Edit tour

Windows Analysis Report
97q26I8OtN.exe

Overview

General Information

Sample name:	97q26I8OtN.exe renamed because original name is a hash value
Original sample name:	57e610ffae08a6189ecc331352a5115093c0c8b9372756b2211f2e164d052dc5.exe
Analysis ID:	1587626
MD5:	2e5a55a46c75aa53efd566270938d168
SHA1:	ce2dbc6468deedaff70830ffa2e7af2c2f36f333
SHA256:	57e610ffae08a6189ecc331352a5115093c0c8b9372756b2211f2e164d052dc5
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

97q26I8OtN.exe (PID: 2536 cmdline: "C:\Users\user\Desktop\97q26I8OtN.exe" MD5: 2E5A55A46C75AA53EFD566270938D168)

powershell.exe (PID: 2020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3472 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

97q26I8OtN.exe (PID: 6060 cmdline: "C:\Users\user\Desktop\97q26I8OtN.exe" MD5: 2E5A55A46C75AA53EFD566270938D168)

97q26I8OtN.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\97q26I8OtN.exe" MD5: 2E5A55A46C75AA53EFD566270938D168)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmstp.exe (PID: 5256 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)

cmd.exe (PID: 2644 cmdline: /c del "C:\Users\user\Desktop\97q26I8OtN.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.xhibitonenotary.info/t18n/"], "decoy": ["tmusicoregon.net", "atici.online", "j7u7.xyz", "iewunucierwuerwnziqi1.info", "ruvabetgiris.website", "acik.lat", "obsk.top", "sphaltpaving-ttp1-shd-us-2.shop", "ispensarynearme.news", "b3nd.bond", "urelook.xyz", "gearlpfbm.top", "aconstructionjob.bond", "killsnexis.info", "oshon.xyz", "ashabsxw.top", "ussiatraiding.buzz", "raipsehumus.homes", "6ae23rx.forum", "edar88vvip.shop", "47-nurse-92864.bond", "p4g6.xyz", "kymacaw.net", "amedepot.shop", "hekindclub.net", "remiumpetsupplies.net", "enisekran.xyz", "pacerpa.shop", "milelab.pro", "mlibertypac.net", "yflume.net", "lecrtort.net", "destramentoemcasa.shop", "atubri.info", "hop-gb.sbs", "entalcar-onlineservices.lol", "aylocnuocionkiem.website", "oliticsclickour.xyz", "eo-company-abc.online", "efoplin.xyz", "ndisec.net", "ain-relief-728.xyz", "essislotgoal14.xyz", "1ngg4hdiwt5.shop", "avada-ga-20.press", "earing-tests-49842.bond", "dnusaunni05.sbs", "sim-for-travel.today", "lotehupi.shop", "bresz.xyz", "ozyjtmt.christmas", "awersip.xyz", "unihbahis.net", "ndustrialrichmond.best", "isdom-sol.xyz", "iden-paaaa.buzz", "32xa544mg.autos", "ental-health-89041.bond", "uylevothyroxine.online", "olar-installer-job-at-de2.today", "usiness-phone-systems-6543.bond", "77.info", "enaydereli.xyz", "pjn.xxx"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3533475165.000000000E306000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa82:$a2: pass 0xa88:$a3: email 0xa8f:$a4: login 0xa96:$a5: signin 0xaa7:$a6: persistent 0xc7a:$r1: C:\Users\user\AppData\Roaming\JP3BPT52\JP3log.ini
00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x96e69:$a1: 3C 30 50 4F 53 54 74 09 40 0xc5289:$a1: 3C 30 50 4F 53 54 74 09 40 0xf26a9:$a1: 3C 30 50 4F 53 54 74 09 40 0xad7a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xdbbc8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x108fe8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b5e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xc9a07:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xf6e27:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xa64cf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xd48ef:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x101d0f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9a520:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9a79a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc8940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc8bba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf5d60:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf5fda:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa62cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xd46ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x101b0d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa5db9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xd41d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1015f9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa63cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xd47ef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x101c0f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa6547:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd4967:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x101d87:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9b1b2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xc95d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf69f2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa9431:$sqlite3step: 68 34 1C 7B E1 0xa9544:$sqlite3step: 68 34 1C 7B E1 0xd7851:$sqlite3step: 68 34 1C 7B E1 0xd7964:$sqlite3step: 68 34 1C 7B E1 0x104c71:$sqlite3step: 68 34 1C 7B E1 0x104d84:$sqlite3step: 68 34 1C 7B E1 0xa9460:$sqlite3text: 68 38 2A 90 C5 0xa9585:$sqlite3text: 68 38 2A 90 C5 0xd7880:$sqlite3text: 68 38 2A 90 C5 0xd79a5:$sqlite3text: 68 38 2A 90 C5 0x104ca0:$sqlite3text: 68 38 2A 90 C5 0x104dc5:$sqlite3text: 68 38 2A 90 C5 0xa9473:$sqlite3blob: 68 53 D8 7F 8C 0xa959b:$sqlite3blob: 68 53 D8 7F 8C 0xd7893:$sqlite3blob: 68 53 D8 7F 8C 0xd79bb:$sqlite3blob: 68 53 D8 7F 8C 0x104cb3:$sqlite3blob: 68 53 D8 7F 8C 0x104ddb:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 97q26I8OtN.exe PID: 2536	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 97q26I8OtN.exe PID: 2536	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x49ef:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: 97q26I8OtN.exe PID: 7072	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f14a:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x5249e:$s2: ~ Shell I 0x12301a:$s2: ~ Shell I
Process Memory Space: cmstp.exe PID: 5256	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x155:$a1: 3C 30 50 4F 53 54 74 09 40 0x11069f:$a1: 3C 30 50 4F 53 54 74 09 40 0x158782:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.97q26I8OtN.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.97q26I8OtN.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.97q26I8OtN.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.97q26I8OtN.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.97q26I8OtN.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
6.2.97q26I8OtN.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.97q26I8OtN.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.97q26I8OtN.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.97q26I8OtN.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.97q26I8OtN.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: CMSTP Execution Process Creation

