea0483bceb985aa9a10e1326aece70945fb
Instruction ID: babd470e20c118b0f00735328e00edf4797d12c7bbb66a5ebf543592a41d529d
Opcode Fuzzy Hash: 3d3c13311ef6443898b5709cd3806ea0483bceb985aa9a10e1326aece70945fb
Instruction Fuzzy Hash: AF90027174150402D14171984418606404DA7D0242FD5C012A0464554EC6558B5AABA1

Function 01992D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d25eda3bac0dbcbb619110ec56acc2ee6311a0f4e5c119ce9ed71a6c4a75f3
Instruction ID: 8f77c7f5b8f6c4afa24d2c204b2beba7bc973816d01737cf9e838fba26f88bf5
Opcode Fuzzy Hash: 97d25eda3bac0dbcbb619110ec56acc2ee6311a0f4e5c119ce9ed71a6c4a75f3
Instruction Fuzzy Hash: 8790026170554442D1007598541CA06404997D0206F95D011A10A4595DC6358955A271

Function 01992CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bc406efd63f08c19de69d1fc7ffe98f08b5a130667aaac925825b95426b02a
Instruction ID: 58ee03fd973147737b671596e3c1a854072c1a99c1abe7594d8b53fa206b6c4a
Opcode Fuzzy Hash: 08bc406efd63f08c19de69d1fc7ffe98f08b5a130667aaac925825b95426b02a
Instruction Fuzzy Hash: 54900261B0550402D1407198542C706405997D0202F95D011A0064554DC6598B5967E1

Function 01992CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3450048020c2e0dcf8e048dfcc6df701cc0d88cbf0d2ae105da7892a5713c90
Instruction ID: 9d1b6ed9db16871c235501a50bf209189b346c098986bb9ccdd2f05ca4f0b3fc
Opcode Fuzzy Hash: c3450048020c2e0dcf8e048dfcc6df701cc0d88cbf0d2ae105da7892a5713c90
Instruction Fuzzy Hash: D990027170150403D1007198551C707404997D0202F95D411A0464558DD65689556261

Function 01992C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2ad07cc096e4441dde588ed14216a0050666b9cce6322c1f6539c035f0f12d
Instruction ID: 533454700c8a3aedbc6d257f6238ca777c96445d83cf6ce3e50f90487fbbd28a
Opcode Fuzzy Hash: 4b2ad07cc096e4441dde588ed14216a0050666b9cce6322c1f6539c035f0f12d
Instruction Fuzzy Hash: B890027170150842D10071984418B46404997E0302F95C016A0164654DC615C9557661

Function 01992FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da14c71ba0a2ff8dccf51e14ecf65ab40b79b1473f5301cd01adae461bd034de
Instruction ID: 7dac568ba502abc8e045f1b13ac0dfeb71f50a9deb39bb6ad2b4276faf6323de
Opcode Fuzzy Hash: da14c71ba0a2ff8dccf51e14ecf65ab40b79b1473f5301cd01adae461bd034de
Instruction Fuzzy Hash: F490027170190402D1007198481C747404997D0303F95C011A51A4555EC665C9956671

Function 01992F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7ab84e89fccdef74031bdf5d9b20abba635e55746d0c405199e0eb6305ca56
Instruction ID: 318e7a4e7eeed4903f82a50fbda4cc919121457340f663d8512c0f65a85ccc80
Opcode Fuzzy Hash: ac7ab84e89fccdef74031bdf5d9b20abba635e55746d0c405199e0eb6305ca56
Instruction Fuzzy Hash: 5D9002A171150042D10471984418706408997E1202F95C012A2194554CC5298D655265

Function 01992EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71515cc16c0e1da65fbf1ac05c813dfd8319215c2fd113e3f9aedaf623353a8f
Instruction ID: 2b3fe38929ba2718d0338c9bc1f8d35fc3b30ed5977908a50e34551ce84d06ee
Opcode Fuzzy Hash: 71515cc16c0e1da65fbf1ac05c813dfd8319215c2fd113e3f9aedaf623353a8f
Instruction Fuzzy Hash: C09002A170190403D14075984818607404997D0303F95C011A20A4555ECA298D556275

Function 01992E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff513e69a756c484f365412e38ca16a1328d42b8f1a90373b5bac4d029aea0a9
Instruction ID: f87c383f2b9eb977250c61da6c67aa0b8af06b12a919ae42591bc5196adab9a8
Opcode Fuzzy Hash: ff513e69a756c484f365412e38ca16a1328d42b8f1a90373b5bac4d029aea0a9
Instruction Fuzzy Hash: 1C90026170150402D10271984428606404DD7D1346FD5C012E1464555DC6258A57A272

Function 01993090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189e760a3dd96a60b02992963ca8dc7f40f0d375519b6d94fca86b407222dd18
Instruction ID: e90cee68d54bd36a842a7d473d925389249043987d0d942cdc0dc270477fdf2d
Opcode Fuzzy Hash: 189e760a3dd96a60b02992963ca8dc7f40f0d375519b6d94fca86b407222dd18
Instruction Fuzzy Hash: 6A90026174150802D14071988428707404AD7D0602F95C011A0064554DC6168A6967F1

Function 01993010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff91f59bcce60e43eb46233ca1bae7492548aa2e025c9d5e842af956f09719aa
Instruction ID: 1771929bf270325f9787aed555c3cadbbe2070a4f7da8eeb6b8e047687b4aaf6
Opcode Fuzzy Hash: ff91f59bcce60e43eb46233ca1bae7492548aa2e025c9d5e842af956f09719aa
Instruction Fuzzy Hash: FC90026170194442D14072984818B0F814997E1203FD5C019A4196554CC91589595761

Function 019935C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3de9794eb52d3335c3cabf1c92996fd88c40af89f5a4c1056bb12960fa8a0d
Instruction ID: 7033bf1eb5001d1e620d0cc911df86463199244f585eb389b7fe089823abdc97
Opcode Fuzzy Hash: 0d3de9794eb52d3335c3cabf1c92996fd88c40af89f5a4c1056bb12960fa8a0d
Instruction Fuzzy Hash: 65900271B0560402D10071984528706504997D0202FA5C411A0464568DC7958A5566E2

Function 019939B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a563835287ad6084215633b5ebe1f53fba1d4caaabc8f837321f7418f3c758
Instruction ID: 91b65553716d49c4d39f0114b9986384998d59480bb7fb3fd1033f4d524c3ccb
Opcode Fuzzy Hash: 21a563835287ad6084215633b5ebe1f53fba1d4caaabc8f837321f7418f3c758
Instruction Fuzzy Hash: 8E90026174555102D150719C44186168049B7E0202F95C021A0854594DC55589596361

Function 01993D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc069dfd215bbd4ec962d12bf28fe7e9967305d2e943279bbd2c55f01e56333
Instruction ID: 736e3676dba4c4082f84199a456085fcf13b2446c8e296ad76bd00be6b94d3f7
Opcode Fuzzy Hash: 9fc069dfd215bbd4ec962d12bf28fe7e9967305d2e943279bbd2c55f01e56333
Instruction Fuzzy Hash: E290027170250142954072985818A4E814997E1303BD5D415A0055554CC91489655361

Function 01993D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5fa3752f525aece054d805bf149db48452b599f360a9587ee11a7bd03a7c42
Instruction ID: ed7bca458b97ddd118424414a178428893f73c936fe5ed040b41b0a568a9c94c
Opcode Fuzzy Hash: 9b5fa3752f525aece054d805bf149db48452b599f360a9587ee11a7bd03a7c42
Instruction Fuzzy Hash: B190027570150402D51071985818646408A97D0302F95D411A0464558DC65489A5A261

Function 01992C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 7a00fcf93b200d74de1a35d1a82e9d9337a02671a5a61cb5fd6d50638bfbeb86
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01992890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0199293C
___swprintf_l.LIBCMT ref: 0199295E
___swprintf_l.LIBCMT ref: 019929A3
___swprintf_l.LIBCMT ref: 019CA52E

Strings

ffff:, xrefs: 019CA504
::%hs%u.%u.%u.%u, xrefs: 019CA527
:%u.%u.%u.%u, xrefs: 019CA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 019CA54E

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: edb8e566cd565c9e0d591cd309ff1551d870964dc9dbd25027f07bba409dfa27
Instruction ID: db77bb7d7daef24a02b7ac60e4c6908c8c514864428081093c3fd8bd3e7ba19f
Opcode Fuzzy Hash: edb8e566cd565c9e0d591cd309ff1551d870964dc9dbd25027f07bba409dfa27
Instruction Fuzzy Hash: 9D51F7B1A00156BFDF11DFAD898097EFBB8BB58241754C529E4ADD7641E334EE0087E1

Function 01A02410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A024A6
___swprintf_l.LIBCMT ref: 01A024E2
___swprintf_l.LIBCMT ref: 01A0257D
___swprintf_l.LIBCMT ref: 01A025A3
___swprintf_l.LIBCMT ref: 01A025C8
___swprintf_l.LIBCMT ref: 01A02608

Strings

ffff:, xrefs: 01A0247D, 01A0249D
::ffff:0:%u.%u.%u.%u, xrefs: 01A024DA
:%u.%u.%u.%u, xrefs: 01A025FF
::%hs%u.%u.%u.%u, xrefs: 01A0249E

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b5c389d3347938a3be0dfbb0b565a3ca1278be796011d5f413acbfea1b6cfa7c
Instruction ID: fbc852d42ae8c59cc7cf82077202490277418d188cd8c9124e7b44a0df5dae2c
Opcode Fuzzy Hash: b5c389d3347938a3be0dfbb0b565a3ca1278be796011d5f413acbfea1b6cfa7c
Instruction Fuzzy Hash: 7C510671A00745AFDB32DF6DD894A7EBBF8EB44300B44846BE4DAD3682D675EA008760

Function 01987630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 019C4742
ExecuteOptions, xrefs: 019C46A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 019C4787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 019C4725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 019C4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019C46FC
Execute=1, xrefs: 019C4713

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 391e1708f85d4363476a0003d6ed807331fc49689e267b408236287d032880e7
Instruction ID: 4608478e919d7a887ce20e8e92a43c3558ab99a0c62a2e4124acd313fbf81557
Opcode Fuzzy Hash: 391e1708f85d4363476a0003d6ed807331fc49689e267b408236287d032880e7
Instruction Fuzzy Hash: 65513A35A0020A7BEF25BBE8DC95FAE77ACEF94704F1400A9D60DA7190D7719A41CF51

Function 0199B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0199B6BF

Strings

-, xrefs: 0199B650
+, xrefs: 0199B65A
0, xrefs: 0199B695
0, xrefs: 0199B66F

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 578a2b6046ab164701e0931806307f52b43271bfaadda4a10d4d4b369dbb9b11
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 7581F530E052499FEF25CE6CE890FFEBBB5AF44321F184619D85BA7681C7389840C752

Function 01A020E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A0214F
___swprintf_l.LIBCMT ref: 01A02172

Strings

[, xrefs: 01A0212B
]:%u, xrefs: 01A02169
%%%u, xrefs: 01A02146

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 745756d6078297819b57e025f64f6ebb3eaa2cdaf3b6367c5df8a77f40649a9c
Instruction ID: 3fc74207dcbcacbb4ecb9c9e3b826f4ddc630259b6ee9fb670651c580cb2b720
Opcode Fuzzy Hash: 745756d6078297819b57e025f64f6ebb3eaa2cdaf3b6367c5df8a77f40649a9c
Instruction Fuzzy Hash: 6621657AE00319ABDB11DF79DC44AEE7BF8EF94744F440116E905D3240E730DA058BA1

Function 0197F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 019C031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019C02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019C02BD

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 76adfae4ad9759b958169cb58ed90c52f5050d5d61234feff2971450cb9b1cb9
Instruction ID: 5870da949871d91a95f338cac9b34b6825d89df7d9b52f6497c5b15cabc23f6c
Opcode Fuzzy Hash: 76adfae4ad9759b958169cb58ed90c52f5050d5d61234feff2971450cb9b1cb9
Instruction Fuzzy Hash: B6E1CD34604742DFDB25CF28C884B2ABBE4BF88714F180A2DF5A99B2E1D774D945CB42

Function 0198BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 019C7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 019C7B7F
RTL: Resource at %p, xrefs: 019C7B8E

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 19b944880fc121070f87a681ed099a10794cf9c3f09110fc84065520ea5365a2
Instruction ID: 4e3754661b592d163e694e4d21b0cca481da5f352fb3734eb6e0ef9f232e4489
Opcode Fuzzy Hash: 19b944880fc121070f87a681ed099a10794cf9c3f09110fc84065520ea5365a2
Instruction Fuzzy Hash: 6741E3357007029FD725EE29C841B6AB7E9EF98711F040A1DFA9E97281DB31E405CF91

Function 0198B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019C728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 019C7294
RTL: Re-Waiting, xrefs: 019C72C1
RTL: Resource at %p, xrefs: 019C72A3

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: dbc1af88f5d1d28db0ffa981eb34eb19a907260be05e0ff1a76017964b5d5af9
Instruction ID: 7aea5682d61da72ebc641fd8ceac6c318e3eb544581120667120c7e82a83b3f1
Opcode Fuzzy Hash: dbc1af88f5d1d28db0ffa981eb34eb19a907260be05e0ff1a76017964b5d5af9
Instruction Fuzzy Hash: ED410531700206ABD725DE69CC42F66B7A5FB94B11F140A1DF99ED7240DB20F802CBD1

Function 01A02300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A0238D
___swprintf_l.LIBCMT ref: 01A023B3

Strings

%%%u, xrefs: 01A02384
]:%u, xrefs: 01A023AA

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: cdec5ab30d6683d7999b69d1f918cec8b31aacad90eb5dc410a799da052b3334
Instruction ID: 6920219b5584d9f859aa499d5ea22f58edfeeeaeb5f5e50389b0908d68c19501
Opcode Fuzzy Hash: cdec5ab30d6683d7999b69d1f918cec8b31aacad90eb5dc410a799da052b3334
Instruction Fuzzy Hash: 78318676A002199FDB21DF2DDC54BEEB7F8EB44710F44455AE949E3280EB30AA458BA1

Function 01997D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01997E8B

Strings

+, xrefs: 01997DE8
-, xrefs: 01997DDD

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 7e7e5613dfe1c843749daa44f02b8367b4e722c457afef5b644856eb7c184780
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 4891A771E1020A9BEF28DFDDC881ABEBBA9AF45721F14451AE95DA72D0DF3099408F11

Function 01959126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01959191
@, xrefs: 01959175

Memory Dump Source

Source File: 00000003.00000002.2239793292.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_file.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 66ac6cf9b84cb825d1d3ede487155180eb64293030a8fb5bb55114cb94fd8504
Instruction ID: b9a0cb05a0a4d9a8225b12a7afee9a73c560b662bcf02dd94aadfa07a726a02d
Opcode Fuzzy Hash: 66ac6cf9b84cb825d1d3ede487155180eb64293030a8fb5bb55114cb94fd8504
Instruction Fuzzy Hash: 338109B5D00269DBDB71CB54CD44BEABAB8AB48754F0041EAAA1DB7240D7709E85CFA0

Analysis Process: explorer.exePID: 1028, Parent PID: 6580COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	15

Executed Functions

Function 1112BF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 1112C12E
setsockopt.WS2_32 ref: 1112C830
recv.WS2_32 ref: 1112C859

Strings

tion, xrefs: 1112C331
&br=, xrefs: 1112C509
Co, xrefs: 1112C323
ose, xrefs: 1112C33F
nnec, xrefs: 1112C32A
dat=, xrefs: 1112C290
&sql, xrefs: 1112C471
GET , xrefs: 1112C318
&un=, xrefs: 1112C4F1
: cl, xrefs: 1112C338

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: ea0ac61a05b0770b84fa54afacb2a186d2b952096574b59642adeaeaa13f55b0
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 14529D30618A498FDB19EFA8C4847EAF7E1FB54304FA0462EC59FC7142EE30A549CB85

Function 1112B232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 1112B449

Strings

`, xrefs: 1112B41D

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: f0f67f71d67a394cdfab6d7a6a2c9c9f859a55ced53e7c40312078cf4b66f48f
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 26225970A18A0A9FDB59DF28C4956AEF7E1FB98305F91022EE45ED3250DB30A451CB86

Function 1112CE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 1112CE67

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 0dc6c776c8ba1daaf17f387df7b75b5f6da7e2be99594c2f6b9e653fd25187f8
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 6101B534628B484F8788DF6CD48012AB7E4FBCD314F000B3EE59AC3250E774C5414742

Function 1112CE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 1112CE67

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 1538e73134467a22be1164a8dea3c52a4f3661dd1ca9ffd63cda3906c57efcd5
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: DB01A234628B884B8B48EF6C94412A6B7E5FBCE314F400B3EE9DAC3240EB25D5024782

Function 111268C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 111269A0

Strings

nt: , xrefs: 1112691E
on.d, xrefs: 11126902
urlmon.dll, xrefs: 11126959
User-Agent: , xrefs: 11126935, 11126948

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 41656b735b0acdb575ce1cf07d3a810631be5e4d5f31fefbaa56da75dc729127
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 4E31D131614A0D8FCF04EFA8C8847EDBBE1FB58209F90422AD44ED7250EE789645C789

Function 111268BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 111269A0

Strings

nt: , xrefs: 1112691E
on.d, xrefs: 11126902
urlmon.dll, xrefs: 11126959
User-Agent: , xrefs: 11126935, 11126948

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 6ff4082aacd7d201e904a83c21db454a611a506f96e606f71c57ffee3d9ab835
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: A321A270614A4D8FCF05EFA8C8847EDBBE1FF58209F90422AD45AD7250EF789645CB89

Function 11122B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 11122CCA

Strings

el32, xrefs: 11122BA0
kern, xrefs: 11122B99
.dll, xrefs: 11122BCD

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: ec19d6fe8c282554bdf16dfa415bb7f5e24706fb231fbda24ed495d6d718ca0e
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 64416A74918A088FDB44EFA8C8987EDB7F0FF58304F90417AC84ADB255EE349945CB85

Function 11122B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 11122CCA

Strings

el32, xrefs: 11122BA0
kern, xrefs: 11122B99
.dll, xrefs: 11122BCD

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: a92f91546bc7c676e68da1ba556f62f4d70f4825a4f89bfeadd4804744ba31d5
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: DC413974918A088FDB84EFA8C4987EDB7F0FB58304F50416AC84ADB255EE349945CB85

Function 1112872E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 11128791

Strings

ect, xrefs: 11128761
conn, xrefs: 1112875A

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 3b3281d80f88f505067552a3dd8555c439ac3b51b898575df2865b8aae5cee77
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 25015A70618B188FCB84EF1CE088B55B7E0FB58324F1545AEE90DCB226CA74D8818BC2

Function 11128732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 11128791

Strings

ect, xrefs: 11128761
conn, xrefs: 1112875A

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: b9f0e6bebdf01fa9b319e74ca72ea7032560c0b7ff846221f048ba1154aadefb
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: C0014F70618A1C8FCB84EF5CE088B55B7E0FB59314F1541AEE80DCB226CB74C9818BC2

Function 111286B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 11128713

Strings

send, xrefs: 111286DA

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 47268f9486db7c2f9ad30ad597b01b02baa540031a6e9a345847c3d09ae63fed
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 0F012570618A1D8FDBC4DF1CD048B15B7E0FB58314F5545AED85DCB266D670D881CB85

Function 111285B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 11128611

Strings

sock, xrefs: 111285D9

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: fb665d0427878bad232ee497b786b8ddc295dc8314770e8b26cebe596f16ed86
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 5E014F70618A1C8FCB84EF1CE048B54BBE0FB59314F1545AEE85ECB266D7B4C981CB86

Function 111202DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 1112032D

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 4f8a1b1e47f7c3eb5849cd7eea454ee4374d4accd8a857bdfd2665ba70579f54
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 54315C74618B4ADFDB58DF298088296F7A2FB54304FA4437EC95DCA106CB74A450CFD2

Function 11120412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 11120461

Memory Dump Source

Source File: 00000004.00000002.4638030924.0000000011090000.00000040.80000000.00040000.00000000.sdmp, Offset: 11090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11090000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 957fb75ebd91e97208db33acbeccbaeb3ae36fb4c221e9bf0774fcdb1360174a
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 4FF0F634268A494FDB88EF2CD48563AF3E0FBE8219F81463EE58DC3264DA79D5814716

Non-executed Functions

Function 10613D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

user, xrefs: 10613F03
el32, xrefs: 10613F27
M, xrefs: 10614082
32.d, xrefs: 10613F0B
ll, xrefs: 10613F13
wini, xrefs: 10613F72
net., xrefs: 10613F44
.dll, xrefs: 10613F2F
S, xrefs: 10614073
dll, xrefs: 10613F4C
kern, xrefs: 10613F5A

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 45b94776339d5ae5866e2a18bc6426fbb6e0ac487731278d1d2857cc4d8456c1
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 32E15C74518F488FC7A4DF68C4857AAB7E0FF98300F504A2EA59BCB255DF30A581CB89

Function 10616792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

rnam, xrefs: 106168B5
dPas, xrefs: 106168E2
swor, xrefs: 106168EA
name, xrefs: 1061687D
Subm, xrefs: 10616855
ypte, xrefs: 106168DA
itUR, xrefs: 1061685D
guid, xrefs: 106167CE
Fiel, xrefs: 10616884
encr, xrefs: 1061689D
form, xrefs: 1061684D
ypte, xrefs: 106168A5
e, xrefs: 106168BD
dUse, xrefs: 106168AD
user, xrefs: 10616876
encr, xrefs: 106168D2
d, xrefs: 106168F2

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: ccb11f9a660e68d2779b6e6a94380ced3b84612ce6ac28aad9664e3cb2f6d96e
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 4CB19C34518B488EDB54EF68C486AEEB7F1FF98300F50452EE49ACB251EF70A545CB86

Function 10614622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

i, xrefs: 1061469E
n, xrefs: 106146C1
c, xrefs: 10614697
n, xrefs: 106146BA
e, xrefs: 1061466D
l, xrefs: 10614682
w, xrefs: 106146B3
p, xrefs: 10614690
s, xrefs: 10614689
2, xrefs: 10614674
l, xrefs: 106146AC
u, xrefs: 10614661
d, xrefs: 106146CF
d, xrefs: 106146A5
d, xrefs: 1061467B
t, xrefs: 106146C8
l, xrefs: 106146D6

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 5f27b7572b09fc825868d249608d390621e9e2e0769c1e5a31ac0b5b6f1a7f47
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: D641B270A18B088FDB54DF88A44A6AD7BE2FB88700F40026EE409D7245DF75AD858BD6

Function 1061BAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

c, xrefs: 1061BC0B
[, xrefs: 1061BC90
], xrefs: 1061BC3D
[, xrefs: 1061BC66
l, xrefs: 1061BCE2
b, xrefs: 1061BC73
D, xrefs: 1061BCDA
[, xrefs: 1061BC2D
], xrefs: 1061BCA8
l, xrefs: 1061BC35
[, xrefs: 1061BBF6
e, xrefs: 1061BCA0
[, xrefs: 1061BCCD
n, xrefs: 1061BC98

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 8af887de6d30f051e4e4cbc9b21a0049d6274bdc75a03d24b662edef5ddd8eee
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 1BC15B74618B098FC798EF28D8866DAF7E1FF94304F40461EA59ACB210DF70E5558B8A

Function 1061BF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

c, xrefs: 1061BFC8
r, xrefs: 1061BFC0
., xrefs: 1061BF63
r, xrefs: 1061BFB0
r, xrefs: 1061BF90
0, xrefs: 1061BF5B
r, xrefs: 1061BF88
r, xrefs: 1061BFB8
r, xrefs: 1061BFA0
n, xrefs: 1061BF6B
r, xrefs: 1061BF98
r, xrefs: 1061BFA8

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: fc7603d497f5cfaed03c2f617b24a0d579cd46c9a8f174136109231e2fbf6c86
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 4251C4305187488FD749DF18D8816AEB7E5FBC5710F50192EE8CBCB246DBB4A946CB82

Function 106152F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 106154DB
dragon_s.dll, xrefs: 10615614
l, xrefs: 106154E2
cli., xrefs: 10615327
nspr, xrefs: 106154D4
opera_browser.dll, xrefs: 10615629
dll, xrefs: 1061532E
sspi, xrefs: 10615320