Source: Process started

Author: Nik Seetharaman: Data: Command: /c del "C:\Users\user\Desktop\97q26I8OtN.exe", CommandLine: /c del "C:\Users\user\Desktop\97q26I8OtN.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\cmstp.exe", ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 5256, ParentProcessName: cmstp.exe, ProcessCommandLine: /c del "C:\Users\user\Desktop\97q26I8OtN.exe", ProcessId: 2644, ProcessName: cmd.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\97q26I8OtN.exe", ParentImage: C:\Users\user\Desktop\97q26I8OtN.exe, ParentProcessId: 2536, ParentProcessName: 97q26I8OtN.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe", ProcessId: 2020, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\97q26I8OtN.exe", ParentImage: C:\Users\user\Desktop\97q26I8OtN.exe, ParentProcessId: 2536, ParentProcessName: 97q26I8OtN.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe", ProcessId: 2020, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 97q26I8OtN.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.bresz.xyz/t18n/www.ental-health-89041.bond	Avira URL Cloud: Label: malware
Source: http://www.bresz.xyz/t18n/	Avira URL Cloud: Label: malware
Source: http://www.bresz.xyz	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.xhibitonenotary.info/t18n/"], "decoy": ["tmusicoregon.net", "atici.online", "j7u7.xyz", "iewunucierwuerwnziqi1.info", "ruvabetgiris.website", "acik.lat", "obsk.top", "sphaltpaving-ttp1-shd-us-2.shop", "ispensarynearme.news", "b3nd.bond", "urelook.xyz", "gearlpfbm.top", "aconstructionjob.bond", "killsnexis.info", "oshon.xyz", "ashabsxw.top", "ussiatraiding.buzz", "raipsehumus.homes", "6ae23rx.forum", "edar88vvip.shop", "47-nurse-92864.bond", "p4g6.xyz", "kymacaw.net", "amedepot.shop", "hekindclub.net", "remiumpetsupplies.net", "enisekran.xyz", "pacerpa.shop", "milelab.pro", "mlibertypac.net", "yflume.net", "lecrtort.net", "destramentoemcasa.shop", "atubri.info", "hop-gb.sbs", "entalcar-onlineservices.lol", "aylocnuocionkiem.website", "oliticsclickour.xyz", "eo-company-abc.online", "efoplin.xyz", "ndisec.net", "ain-relief-728.xyz", "essislotgoal14.xyz", "1ngg4hdiwt5.shop", "avada-ga-20.press", "earing-tests-49842.bond", "dnusaunni05.sbs", "sim-for-travel.today", "lotehupi.shop", "bresz.xyz", "ozyjtmt.christmas", "awersip.xyz", "unihbahis.net", "ndustrialrichmond.best", "isdom-sol.xyz", "iden-paaaa.buzz", "32xa544mg.autos", "ental-health-89041.bond", "uylevothyroxine.online", "olar-installer-job-at-de2.today", "usiness-phone-systems-6543.bond", "77.info", "enaydereli.xyz", "pjn.xxx"]}

Multi AV Scanner detection for submitted file

Source: 97q26I8OtN.exe	ReversingLabs: Detection: 91%
Source: 97q26I8OtN.exe	Virustotal: Detection: 65%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 97q26I8OtN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 97q26I8OtN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: kzmd.pdbSHA256 source: 97q26I8OtN.exe
Source:	Binary string: cmstp.pdbGCTL source: 97q26I8OtN.exe, 00000006.00000002.2375383375.0000000001790000.00000040.10000000.00040000.00000000.sdmp, 97q26I8OtN.exe, 00000006.00000002.2375150898.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: kzmd.pdb source: 97q26I8OtN.exe
Source:	Binary string: wntdll.pdbUGP source: 97q26I8