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 31e238955881bc57d58ddf968ba2bb6e19364dcc0a9e165dba3e6c86bbaa5ae9
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: B8C19174619A198FC788EF68D896AEAF3E1FBD4300F454369945ACB250DF30E98187C9

Function 106152F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 106154DB
dragon_s.dll, xrefs: 10615614
l, xrefs: 106154E2
cli., xrefs: 10615327
nspr, xrefs: 106154D4
opera_browser.dll, xrefs: 10615629
dll, xrefs: 1061532E
sspi, xrefs: 10615320

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 76cd700664564cb5153ad5386347ff7cee16d28384184c151afc6fc4c446485b
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 5AC19274619A198FC788EF68D896AEAF3E1FBD4300F454369945ACB250DF30E981C7C9

Function 10616CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

L: , xrefs: 10616D66
User, xrefs: 10616DAB
name, xrefs: 10616DB2
Pass, xrefs: 10616D97
word, xrefs: 10616D9E
2, xrefs: 10616DE1
UR, xrefs: 10616D5F

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 761d4c3e57da7b2d50d77922fd1d5ec57234b2b8354a2856eeed0ea1be7f5df1
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 8DA1BE746187488FDB58DFA894457EEB7F1FF98300F00462DE48ADB291EF7099858789

Function 10616CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

L: , xrefs: 10616D66
User, xrefs: 10616DAB
name, xrefs: 10616DB2
Pass, xrefs: 10616D97
word, xrefs: 10616D9E
2, xrefs: 10616DE1
UR, xrefs: 10616D5F

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: dede862ca584169070ead969f4d1956a6229857a8eb24f92c4b7e1d3d7f77166
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: E3919E746187488FDB58DFA8D444BEEB7F1FB98300F00462EE48ADB251EF7499858789

Function 10616352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

e, xrefs: 1061648E
n, xrefs: 106163E7
, xrefs: 1061647C
v, xrefs: 106164A0
., xrefs: 106163B0

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 7c268067536bd54585888f410be63e4afbc2b97259c75ba1a80de00e55125b09
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: C971B5356187498FD754EFA8C4857AEB7F1FF98304F00062EE44ACB261EB71E9458B85

Function 10611C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

shel, xrefs: 10611C90
l32., xrefs: 10611C97
2.dl, xrefs: 10611C64
ole3, xrefs: 10611C5D
dll, xrefs: 10611C9E

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 99ccfc81ca312587e440c99ac3ff994ab6a6b6a8fb4097ccc65051dede43c0f2
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 855140B4914B4C8FDB94DFA4C0456EEB7F1FF58300F40462EA49ADB214DF70A5818B89

Function 1061286F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

ion., xrefs: 106128EC
dll, xrefs: 106128F4
\, xrefs: 106129E0
vers, xrefs: 106128E4
4, xrefs: 106129E9

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 1171ec90c99148693eec7d43e3ef1ae9bc1a6661d63a11bb52bcd5cb37e53edb
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 99417F34219B498FDBA5EF2898457EA77E0FFD8311F41462E985ECB240EF30D9858782

Function 106144B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 10614515
user, xrefs: 106144D3
sspi, xrefs: 1061450E
dll, xrefs: 1061451C
32.d, xrefs: 106144DA

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 805439b729bd3a982c4ed103128554de46eacff8fcaddd2fd77c01419dd818ec
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 1E414E30A19E0D8FCB94EF6880957ED77E2FB98340F51456AA80EDB250DE71D9818BC6

Function 10612432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 1061252A
.dll, xrefs: 1061253F
h, xrefs: 1061251F
el32, xrefs: 10612537

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 3e3c8d92a8991e40ba56dda037447ab7bc1c6ef3b5f59749469ed6b28fe95182
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 2B4193B0608B4D8FD798DF28C0943AABBE1FBD8300F104A2E949EC7255DB70D985CB45

Function 106190B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

, xrefs: 10619184
Snif, xrefs: 10619154
om:, xrefs: 10619146
f fr, xrefs: 1061913D

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 3f02e10fa4f1d2c867eea4e560284d488af1f3d779ccfde4b682bf53c56824ca
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 5231023550DB886FC75ADB28C4856DAB7D4FBD4300F50491EE49BCB252EE30A68ACB47

Function 106190C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 10619184
Snif, xrefs: 10619154
om:, xrefs: 10619146
f fr, xrefs: 1061913D

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 48d19b5a525c757158f55e9efd88c91f0568e71710b5a5372efd074f12fe9024
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 32310135409B486FC359DB28C485AEAB7D4FBD4300F40491EE49BCB241EE30E58ACB87

Function 10614FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 10614FFE
chro, xrefs: 10615023
hild, xrefs: 10614FF6
me_c, xrefs: 10614FEE

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 03f398ff2db099c01b340792aaef6521310b39a5041f4a9f030286d85892f55a
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 1C316B74219B488FC7C4EF688495BAAB7E1FFD8300F84466DA44ACB214DF30D985C796

Function 10614FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 10614FFE
chro, xrefs: 10615023
hild, xrefs: 10614FF6
me_c, xrefs: 10614FEE

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 9ab85b40caa300065a6f2a5f35b76d3cbed74d57859818ddfb13696cf7d569d7
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: BF317C74219B488FC7C4DF688495BAAB7E1FFD8300F84466DA44ACB254DF30D985C796

Function 106178C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10617935, 10617948
on.d, xrefs: 10617902
nt: , xrefs: 1061791E
urlmon.dll, xrefs: 10617959

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: a21327f238652d98799eda516b1633eb58f652d11782984a311788cf3972504d
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: E831B131614A4C8BCB44EFA8C8857EDBBE1FF98215F40422AE45EDB240DE789685C799

Function 106178BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10617935, 10617948
on.d, xrefs: 10617902
nt: , xrefs: 1061791E
urlmon.dll, xrefs: 10617959

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: f941697767e0afa113461a6217c9765d19afef5c3405e5a74185eb6faa783ab9
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 5B21E670A10A4C8BCB45EFA8C8857ED7BF1FF98245F40422AE45ADB240DF749685C799

Function 10618E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 10618EF4
l, xrefs: 10618F03
l, xrefs: 10618F26
., xrefs: 10618F1F

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 3be43249164254cc782e3ae46cefc780fc32c431e4d8a6e8414fe335f1bbaa9a
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 5E217C74A24A0D9FDB44EFA8D4457AEBAF0FF98310F50462EE009D7600DB74E5918B88

Function 10618E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 10618EF4
l, xrefs: 10618F03
l, xrefs: 10618F26
., xrefs: 10618F1F

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 56e7fe8320bf1d0b9f710557144c89eb2f07b54371b3d9f66440362017ac2e5b
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 7F218B74A24A0D9BDB48EFA8D4457EEBBF0FF98310F50462EE009D7600DB74E5918B88

Function 10618FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 10619022
logi, xrefs: 1061903C
auth, xrefs: 1061902F
user, xrefs: 10619015

Memory Dump Source

Source File: 00000004.00000002.4637169082.00000000105B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: b54f185b887cf57342b307f70be208cb6907ecc3c33901155136f59e9f50b898
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 5E21CD30614B0D8BCB45CF9998916DEB7E5FFC8354F004629E40AEB244D7B0E9948BC6

Analysis Process: svchost.exePID: 5328, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	0%
Total number of Nodes:	623
Total number of Limit Nodes:	75

Executed Functions

Function 032AA036 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 032AA19F

Strings

0, xrefs: 032AA227

Memory Dump Source

Source File: 00000005.00000002.4622052732.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_32a0000_svchost.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: f2615dac4286c443dec52dbf714f77c7ac8f97a1eb335752eac04c7432134154
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: A5F12174928E8D8FDBA5EF68C894AEEB7E0FF98304F40462AD44ADB250DF749541CB41

Function 032A9BAF Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 227
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 032A9C93
NtMapViewOfSection.NTDLL ref: 032A9CFF
NtClose.NTDLL ref: 032A9DC5

Strings

@, xrefs: 032A9C8B
@, xrefs: 032A9D0C

Memory Dump Source

Source File: 00000005.00000002.4622052732.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_32a0000_svchost.jbxd

Similarity

API ID: Section$CloseCreateView
String ID: @$@
API String ID: 1133238012-149943524
Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction ID: 1b25c180b8b1e974cd838327625ebc876be82c683c8d77bb08a5be7cb7053a02
Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction Fuzzy Hash: 59618070118B0D8FCB58EF6CD8856AABBE0FB98314F50062EE58AC3651DB75D481CB86

Function 032A9BB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 032A9C93
NtMapViewOfSection.NTDLL ref: 032A9CFF

Strings

@, xrefs: 032A9C8B
@, xrefs: 032A9D0C

Memory Dump Source

Source File: 00000005.00000002.4622052732.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_32a0000_svchost.jbxd

Similarity

API ID: Section$CreateView
String ID: @$@
API String ID: 1585966358-149943524
Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction ID: 0c88e4b79a795d6fdabc35908b738b45f6d223bb3fc6dd6732efcdd6c23f4fae
Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction Fuzzy Hash: 29517E70618B098FC758DF1CD8956AABBE0FB88314F50062EE98AD3651DF75D481CB86

Function 0090A2A3 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.z`, xrefs: 0090A36D, 0090A378

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: .z`
API String ID: 0-1441809116
Opcode ID: 7212a5d963adee6ff241b84297e6b89c15a6e605597f0995087de2ee3110b9eb
Instruction ID: 8c03635a29f1691458b1d8727bde21d59603f28543d2ab68824b01f60c9d0b09
Opcode Fuzzy Hash: 7212a5d963adee6ff241b84297e6b89c15a6e605597f0995087de2ee3110b9eb
Instruction Fuzzy Hash: 765128B2210209AFCB18DF98DC85EEB77ADEF8C754F158259FA1D97241D630E811CBA4

Function 032AA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 032AA19F

Strings

0, xrefs: 032AA0CD

Memory Dump Source

Source File: 00000005.00000002.4622052732.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_32a0000_svchost.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: 04b8cd63c262f93f7879d4a55d5c5494fbfe4c48da85b9ef9895b2d5230ed3ed
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: 35514E74928A8C8FDB69EF68C8946EEB7F4FB98304F40462ED44AD7210DF709645CB41

Function 0090A330 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00904BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00904BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0090A37D

Strings

.z`, xrefs: 0090A36D, 0090A378

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 6f6483aedd9dc81cdbb76e78d334ad0595870f2ec6d277b600521963c89ce434
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 02F0B2B2211208AFCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4

Function 0090A3DA Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00904D72,5EB65239,FFFFFFFF,00904A31,?,?,00904D72,?,00904A31,FFFFFFFF,5EB65239,00904D72,?,00000000), ref: 0090A425

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d13e00c1f6657e3b21b80af4dc18026b2258d55157fbf7133e6e4248a401b234
Instruction ID: faaf7eba521b5610405336221ad016b7f8c9d9f8fe3665c5f46f91f620116460
Opcode Fuzzy Hash: d13e00c1f6657e3b21b80af4dc18026b2258d55157fbf7133e6e4248a401b234
Instruction Fuzzy Hash: 6FF0FFB2210109AFCB14DF99DC80EEB77A9EF8D354F158249FE5D97291C630E811CBA0

Function 0090A3E0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00904D72,5EB65239,FFFFFFFF,00904A31,?,?,00904D72,?,00904A31,FFFFFFFF,5EB65239,00904D72,?,00000000), ref: 0090A425

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 177ba71f9bcf64292854e5cccc3614939239606dc105a69b1ca6c9578431469a
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 69F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241DA30E811CBA0

Function 0090A50A Relevance: 1.5, APIs: 1, Instructions: 34memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,008F2D11,00002000,00003000,00000004), ref: 0090A549

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1efae2e980684d38a3aebc590013a1db399dce769eae256027f130b4e774eee9
Instruction ID: 536210393c1078ecac676167f766ce03fefc3412c6b0b411dfa36674692c04e4
Opcode Fuzzy Hash: 1efae2e980684d38a3aebc590013a1db399dce769eae256027f130b4e774eee9
Instruction Fuzzy Hash: DDF082B6114149AFDB14DFA8DC85CAB77ACFF88224714865EF94C97202D634E815CBE1

Function 0090A510 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,008F2D11,00002000,00003000,00000004), ref: 0090A549

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 87ae6424408b6c3620a316988b5b2de5c9ffd488ec9838941f3ed1057947ef8e
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 35F015B2210208AFCB14DF89CC81EAB77ADAF88754F118149BE0897241C630F811CBE0

Function 0090A45A Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00904D50,?,?,00904D50,00000000,FFFFFFFF), ref: 0090A485

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 607e890920bd5f2d428ed4ea40f95587c4bbdddb528d958314eb13ec5f780734
Instruction ID: b708ff126e5bcbb0e1a324b32079409a6af4015f7b2e9a224ebfa76f439dedcd
Opcode Fuzzy Hash: 607e890920bd5f2d428ed4ea40f95587c4bbdddb528d958314eb13ec5f780734
Instruction Fuzzy Hash: 5EE08C762402006FE710DB989C84FEB7B99EF88360F104196BA1CDB291C530E5018690

Function 0090A460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00904D50,?,?,00904D50,00000000,FFFFFFFF), ref: 0090A485

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: c559783184c404aa5c7ef36298a6e78e736464b3f753be938d668d5468842b86
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 9ED01776210314ABD710EB98CC85FA77BACEF88760F154499BA189B282C930FA0086E0

Function 03472B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472B6A

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
Instruction ID: 7696a08e5a0c48e97cb664b4b09091bd128144885373470c9bf44bae4d9bad19
Opcode Fuzzy Hash: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
Instruction Fuzzy Hash: 86900261202404034105B258445465A400BC7F0301B95C022E1014994DC72589916129

Function 03472BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472BEA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 56c43f02746c319b28b8f694ab1669c35885a25df32d35be58ac5247bd37f954
Instruction ID: 5cb4092ec6905c91303e444233e23db69c8a7823047fe6b16d9bf8a262b4ba3a
Opcode Fuzzy Hash: 56c43f02746c319b28b8f694ab1669c35885a25df32d35be58ac5247bd37f954
Instruction Fuzzy Hash: 7F90023120544C42D140B2584444A8A0016C7E0305F95C012A0064A98D97258E55B665

Function 03472BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472BFA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae6dae04a31183f797cd141bcc70c21eabe959961fb1413dbc5ba4a2e4001053
Instruction ID: bfb556593fc9188f6595328e0eef3940e6ea9b95108cc597480273b1cd83c652
Opcode Fuzzy Hash: ae6dae04a31183f797cd141bcc70c21eabe959961fb1413dbc5ba4a2e4001053
Instruction Fuzzy Hash: 0F90023120140C02D180B258444468E0006C7E1301FD5C016A0025A58DCB158B5977A5

Function 03472AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472ADA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22f7de448098a9f4c48f2a682c8f1ef755fbcfaa47434f822ea38d34894acd90
Instruction ID: 69daad7016237f5548ded85334c572891d3c2dbd83542f723c1ab4b59bccc68d
Opcode Fuzzy Hash: 22f7de448098a9f4c48f2a682c8f1ef755fbcfaa47434f822ea38d34894acd90
Instruction Fuzzy Hash: EA900435311404030105F75C074454F0047C7F53513D5C033F1015D54CD731CD715135

Function 03472F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472F3A

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6c46bb0a739b6535eca5193581950f4bb4144fe7aed55b0fd806c8cb6a62006
Instruction ID: c14d874ccc1f0c1e00700b0332997a2ac578efca10b798a98b9ae6454404502b
Opcode Fuzzy Hash: a6c46bb0a739b6535eca5193581950f4bb4144fe7aed55b0fd806c8cb6a62006
Instruction Fuzzy Hash: F090026134140842D100B2584454B4A0006C7F1301F95C016E1064958D8719CD52612A

Function 03472FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472FEA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 658390109daa7272b6d252a106a63f1ec800042c1589717b036c1192c10602ac
Instruction ID: 8578209f691f6f6d3f36360c5e96c9e92a940fe244bfb2d04a34e426fd988201
Opcode Fuzzy Hash: 658390109daa7272b6d252a106a63f1ec800042c1589717b036c1192c10602ac
Instruction Fuzzy Hash: 6B900221211C0442D200B6684C54B4B0006C7E0303F95C116A0154958CCB1589615525

Function 03472EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472EAA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7100db012def2b0bbbf263ce108f076d09d5a54425d3900cab2ba46494054c56
Instruction ID: 4abfbba142434adec4460873ee202493d5e6294d3ba8062f7428d1cf29506f5e
Opcode Fuzzy Hash: 7100db012def2b0bbbf263ce108f076d09d5a54425d3900cab2ba46494054c56
Instruction Fuzzy Hash: 2590027120140802D140B258444478A0006C7E0301F95C012A5064958E87598ED56669

Function 03472D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472D1A

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
Instruction ID: ffc033f7e1f6c6890b4aac20874f2776d581f4be96ba09313c4e47e33bd37ac5
Opcode Fuzzy Hash: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
Instruction Fuzzy Hash: D790022921340402D180B258544864E0006C7E1302FD5D416A001595CCCB1589695325

Function 03472DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472DDA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
Instruction ID: 59f5aeeb119ec5e2b9127aed687eddae7065d09bc08c4bfc827971450e953640
Opcode Fuzzy Hash: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
Instruction Fuzzy Hash: 60900221242445525545F258444454B4007D7F03417D5C013A1414D54C87269956D625

Function 03472DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472DFA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
Instruction ID: a81098e5722d36f428ef954467ae2455a47630f9ac59229d58944769b4d7c5f7
Opcode Fuzzy Hash: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
Instruction Fuzzy Hash: A890023120140813D111B258454474B000AC7E0341FD5C413A042495CD97568A52A125

Function 03472C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472C6A

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1515ba76762767aee053f2ff061a1d560423c64ed3c9c577a0706a4e807a2e5
Instruction ID: bac37f058a9e44e3df3b834c4ea919e15cc8c498e56e899edf1770c556259564
Opcode Fuzzy Hash: c1515ba76762767aee053f2ff061a1d560423c64ed3c9c577a0706a4e807a2e5
Instruction Fuzzy Hash: DA90023120140C42D100B2584444B8A0006C7F0301F95C017A0124A58D8715C9517525

Function 03472C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472C7A

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
Instruction ID: b67a08933cf5a815060eef9f3b48562ffb39c8f438640fc5365241e215c9c810
Opcode Fuzzy Hash: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
Instruction Fuzzy Hash: 5F90023120148C02D110B258844478E0006C7E0301F99C412A4424A5CD879589917125

Function 03472CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472CAA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
Instruction ID: 946a263a7d4d4efd4ba6c07d996a6645221cdf0dd07269b2c62c99fa2a5343fa
Opcode Fuzzy Hash: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
Instruction Fuzzy Hash: 4790023120140802D100B698544868A0006C7F0301F95D012A5024959EC76589916135

Function 034735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 034735CA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
Instruction ID: 4bca997d960333c53abf703bb35b18ff92955c10a8950eac8f555f58a6710de8
Opcode Fuzzy Hash: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
Instruction Fuzzy Hash: 2690023160550802D100B258455474A1006C7E0301FA5C412A042496CD87958A5165A6

Function 0090A632 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00904536,?,00904CAF,00904CAF,?,00904536,?,?,?,?,?,00000000,00000000,?), ref: 0090A62D
RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,008F3AF8), ref: 0090A66D

Strings

.z`, xrefs: 0090A65C, 0090A668

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: .z`
API String ID: 2488874121-1441809116
Opcode ID: 87f11f17c9e47369bcf62defdce248d39a183245fac82bbfd6175ab3ca7b6554
Instruction ID: 323b21507d6b48b6c266c7d1d83fed04b21d30507b3c4c109a5b27eb559b2a12
Opcode Fuzzy Hash: 87f11f17c9e47369bcf62defdce248d39a183245fac82bbfd6175ab3ca7b6554
Instruction Fuzzy Hash: FA01A9B62043096FCB14EF68CC40EAB77A8AF84324F048649FD28472C2CA30E8158AE1

Function 00909050 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 009090F8

Strings

net.dll, xrefs: 009090C1, 00909147, 0090911F, 0090912B, 00909153
wininet.dll, xrefs: 009090AE, 009090B7

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 9c89d7d9e5cfb316b55cac00c15b0ecfec1baaef424c38821462143a894a7fd3
Instruction ID: c8421f484435ca5de7f776dbfed639f0cc3654c596278b55db6172b933548a57
Opcode Fuzzy Hash: 9c89d7d9e5cfb316b55cac00c15b0ecfec1baaef424c38821462143a894a7fd3
Instruction Fuzzy Hash: 6A3183B2600645AFC714DF64C885F67B7B8BB88B00F10851DF66E9B286DA30B650CBA4

Function 00909046 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 009090F8

Strings

net.dll, xrefs: 009090C1, 0090911F, 0090912B
wininet.dll, xrefs: 009090AE, 009090B7

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: ad523ccd17645837cb36c4b88b3aa0b3f853db068b506f359b6b4799966fa44f
Instruction ID: 38a2ee5eb5e5d6d53b5692c2f31bc527b127b740d2813013956b33e56134be0b
Opcode Fuzzy Hash: ad523ccd17645837cb36c4b88b3aa0b3f853db068b506f359b6b4799966fa44f
Instruction Fuzzy Hash: BD21A5B1A04745AFC714DF64C885F67B7B8FB88B00F108119F62D9B286D774A550CBA5

Function 0090A640 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,008F3AF8), ref: 0090A66D

Strings

.z`, xrefs: 0090A65C, 0090A668

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: ee412f4f46668bb893c101bab27ef8eb869136d38a1c2c0436c1089f6e5676f6
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 0CE01AB12102046BD714DF59CC45EA777ACAF88750F014555BA0857241C630E9108AF0

Function 008F8309 Relevance: 3.1, APIs: 2, Instructions: 65
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008F836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008F838B

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ef2da66103b4a3d5a49156aef53fd6e375af0bb3d5397f9890b508c7931ce9fe
Instruction ID: dac814488a4d7316eadcb30e8b19884cf03b999b00920b71a05584ece425debe
Opcode Fuzzy Hash: ef2da66103b4a3d5a49156aef53fd6e375af0bb3d5397f9890b508c7931ce9fe
Instruction Fuzzy Hash: 2901D671A8021C7AE724A6A49C03FBE775CEB40F14F150159FF08FA1C1EAA5690542E6

Function 008F8310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008F836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008F838B

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
Instruction ID: d655fdb7883415f5dbd35a672105744882a7a5b0a8fbe21a53a0ebfc430dd7ca
Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
Instruction Fuzzy Hash: 0101A771A8022C7BE724A6A49C03FFE776CAB40F50F150115FF04FA1C1EAE4690546F6

Function 008FACE7 Relevance: 1.6, APIs: 1, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 008FAD62

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4ed6ad2336e631d943ccb6ad37d4b7ccb9270185f2795c60a41aaf75e0551ddd
Instruction ID: f6caf8c3a511689dc30db4d23a0ba246943441b72a13b549ee9e6fda34e0db2a
Opcode Fuzzy Hash: 4ed6ad2336e631d943ccb6ad37d4b7ccb9270185f2795c60a41aaf75e0551ddd
Instruction Fuzzy Hash: E50192B5E4020DAFDB14EAA0DC42FEDB374EB44318F0085A5EA0DDB281F671DA54CB92

Function 008FACF0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 008FAD62

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 3636e3a9751801566eaf6dfd273dd05dbb3e4ff0e807bdf2eb9b53839b04693d
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: 9E011EB5D4020DBBDB14EBE4DC42FADB378AB54308F0045A5AA0C97681F631EB54CB91

Function 0090A6B0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0090A704

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 5e13de818c711cf165b10ad711bb44a04af5d66f5582956758d09d6cf6bc0dda
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 1001B2B2210208BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Function 00909180 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,008FF050,?,?,00000000), ref: 009091BC

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4f83902cf84bfe80aa8c7587155ab907079ac7fc6e7109164a14c7151b30a6b9
Instruction ID: adb64dea43c7e971f417c9b8145daf79c3029853870ea4031757bcaf1934e184
Opcode Fuzzy Hash: 4f83902cf84bfe80aa8c7587155ab907079ac7fc6e7109164a14c7151b30a6b9
Instruction Fuzzy Hash: 57E06D773802043AE2306599AC02FA7B29C9B81B60F140026FA0DEA2C1D595F80142A4

Function 00909173 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,008FF050,?,?,00000000), ref: 009091BC

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c2976d00fe64920a9b5f86674ee3cca860b3483cad6226dd2ab101817555c6ad
Instruction ID: 09c0edf3f34f8638a29bf4f504141b4bc87ac016ca4ffea86ef882544241b792
Opcode Fuzzy Hash: c2976d00fe64920a9b5f86674ee3cca860b3483cad6226dd2ab101817555c6ad
Instruction Fuzzy Hash: 93F0E5763883403AE33126689C53FEB7B988F91B14F24016DF689EBAC3C5D5B441476A

Function 0090A600 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00904536,?,00904CAF,00904CAF,?,00904536,?,?,?,?,?,00000000,00000000,?), ref: 0090A62D

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 278977f848b4a79c885e5cc2c8cd3e7fdd6d5377a0098affdbe32171ac97c5d5
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 94E012B2210208ABDB14EF99CC41EA777ACAF88654F118559BA085B282CA30F9118AF0

Function 0090A7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,008FF1D2,008FF1D2,?,00000000,?,?), ref: 0090A7D0

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: d553a47b9681dbb657e78b6dfcc3b3f75333649e066c95670f05e3c5ddb2fc9f
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 43E01AB12102086BDB10DF49CC85EE737ADAF88650F018155BA0857241C930E8118BF5

Function 0090A7A4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,008FF1D2,008FF1D2,?,00000000,?,?), ref: 0090A7D0

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 95edc98251146c3eae3d976603692798308fa1a3d9a6a8ebd5aa79df187121b2
Instruction ID: eeb5e0bf53ecb83e3f8f26758062d9ee520d95ebbd12a11f5fba4e0bac2a873e
Opcode Fuzzy Hash: 95edc98251146c3eae3d976603692798308fa1a3d9a6a8ebd5aa79df187121b2
Instruction Fuzzy Hash: 03E08CB52042546BDB10DF55DC85ED73BA8DF85250F148699FD895B242C930E815CBB1

Function 008FF6C9 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,008F8D14,?), ref: 008FF6FB

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0d23d70bb9baddb0af895e253005b98580830fc823e92a0481ed2e18bceac5c5
Instruction ID: e129a70119d6cdde30787ff8b9ffbef2ff6403df38c73f662b189b4054b69783
Opcode Fuzzy Hash: 0d23d70bb9baddb0af895e253005b98580830fc823e92a0481ed2e18bceac5c5
Instruction Fuzzy Hash: 66D02B717502042EE714FBB48C13FA27784FF54740F090478F648D62C3ED10E0024110

Function 008FF6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,008F8D14,?), ref: 008FF6FB

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction ID: 966ee3bbf67ddc5b95ff64dec3c583bac6eed9ab21eb3c89b9124468d0e35376
Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction Fuzzy Hash: 0BD05E616503082AE610AAA49C03F263288AB54B00F490064FA48D62C3ED54E4004165

Function 0090A6AD Relevance: 1.5, APIs: 1, Instructions: 13processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0090A704

Memory Dump Source

Source File: 00000005.00000002.4620947600.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8f0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 2c13570853a0549ac4e63ff07224e047ddf061f3ffdaa3319d439306bec2269c
Instruction ID: 3c96f570c8ae9408f9039080417de0b50f267faddc97fbe97130119a413c4282
Opcode Fuzzy Hash: 2c13570853a0549ac4e63ff07224e047ddf061f3ffdaa3319d439306bec2269c
Instruction Fuzzy Hash: 7AC002B62141056F9714DE99AC40CB773ADAB882107148909B95DC2140C53698508B64

Function 03472C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472C24

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 361699771760aa7245790f27e8a9b46a8e6ad34475901b572e98c609debcbedf
Instruction ID: 8f8620567cc94c6ef084f93af80d3e55f75ec2df566e58a965bfb607d0785538
Opcode Fuzzy Hash: 361699771760aa7245790f27e8a9b46a8e6ad34475901b572e98c609debcbedf
Instruction Fuzzy Hash: 91B09B719015C5C9DA11F760460875B7905A7E0701F59C463D3030A55E4779C1D1E179

Non-executed Functions

Function 00B34610 Relevance: 70.3, APIs: 38, Strings: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000008,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00B3466B
OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00B34672
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B3467C
GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00B34696
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B346A0
GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000005(TokenIntegrityLevel),00000000,00000000,?), ref: 00B346BE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B346C8
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000008,?), ref: 00B346F9
InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001), ref: 00B34716
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B34720
GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001(TokenIntegrityLevel),00000014,?,?), ref: 00B3473A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B34744
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00B348F9
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000), ref: 00B3490F
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000), ref: 00B34925

Strings

', xrefs: 00B34654
', xrefs: 00B3463E

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: ErrorLast$Token$HeapInformation$FreeProcess$AllocCloseCurrentDescriptorHandleInitializeOpenSecurity
String ID: '$'
API String ID: 1987375396-2527190458
Opcode ID: 8289365657d1b076a523c3ea80d9316add8cba83d686f1f87ee54e99dacb1105
Instruction ID: 6c0ff9903c8e31cfc3710d66148c09c705e46b90e1a47b78488364b9892381df
Opcode Fuzzy Hash: 8289365657d1b076a523c3ea80d9316add8cba83d686f1f87ee54e99dacb1105
Instruction Fuzzy Hash: 5D915E31A40741EFEB209FA5DD89B6E7AE8FF05741F3504A4FA06E71A0DF70AD019A61

Function 00B333C0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 118memorynativeregistryCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(000000FF,00000036,?), ref: 00B333F3
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00B367D0), ref: 00B333FE
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001), ref: 00B33406
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00B3340C
InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(00B37384), ref: 00B33430
InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(00B37360), ref: 00B3343B
RegDisablePredefinedCacheEx.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00B33441
EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(00B3137C,00000000,00000000,00B373C8), ref: 00B33453
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00B33466

Part of subcall function 00B34190: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000064,00000000,?,?,00000004), ref: 00B341CA
Part of subcall function 00B34190: memcpy.API-MS-WIN-CORE-CRT-L1-1-0(00000064,00000000,00000000,?,?,00000004), ref: 00B341EA

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000052,?,00000090,?,?,?,?,00000004), ref: 00B334C8
NtSetInformationProcess.NTDLL(00000000), ref: 00B334CF

Part of subcall function 00B336F0: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00B334DC,?,?,00B334DC,?,?,?,?,00000004), ref: 00B33713
Part of subcall function 00B336F0: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00B334DC,00000000,00000000,?,?,00B334DC,?,?,?,?,00000004), ref: 00B33730
Part of subcall function 00B336F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000,?,?,00B334DC,?,?,?,?,00000004), ref: 00B33796
Part of subcall function 00B336F0: InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(00000010,?,?,00B334DC,?,?,?,?,00000004), ref: 00B337C7

Part of subcall function 00B33690: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000000,00B334E1,?,?,?,?,00000004), ref: 00B336B3

HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,00000004), ref: 00B33502
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00000004), ref: 00B33527
ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B33531

Part of subcall function 00B33540: RpcMgmtSetServerStackSize.RPCRT4(?), ref: 00B33581
Part of subcall function 00B33540: I_RpcServerDisableExceptionFilter.RPCRT4 ref: 00B3358D
Part of subcall function 00B33540: RtlSetProcessIsCritical.NTDLL ref: 00B3359F
Part of subcall function 00B33540: SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000002,00B334EE,00000004,?,?,?,?,00B334EE,?,?,?,?,00000004), ref: 00B335BA
Part of subcall function 00B33540: SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000008,?,00000004,?,?,?,?,00B334EE,?,?,?,?,00000004), ref: 00B335D2
Part of subcall function 00B33540: SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000006,?,00000004), ref: 00B335F9
Part of subcall function 00B33540: SetProtectedPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(NoUrlMimeFilters,00000001,00000000), ref: 00B33608
Part of subcall function 00B33540: HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,00B334EE,?,?,?,?,00000004), ref: 00B33616
Part of subcall function 00B33540: NtSetInformationProcess.NTDLL(000000FF,00000034,00000004,00000008), ref: 00B33668

memset.API-MS-WIN-CORE-CRT-L1-1-0(?,00000000,00000090), ref: 00B33489

Part of subcall function 00B34130: _vsnwprintf.NTDLL ref: 00B34161

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000001), ref: 00B36409
SetProcessAffinityUpdateMode.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00B36410

Strings

[%ws] [%ws], xrefs: 00B36425
[%ws], xrefs: 00B334A8

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Process$Heap$InformationPolicy$AllocInitializeLockMitigation$CurrentDisableExceptionFilterFreeModeServer$AffinityCacheCloseCommandCriticalErrorEventExitLineMgmtOpenPredefinedProtectedRegisterSizeStackUnhandledUpdate_vsnwprintfmemcpymemset
String ID: [%ws]$[%ws] [%ws]
API String ID: 452972043-2631382080
Opcode ID: 5c5cbec477cc50aaeb0b2aaea0e6f4820abcb707c28fb56dcd3473863240a2b9
Instruction ID: f6c49e4449dd51cf67e21353a98c8e92e2bef429290051c96f9c0a823cbf8049
Opcode Fuzzy Hash: 5c5cbec477cc50aaeb0b2aaea0e6f4820abcb707c28fb56dcd3473863240a2b9
Instruction Fuzzy Hash: 8D41B3B5684700BBD720AF70AC4AF5F3BE8EB84B11F300498F905D72A1DF7099099B66

Function 00B33540 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 106memorynativeCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 00B33574
RpcMgmtSetServerStackSize.RPCRT4(?), ref: 00B33581
I_RpcServerDisableExceptionFilter.RPCRT4 ref: 00B3358D
RtlSetProcessIsCritical.NTDLL ref: 00B3359F
SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000002,00B334EE,00000004,?,?,?,?,00B334EE,?,?,?,?,00000004), ref: 00B335BA
SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000008,?,00000004,?,?,?,?,00B334EE,?,?,?,?,00000004), ref: 00B335D2
SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000006,?,00000004), ref: 00B335F9
SetProtectedPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(NoUrlMimeFilters,00000001,00000000), ref: 00B33608
HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,00B334EE,?,?,?,?,00000004), ref: 00B33616
NtSetInformationProcess.NTDLL(000000FF,00000034,00000004,00000008), ref: 00B33668

Strings

NoUrlMimeFilters, xrefs: 00B33603

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Process$Policy$Mitigation$InformationServer$CriticalDisableExceptionFilterHeaderHeapImageMgmtProtectedSizeStack
String ID: NoUrlMimeFilters
API String ID: 586916691-2399580893
Opcode ID: 5e3103a8c31c5d5e8a0231bed0441d8e9af3aee63eb9711f4628c41f64d5db91
Instruction ID: d04a1998c69b4558798dd8fec54103fcd98d81d50ddba0d2b716d2e24c62a953
Opcode Fuzzy Hash: 5e3103a8c31c5d5e8a0231bed0441d8e9af3aee63eb9711f4628c41f64d5db91
Instruction Fuzzy Hash: 0C41A470640704AFE7209B64DD4ABAB77F4FB00B05F2444A9FA06D65D0DFB1EA44CB51

Function 00B36BB0 Relevance: 9.0, APIs: 6, Instructions: 23COMMON

Download Yara Rule

APIs

RpcServerUnregisterIfEx.RPCRT4(?,00000000,00000001), ref: 00B36BBD
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00B3743C), ref: 00B36BCA
RpcMgmtStopServerListening.RPCRT4(00000000), ref: 00B36BDB
RpcMgmtWaitServerListen.RPCRT4 ref: 00B36BE1
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00B3743C), ref: 00B36BEC
I_RpcMapWin32Status.RPCRT4(00000000), ref: 00B36BF3

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Server$CriticalMgmtSection$EnterLeaveListenListeningStatusStopUnregisterWaitWin32
String ID:
API String ID: 3168261810-0
Opcode ID: b39e84e670da12f2561bff404bde1e2c23ba641231fa7e3e2febe37a87a07425
Instruction ID: 38b1713e123101593230c1ef307d88acfe9bd93c28af8591d4f866438800d777
Opcode Fuzzy Hash: b39e84e670da12f2561bff404bde1e2c23ba641231fa7e3e2febe37a87a07425
Instruction Fuzzy Hash: 00E01A72288714ABD7652BA1AD0EB8D3FA4EB04762F304010F205971B0CFB195169BA6

Function 00B36B60 Relevance: 9.0, APIs: 6, Instructions: 23COMMON

Download Yara Rule

APIs

RpcServerUnregisterIf.RPCRT4(?,00000000,00000001), ref: 00B36B6D
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00B3743C), ref: 00B36B7A
RpcMgmtStopServerListening.RPCRT4(00000000), ref: 00B36B8B
RpcMgmtWaitServerListen.RPCRT4 ref: 00B36B91
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00B3743C), ref: 00B36B9C
I_RpcMapWin32Status.RPCRT4(00000000), ref: 00B36BA3

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Server$CriticalMgmtSection$EnterLeaveListenListeningStatusStopUnregisterWaitWin32
String ID:
API String ID: 3168261810-0
Opcode ID: 31712ef35fb46e39a086aa0bb6cc74e981fb4e75e5d7188b42aef18577ce4f8f
Instruction ID: 44fd780d65a0d6ce7c96ea88a0d74d89621ca51f85c8c75fb82c211694a024ef
Opcode Fuzzy Hash: 31712ef35fb46e39a086aa0bb6cc74e981fb4e75e5d7188b42aef18577ce4f8f
Instruction Fuzzy Hash: FCE04FB2284714BBD7242BA1ED0EF9D3FA4EB04762F304010F209971B0CFB155169BA6

Function 00B357B0 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00B357DD
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B357EC
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B357F5
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00B357FE
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00B35813

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: e0d8aa848ade116dcee3fe88f1bca8568daf689e4c4d00e22d2badd140fae1d9
Instruction ID: a5459be04da812a279a7faec77a7154d6d5f32380f69f18d52a9cf592504fdb6
Opcode Fuzzy Hash: e0d8aa848ade116dcee3fe88f1bca8568daf689e4c4d00e22d2badd140fae1d9
Instruction Fuzzy Hash: 4B111CB5D00608EFCB24DBB4D98859EB7F4EF48314F714495E401E7250EF309A04DB11

Function 00B36AF0 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00B3743C), ref: 00B36AFB

Part of subcall function 00B36A38: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00B36A64

RpcServerListen.RPCRT4(?,00003039,?), ref: 00B36B29
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00B3743C), ref: 00B36B40
I_RpcMapWin32Status.RPCRT4(00000000), ref: 00B36B47

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: CriticalSection$AllocEnterLeaveListenLocalServerStatusWin32
String ID:
API String ID: 3342318003-0
Opcode ID: beb2e95eb068203e162a9d485bf2ebb7ff1d9ceaf7b03ed13c5611c42f889f3f
Instruction ID: aeed66a9fe1224ad3e9a508eaac7d035a3af55443cd6681b2f3b83dc93db405d
Opcode Fuzzy Hash: beb2e95eb068203e162a9d485bf2ebb7ff1d9ceaf7b03ed13c5611c42f889f3f
Instruction Fuzzy Hash: 0FF0E2B26446246BC7219B60DC4D89E3BA8EB14360B308140FC45EB250CF709D028BD1

Function 00B35848 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00B3597E,00B31008), ref: 00B3584F
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00B3597E,?,00B3597E,00B31008), ref: 00B35858
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00B3597E,00B31008), ref: 00B35863
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00B3597E,00B31008), ref: 00B3586A

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 48aca8391383e4689bb6bea1f1312177c517609e28716517e3cc218cc251f4e5
Instruction ID: 53c6fc5617334c9951a807028ca99aa7ee99834f1349b9296e25b489814e3990
Opcode Fuzzy Hash: 48aca8391383e4689bb6bea1f1312177c517609e28716517e3cc218cc251f4e5
Instruction Fuzzy Hash: A1D0CA32000308BFCA082BE1EC0CA8E3E2AEB88212F204400F30EC3020CE31884D8B62

Function 00B33360 Relevance: 4.5, APIs: 3, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 00B333C0: NtSetInformationProcess.NTDLL(000000FF,00000036,?), ref: 00B333F3
Part of subcall function 00B333C0: SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00B367D0), ref: 00B333FE
Part of subcall function 00B333C0: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001), ref: 00B33406
Part of subcall function 00B333C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00B3340C
Part of subcall function 00B333C0: InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(00B37384), ref: 00B33430
Part of subcall function 00B333C0: InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(00B37360), ref: 00B3343B
Part of subcall function 00B333C0: RegDisablePredefinedCacheEx.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00B33441
Part of subcall function 00B333C0: EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(00B3137C,00000000,00000000,00B373C8), ref: 00B33453
Part of subcall function 00B333C0: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00B33466
Part of subcall function 00B333C0: memset.API-MS-WIN-CORE-CRT-L1-1-0(?,00000000,00000090), ref: 00B33489
Part of subcall function 00B333C0: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000052,?,00000090,?,?,?,?,00000004), ref: 00B334C8
Part of subcall function 00B333C0: NtSetInformationProcess.NTDLL(00000000), ref: 00B334CF
Part of subcall function 00B333C0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,00000004), ref: 00B33502

I_RegisterSvchostNotificationCallback.API-MS-WIN-SERVICE-PRIVATE-L1-1-3(Function_00006760), ref: 00B33373
StartServiceCtrlDispatcherW.API-MS-WIN-SERVICE-CORE-L1-1-0(00000000), ref: 00B3337A
ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B333B3

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Process$HeapInformationInitializeLockRegister$CacheCallbackCommandCtrlCurrentDisableDispatcherErrorEventExceptionExitFilterFreeLineModeNotificationPredefinedServiceStartSvchostUnhandledmemset
String ID:
API String ID: 721293443-0
Opcode ID: e70a3c75eb44563dfa8145c996b9c9d6b72bf01ca38742d7b5be0d51f1e97e81
Instruction ID: d931843ae00a84720a319d76697ed56b117ae08b5142ede02e7531b899f714fd
Opcode Fuzzy Hash: e70a3c75eb44563dfa8145c996b9c9d6b72bf01ca38742d7b5be0d51f1e97e81
Instruction Fuzzy Hash: EFE04F31685714ABD32537A8AE0EF4E39E19B40F06F344190F9067B1E0CFB4990696AF

Function 00B32330 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 312registryCOMMON

Download Yara Rule

APIs

CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,00000000,000000FF,00000001), ref: 00B3238F
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-00B37380,?,?,000000FF,00000000,000000FF,00000001), ref: 00B323CF
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00B37360,00000000,00000000,00000002,?,?,000000FF,00000000,000000FF,00000001), ref: 00B3241C
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00B37360,?,?,000000FF,00000000,000000FF,00000001), ref: 00B32435
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-00B37380,00000000,00000000,00000002,?,?,000000FF,00000000,000000FF,00000001), ref: 00B32472
EtwEventEnabled.NTDLL ref: 00B324CB
EtwEventWrite.NTDLL(00B31A10,00000001,?), ref: 00B32521
EtwEventEnabled.NTDLL ref: 00B32558
EtwEventWrite.NTDLL(00B31A00,00000001,?), ref: 00B325A8

Part of subcall function 00B366F0: RegisterServiceCtrlHandlerW.API-MS-WIN-SERVICE-WINSVC-L1-1-0(?,00B35650), ref: 00B36735
Part of subcall function 00B366F0: SetServiceStatus.API-MS-WIN-SERVICE-CORE-L1-1-0(00000000,00000030), ref: 00B36744

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-00B37380,?,?,000000FF,00000000,000000FF,00000001), ref: 00B325DF
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Services,00000000,00020019,?,?,?,000000FF,00000000,000000FF,00000001), ref: 00B3260D
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000001,00000000,00020019,00000000,?,?,000000FF,00000000,000000FF,00000001), ref: 00B32627
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,Parameters,00000000,00020019,00000000,?,?,000000FF,00000000,000000FF,00000001), ref: 00B32645
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,000000FF,00000000,000000FF,00000001), ref: 00B3266C
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,000000FF,00000000,000000FF,00000001), ref: 00B3267A
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,ServiceDllUnloadOnStop,00000000,?,00000000,00000004,?,?,000000FF,00000000,000000FF,00000001), ref: 00B32699
ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,?,?,?,000000FF,00000000,000000FF,00000001), ref: 00B326C1
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,000000FF,00000000,000000FF,00000001), ref: 00B326D1
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,?,?,?,000000FF,00000000,000000FF,00000001), ref: 00B326E1
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-00B37380,?,?,000000FF,00000000,000000FF,00000001), ref: 00B326EB
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,000000FF,00000000,000000FF,00000001), ref: 00B326F9

Strings

Parameters, xrefs: 00B3263D
System\CurrentControlSet\Services, xrefs: 00B325F5
ServiceDllUnloadOnStop, xrefs: 00B32691

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: ExclusiveLock$Event$AcquireCloseOpenRelease$EnabledServiceWrite$ActivateCompareCtrlDeactivateFreeHandlerLibraryOrdinalQueryRegisterStatusStringValue
String ID: Parameters$ServiceDllUnloadOnStop$System\CurrentControlSet\Services
API String ID: 1435729891-2925796325
Opcode ID: 06a36b28acf69835f10b1eb12c6335ff0e497a11e81c50beb3297c15967f0be1
Instruction ID: 7b4ed9e2c51b3712a8dd231fcefd09a21d123a193be5379f8cdf8d4fe697e69a
Opcode Fuzzy Hash: 06a36b28acf69835f10b1eb12c6335ff0e497a11e81c50beb3297c15967f0be1
Instruction Fuzzy Hash: 82C14775A40208AFCB21CFA4DD89BAEB7F9FF48700F244159F912A7260DF31A905DB60

Function 00B33060 Relevance: 42.2, APIs: 28, Instructions: 175memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00B37454,00000000,-00B37390,00000001,00B32430,?,?,000000FF), ref: 00B33094
RtlLengthRequiredSid.NTDLL(00000001), ref: 00B330A8
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,?,?,000000FF), ref: 00B330BA
RtlInitializeSid.NTDLL(00000000,00B31014,00000001), ref: 00B330D4
RtlSubAuthoritySid.NTDLL(00B374A4,00000000), ref: 00B330E4
RtlSubAuthorityCountSid.NTDLL(?), ref: 00B33122
RtlLengthRequiredSid.NTDLL(?), ref: 00B33130
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(000000FF,00000000,00000000,?,?,000000FF), ref: 00B3313F
RtlCopySid.NTDLL ref: 00B33154
RtlSubAuthorityCountSid.NTDLL(00000000), ref: 00B33167
RtlSubAuthoritySid.NTDLL(00B3747C,?), ref: 00B33174
RtlLengthRequiredSid.NTDLL(00000002), ref: 00B3318D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,?,?,000000FF), ref: 00B3319F
RtlInitializeSid.NTDLL(00000000,00000000,00000002), ref: 00B331B9
RtlSubAuthoritySid.NTDLL(00000000), ref: 00B331C7
RtlSubAuthoritySid.NTDLL(00000001), ref: 00B331DB
RtlDeriveCapabilitySidsFromName.NTDLL ref: 00B331F6
RtlLengthRequiredSid.NTDLL(00000006), ref: 00B33212
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,?,?,000000FF), ref: 00B33224
RtlInitializeSid.NTDLL(00000000,00000000,00000006), ref: 00B3323E
RtlSubAuthoritySid.NTDLL(00000000), ref: 00B3324D
RtlSubAuthoritySid.NTDLL(00000001), ref: 00B33261
RtlSubAuthoritySid.NTDLL(00000002), ref: 00B33271
RtlSubAuthoritySid.NTDLL(00000003), ref: 00B33281
RtlSubAuthoritySid.NTDLL(00000004), ref: 00B33291
RtlSubAuthoritySid.NTDLL(00000005), ref: 00B332A1
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00B37454,?,?,000000FF), ref: 00B332AE

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Authority$AllocHeapLengthRequired$Initialize$CountExclusiveLock$AcquireCapabilityCopyDeriveFromNameReleaseSids
String ID:
API String ID: 4098953902-0
Opcode ID: 637f56bd91231cc30285042f2bef837e1a8c79ebe281d5da769f5a943ddc7acd
Instruction ID: 0b5847b5d80adca32a93c0fa7987a0aed7717f7cef96a56bcce8c744a54cba80
Opcode Fuzzy Hash: 637f56bd91231cc30285042f2bef837e1a8c79ebe281d5da769f5a943ddc7acd
Instruction Fuzzy Hash: 286128B1684705AFD7119FA4ED59B6EBBB8FB08741F204068F6019B2B0CFB1AD14DB61

Function 03472890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0347293C
___swprintf_l.LIBCMT ref: 0347295E
___swprintf_l.LIBCMT ref: 034729A3
___swprintf_l.LIBCMT ref: 034AA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 034AA527
ffff:, xrefs: 034AA504
:%u.%u.%u.%u, xrefs: 034AA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 034AA54E

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: dfb2ab201aba613860b8ddaddb2c2ce2a578490b72da1ce0d487f64dedbc36d7
Instruction ID: 3849aca05d3806e097de92d7cbcdbed50a850603cac0f28d50e16cbdd20129d1
Opcode Fuzzy Hash: dfb2ab201aba613860b8ddaddb2c2ce2a578490b72da1ce0d487f64dedbc36d7
Instruction Fuzzy Hash: 9451D5B5B00516BFCB10DB9888909BFF7B8BB49200758866BE4A5DF641D274DE40CBA8

Function 034E2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 034E24A6
___swprintf_l.LIBCMT ref: 034E24E2
___swprintf_l.LIBCMT ref: 034E257D
___swprintf_l.LIBCMT ref: 034E25A3
___swprintf_l.LIBCMT ref: 034E25C8
___swprintf_l.LIBCMT ref: 034E2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 034E24DA
ffff:, xrefs: 034E247D, 034E249D
:%u.%u.%u.%u, xrefs: 034E25FF
::%hs%u.%u.%u.%u, xrefs: 034E249E

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: df8015578d5ce0c1207ff2c21403b7b39f91ed7d01cbd03e19274029ffcee20e
Instruction ID: 97e8ef6250846bd1b8a2d9286162a4ba371e19dff54597d02794e0bb82712c4c
Opcode Fuzzy Hash: df8015578d5ce0c1207ff2c21403b7b39f91ed7d01cbd03e19274029ffcee20e
Instruction Fuzzy Hash: B45115B5A00645AECB60EF5CC99087FBBFCEB44201B448C5BE4A6DF641E7B4EA008764

Function 00B35330 Relevance: 15.1, APIs: 10, Instructions: 130memoryregistryCOMMON

Download Yara Rule

APIs

CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,00000000,000000FF,00000001), ref: 00B35393
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-00B37380), ref: 00B353C2
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008), ref: 00B353DC
RegisterWaitForSingleObjectEx.API-MS-WIN-CORE-THREADPOOL-PRIVATE-L1-1-0(00000000,Function_00002170,00000000,000000FF,?), ref: 00B3540D
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-00B37380), ref: 00B3542F
TpAllocWait.NTDLL ref: 00B35454
TpSetWait.NTDLL(00000000,00000000,00000000), ref: 00B3546A

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Wait$AllocExclusiveLock$AcquireCompareHeapObjectOrdinalRegisterReleaseSingleString
String ID:
API String ID: 2793058030-0
Opcode ID: 8c963394538ea76db3554e9a974d84aae3d1e773f692c6476ccdbb566ca3360e
Instruction ID: 093e35a94f9573ce6ea0ca97c2adb822706efe08bef9d8b6a7191b2276f3c3e6
Opcode Fuzzy Hash: 8c963394538ea76db3554e9a974d84aae3d1e773f692c6476ccdbb566ca3360e
Instruction Fuzzy Hash: 9141AAB5A44714EBCB258F64DC45BAE7BF5EB08351F3081A8F916E73A0CB309941DB51

Function 03467630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 034A46A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 034A4742
CLIENT(ntdll): Processing section info %ws..., xrefs: 034A4787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 034A46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 034A4655
Execute=1, xrefs: 034A4713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 034A4725

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6155378a286dc3fc4561b155d6678c8ba13fa7811350f1e1be1f24cac9b4c065
Instruction ID: 6633c514fc4ea3ec2782d37d2437d68f5bea1f8772490947faf64e61b3f56107
Opcode Fuzzy Hash: 6155378a286dc3fc4561b155d6678c8ba13fa7811350f1e1be1f24cac9b4c065
Instruction Fuzzy Hash: F5513B756003096EDB20EFA9DC85FEE7BB8AF14314F1400ABD505AF390E771AA458B59

Function 00B321D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000004,?,?), ref: 00B321F5

Part of subcall function 00B32290: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Services,00000000,00020019,?,00000004,?), ref: 00B322C2
Part of subcall function 00B32290: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,00000000,00020019,00000000), ref: 00B322DC
Part of subcall function 00B32290: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,Parameters,00000000,00020019,00000000,?,00000000,00020019,00000000), ref: 00B322F7
Part of subcall function 00B32290: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00B32313
Part of subcall function 00B32290: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00B32321

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,ServiceDllUnloadOnStop,00000000,00000000,00000000,00000004), ref: 00B32222
ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,?), ref: 00B3224A
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?), ref: 00B3225A
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,?), ref: 00B3226F
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000004), ref: 00B32276
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00B32286

Strings

ServiceDllUnloadOnStop, xrefs: 00B3221A

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: CloseOpen$ExclusiveLock$AcquireActivateDeactivateFreeLibraryQueryReleaseValue
String ID: ServiceDllUnloadOnStop
API String ID: 875000390-2673481689
Opcode ID: 7ee7897e400267cf3d154e41227ab565cfeb7e423278a862fac6c738056b7035
Instruction ID: 2bebbfd4d0b69993d6f261af8951953d5bd6ebb1682ec9b037b2b341be5e004a
Opcode Fuzzy Hash: 7ee7897e400267cf3d154e41227ab565cfeb7e423278a862fac6c738056b7035
Instruction Fuzzy Hash: A9211835900208EFCB20DF94DD49B9FBBF8EF08705F2045A9E915A3161DB70AA15DB62

Function 00B34A50 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

RtlQueryHeapInformation.NTDLL(00000000,00000004,?,00000140,00000140), ref: 00B34AC9
qsort_s.API-MS-WIN-CORE-CRT-L1-1-0(?,?,00000014,00B35660,00000000), ref: 00B34B01
bsearch_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,00000014,00B35660,00000000), ref: 00B34B99
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000140), ref: 00B34D1E
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00B34D42

Strings

#, xrefs: 00B34AD7

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Heap$AllocFreeInformationQuerybsearch_sqsort_s
String ID: #
API String ID: 3529558078-1885708031
Opcode ID: a8ae1a0a01bc23d0a39a0bd3a3be30f42c9de4f3010f925e1c78002bdc3a132a
Instruction ID: 34604eb19a4ae34c427707ff4a44d3eef427f24645b4657aff6caffc74103139
Opcode Fuzzy Hash: a8ae1a0a01bc23d0a39a0bd3a3be30f42c9de4f3010f925e1c78002bdc3a132a
Instruction Fuzzy Hash: AB9118B1A006199BCB24CF29DC8479AB7F5FB88304F6481E9E50D97350EB71AE95CF84

Function 00B336F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00B334DC,?,?,00B334DC,?,?,?,?,00000004), ref: 00B33713

Part of subcall function 00B33800: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00B334DC,?,00000000,00020019,00000000,00000007,00B37394,?,00000000,00000000,00000000), ref: 00B3389A
Part of subcall function 00B33800: RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B338D7
Part of subcall function 00B33800: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00B33923

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00B334DC,00000000,00000000,?,?,00B334DC,?,?,?,?,00000004), ref: 00B33730
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000,?,?,00B334DC,?,?,?,?,00000004), ref: 00B33796
InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(00000010,?,?,00B334DC,?,?,?,?,00000004), ref: 00B337C7

Strings

Software\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 00B33706

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: AllocHeapOpen$CloseEnumInitializeLock
String ID: Software\Microsoft\Windows NT\CurrentVersion\Svchost
API String ID: 4187173433-3825988276
Opcode ID: 49b1e35587e2f726f691dcdf2fdd3c2a329fd5977f027061e3f9d938762daa25
Instruction ID: ca19b59c99fea60506c79e787f4e92a7e644d97ed449d9d3bdbddae70192921e
Opcode Fuzzy Hash: 49b1e35587e2f726f691dcdf2fdd3c2a329fd5977f027061e3f9d938762daa25
Instruction Fuzzy Hash: C341EFF5900301EBCB249F28DC85A6B77F8FB84B40F354599EC4697250EBB1AE92C780

Function 00B36A38 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00B36A64
RpcServerUseProtseqEpW.RPCRT4(ncacn_np,0000000A,00000000,00000000), ref: 00B36A9D
RpcServerRegisterIf.RPCRT4(?,00000000,00000000), ref: 00B36AB8
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00B36AC1
I_RpcMapWin32Status.RPCRT4(00000000), ref: 00B36AC8
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00B36AD1

Strings

ncacn_np, xrefs: 00B36A98

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Local$FreeServer$AllocProtseqRegisterStatusWin32
String ID: ncacn_np
API String ID: 1007250533-272970834
Opcode ID: 375bb87cfa817cb4c64c9e6381ef1eafe6212fe3687207deef4d312b28deb326
Instruction ID: 19ac137780166ebe8605b24c59a2e5ca6b5e1d2d3aa7a7b82e89e83e13675c21
Opcode Fuzzy Hash: 375bb87cfa817cb4c64c9e6381ef1eafe6212fe3687207deef4d312b28deb326
Instruction Fuzzy Hash: 5A113236B003207BD3295B185C49B6E7BE8DBC9760F318094FD0AF3260EE709D0991E5

Function 00B32290 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Services,00000000,00020019,?,00000004,?), ref: 00B322C2
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,00000000,00020019,00000000), ref: 00B322DC
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,Parameters,00000000,00020019,00000000,?,00000000,00020019,00000000), ref: 00B322F7
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00B32313
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00B32321

Strings

Parameters, xrefs: 00B322EF
System\CurrentControlSet\Services, xrefs: 00B322AD

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Open$Close
String ID: Parameters$System\CurrentControlSet\Services
API String ID: 3083169812-135649160
Opcode ID: 9c3f2a1e6e67836dfb0c1e947eafade89e89f483aa486cdc30971402e0075503
Instruction ID: c6b86c5764d58d2fa5cf121fe5b753638204c22cf23663e8531deef45a5599a8
Opcode Fuzzy Hash: 9c3f2a1e6e67836dfb0c1e947eafade89e89f483aa486cdc30971402e0075503
Instruction Fuzzy Hash: 7B114FB5E40318BFDB21DB659C89B9EBBF8EB48751F2005A4F805F3250DA709E0096A0

Function 00B340B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RtlGetDeviceFamilyInfoEnum.NTDLL(00000000,?,00000000,00000000,?,?,?,?,00B33D92), ref: 00B340C3
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Control\SCMConfig,00000000,00020019,00B33D92,?,?,?,?,00B33D92), ref: 00B340EA
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00B33D92,EnableSvchostMitigationPolicy,00000000,?,?,?,80000002,System\CurrentControlSet\Control\SCMConfig,00000000,00020019,00B33D92), ref: 00B34110
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00B33D92,00B33D92,EnableSvchostMitigationPolicy,00000000,?,?,?,80000002,System\CurrentControlSet\Control\SCMConfig,00000000,00020019,00B33D92), ref: 00B34120

Strings

EnableSvchostMitigationPolicy, xrefs: 00B34108
System\CurrentControlSet\Control\SCMConfig, xrefs: 00B340E0

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: CloseDeviceEnumFamilyInfoOpenQueryValue
String ID: EnableSvchostMitigationPolicy$System\CurrentControlSet\Control\SCMConfig
API String ID: 3374871968-1194725368
Opcode ID: 31c0f6c2e4c7782439f681961e8dc2b1ceb1fd8d61b784b1b1bf66933796647c
Instruction ID: 9b1572c09d81b6421fdc3850cc47c3e243517e9ae4596b54c80726cb4e08d944
Opcode Fuzzy Hash: 31c0f6c2e4c7782439f681961e8dc2b1ceb1fd8d61b784b1b1bf66933796647c
Instruction Fuzzy Hash: 56014034A4060DBFEB20DA948D86BAEB7FCEB14314F3045A6FA04F2151E770AE549A61

Function 00B356A0 Relevance: 9.1, APIs: 6, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,00B345DF,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00B345DF,00000000), ref: 00B356CF
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00B345DF,00000000,00000000), ref: 00B356DD
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000008,?,?,?,?,?,00B345DF,00000000,00000000), ref: 00B35704
MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,00B345DF,?,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 00B35747
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,?,?,?,?,00B345DF,00000000,00000000), ref: 00B366B5
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,?,?,?,?,00000000,?,?,?,?,00B345DF,00000000,00000000), ref: 00B366CA

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: AbsoluteErrorHeapLastMake$AllocFree
String ID:
API String ID: 2337675216-0
Opcode ID: a47a0dd5d811e6aef1e93bdf10d33088f990f9b132b14404612ab695b22fc914
Instruction ID: 9f5dd71b34b05190b96236fe4623d1dc74fa5677539c7e3e152127421b44afb0
Opcode Fuzzy Hash: a47a0dd5d811e6aef1e93bdf10d33088f990f9b132b14404612ab695b22fc914
Instruction Fuzzy Hash: 9E311A76900609EFDB14CB94CC85FFEB7B8EB44704F240599F616E7240EA70AE05DBA1

Function 0347B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0347B6BF

Strings

0, xrefs: 0347B695
0, xrefs: 0347B66F
+, xrefs: 0347B65A
-, xrefs: 0347B650

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 190be8e3f855835c29307f5b229531a12148b597511bb2a7c84519a7f6e38254
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 6E81BF74E052499EDF24CE68C8917FEBBB6EF45320F1C425BD861AF390C73498418B69

Function 034E20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 034E214F
___swprintf_l.LIBCMT ref: 034E2172

Strings

[, xrefs: 034E212B
]:%u, xrefs: 034E2169
%%%u, xrefs: 034E2146

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 2abc2a3a806469cc8f8aaf93d28063420656eff0cb853e7cedf292695f2956b2
Instruction ID: 2de098c7f43c84dfcf31680264796f141dd8ba1b8a7cbc2bd271a2415915b8fb
Opcode Fuzzy Hash: 2abc2a3a806469cc8f8aaf93d28063420656eff0cb853e7cedf292695f2956b2
Instruction Fuzzy Hash: DA21747AA00219AFCB10EF69D8409EFF7FCAF54640F48051BE915EB200E670DA058B95

Function 00B35E50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Control\SCMConfig,00000000,00020019,?,00000000,00000000,?,?,00B33642,?,?,?,?,00B334EE), ref: 00B35E73
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,SvchostHeapReportingThresholdInKB,00000000,?,00000000,00B33642,00000000,?,?,00B33642,?,?,?,?,00B334EE), ref: 00B35E9A
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00B33642,?,?,?,?,00B334EE,?,?,?,?,00000004), ref: 00B35EB4

Strings

SvchostHeapReportingThresholdInKB, xrefs: 00B35E92
System\CurrentControlSet\Control\SCMConfig, xrefs: 00B35E64

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: SvchostHeapReportingThresholdInKB$System\CurrentControlSet\Control\SCMConfig
API String ID: 3677997916-55033843
Opcode ID: 8b4355c1d0108560adfd14c087e985edf97dc34fe0316f86de90cfe1fa7bb1dc
Instruction ID: ae4974a28cc6e09758b958f85f8b24e1e236f97bd86dec4ae891ab3e1a197366
Opcode Fuzzy Hash: 8b4355c1d0108560adfd14c087e985edf97dc34fe0316f86de90cfe1fa7bb1dc
Instruction Fuzzy Hash: BC016D76E40628BBDB21CA95DC05FEEBBBCEB44751F2000A6F901B2050DA709B01DA51

Function 0345F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034A02BD
RTL: Re-Waiting, xrefs: 034A031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034A02E7

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 38d9de2bd5d68b9d22f3905dcbaf2d0b2a99242a0acd0263f59817186a547686
Instruction ID: 500a430ecd6e8a603e56fcd3d3d0ca1709eda35d9053f14df8333e05cd389bdd
Opcode Fuzzy Hash: 38d9de2bd5d68b9d22f3905dcbaf2d0b2a99242a0acd0263f59817186a547686
Instruction Fuzzy Hash: D8E18C31A04B41DFD724CF28C884B6AB7E4BB44314F180A5EF9A58F3A1D775D949CB4A

Function 0346BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 034A7B8E
RTL: Re-Waiting, xrefs: 034A7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 034A7B7F

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: c813fac53e79939e7bb44130736654a8397e5e0490ac7cfa967e43b15b27aa1f
Instruction ID: 744f114dd1256efbd74b17aaf5c9c18e0a9d0bafc8693eca25f5ba6320665f04
Opcode Fuzzy Hash: c813fac53e79939e7bb44130736654a8397e5e0490ac7cfa967e43b15b27aa1f
Instruction Fuzzy Hash: 7D41E5353007029FC728DE2ACC40B6BB7E9EB98710F14091EE956DF790D731E4058B9A

Function 0346B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 034A728C

Strings

RTL: Resource at %p, xrefs: 034A72A3
RTL: Re-Waiting, xrefs: 034A72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 034A7294

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 97fbdf91e9992b2d152f3593f8fa0b2421b6c8445247565f1ec57a1f7e57c24c
Instruction ID: 86e0366dad6b11ba8a6465968d3d7410d6f35a5f7bbe669803305ce7843c7ec0
Opcode Fuzzy Hash: 97fbdf91e9992b2d152f3593f8fa0b2421b6c8445247565f1ec57a1f7e57c24c
Instruction Fuzzy Hash: 3D41E136700A06AFC720DE6ACC41B6ABBA5FB94714F14462BF855DF380DB21F81687D9

Function 034E2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 034E238D
___swprintf_l.LIBCMT ref: 034E23B3

Strings

%%%u, xrefs: 034E2384
]:%u, xrefs: 034E23AA

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: b0146996803802a83e754bd73ab7b51cb62b26f66613fe196d1bac977cc80252
Instruction ID: ac3f79e54ec17273eec9ba140ff6464a800a307ab674f1da6943ac1236a0ae5d
Opcode Fuzzy Hash: b0146996803802a83e754bd73ab7b51cb62b26f66613fe196d1bac977cc80252
Instruction Fuzzy Hash: 86317576A002199ECB60EF39CC40BEFB7BCAB44611F44095BE849EB200EB709A458F64

Function 00B35590 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(WLDP.DLL,00000000,00000800), ref: 00B3559C
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,WldpIsAllowedEntryPoint), ref: 00B355B1

Strings

WldpIsAllowedEntryPoint, xrefs: 00B355AB
WLDP.DLL, xrefs: 00B35597

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: WLDP.DLL$WldpIsAllowedEntryPoint
API String ID: 2574300362-3624529204
Opcode ID: e14bf74a01ddf731328b79393a6f7acf31c975bbc1ee67cb1a1a2e033613e61f
Instruction ID: 201204fcd0eab8d00d2aa3ee895bb94d55833c29378c05839b77b3b78d448379
Opcode Fuzzy Hash: e14bf74a01ddf731328b79393a6f7acf31c975bbc1ee67cb1a1a2e033613e61f
Instruction Fuzzy Hash: 06D0C9B4A81702AED3646B29AC0AB4E3AD8EB15B11F308465B809D32E1DFB49444DF19

Function 00B33FC0 Relevance: 6.1, APIs: 4, Instructions: 80registrymemoryCOMMON

Download Yara Rule

APIs

RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00B334DC,00000000,?,0000FFFF,00000000,00000000,00000000,00000000,00B334DC,00000000,?,00000000,00000000), ref: 00B33FFE
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00B34029
RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,?,0000FFFF,00000000,00000000,00000000), ref: 00B3404A

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Value$AllocHeap
String ID:
API String ID: 1008940825-0
Opcode ID: 442e0674d31427db0548e05167a18d3970591b477cb1dace4eedf3b1acc1ab10
Instruction ID: 62acb899acea08b305439c66ed25c6658c81542d7304fa5f1ebf96609e8b1e84
Opcode Fuzzy Hash: 442e0674d31427db0548e05167a18d3970591b477cb1dace4eedf3b1acc1ab10
Instruction Fuzzy Hash: D4211D75704209AFEB24CF99DC85BAEB7F8EB54310F30406AFA01E7290EB71AD549B51

Function 03477D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03477E8B

Strings

-, xrefs: 03477DDD
+, xrefs: 03477DE8

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 3797f2461f9603d70e8fd521aef8a8712ad08115261ae9cbbc3048cfe937b5e3
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 9B918170E002169EDB24DF69C981AFFBBA5AF44720F98451BE865EF3D0D73099428B58

Function 03439126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 03439175
$, xrefs: 03439191

Memory Dump Source

Source File: 00000005.00000002.4622151761.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000005.00000002.4622151761.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4622151761.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
Instruction ID: ab6d1f0bf04d725aa5249a3fc28d94c7fe4129c2b41d4a5fb15b4e3b71714d27
Opcode Fuzzy Hash: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
Instruction Fuzzy Hash: D5814B76D002699BEB31CF54CC44BEEB6B4AB09710F0445EBE919BB290D7709E85CFA4

Function 00B359EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B32290: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Services,00000000,00020019,?,00000004,?), ref: 00B322C2
Part of subcall function 00B32290: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,00000000,00020019,00000000), ref: 00B322DC
Part of subcall function 00B32290: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,Parameters,00000000,00020019,00000000,?,00000000,00020019,00000000), ref: 00B322F7
Part of subcall function 00B32290: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00B32313
Part of subcall function 00B32290: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00B32321

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,LegacyCOMBehavior,00000000,00000001,000000FF,?,000000FF,00000001), ref: 00B35A25
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00B35A40

Strings

LegacyCOMBehavior, xrefs: 00B35A1D

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: CloseOpen$QueryValue
String ID: LegacyCOMBehavior
API String ID: 3523390698-682057670
Opcode ID: 0b20c13aa72c9fac77244505ee0b2c2f825c3ad3d74a82939ac97407ab7273bf
Instruction ID: f427547a498f0e9f8e18b56d5f42dbea9c75b1ddd85a98866524f8c1dc42073f
Opcode Fuzzy Hash: 0b20c13aa72c9fac77244505ee0b2c2f825c3ad3d74a82939ac97407ab7273bf
Instruction Fuzzy Hash: 4AF01D71900209EBDF21DBA0CD86BAE77F9EB54749F2042A5E512E2050EB709B04AB51

Function 00B366F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerW.API-MS-WIN-SERVICE-WINSVC-L1-1-0(?,00B35650), ref: 00B36735
SetServiceStatus.API-MS-WIN-SERVICE-CORE-L1-1-0(00000000,00000030), ref: 00B36744

Strings

0, xrefs: 00B36708

Memory Dump Source

Source File: 00000005.00000002.4621189200.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000005.00000002.4621189200.0000000000B38000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.4621257944.0000000000B3B000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b30000_svchost.jbxd

Similarity

API ID: Service$CtrlHandlerRegisterStatus
String ID: 0
API String ID: 786618493-4108050209
Opcode ID: 01672c40fce7e35dac0c89dbe3533fe7537da11ebb371fc16bb8ae8335d1a023
Instruction ID: 10b19e8691638232a96d4a4a0b5e8142466170cb19d388b83079d16f86690d6e
Opcode Fuzzy Hash: 01672c40fce7e35dac0c89dbe3533fe7537da11ebb371fc16bb8ae8335d1a023
Instruction Fuzzy Hash: CCF03AB0D00208EBDB14DFA1D8597AEBBF8EB48708FA0414CE80567280DFB95A48CB91

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
file.exe

Function 06932C9E Relevance: 4.1, Strings: 3, Instructions: 320
COMMON

Function 06932CAD Relevance: 4.1, Strings: 3, Instructions: 311
COMMON

Function 06932CF8 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Function 06930B3D Relevance: 4.0, Strings: 3, Instructions: 246
COMMON

Function 06930B76 Relevance: 4.0, Strings: 3, Instructions: 228
COMMON

Function 06930B90 Relevance: 4.0, Strings: 3, Instructions: 219
COMMON

Function 069396B8 Relevance: 2.7, Strings: 2, Instructions: 225
COMMON

Function 069396C8 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Function 0248AE48 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 024844B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0248590D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre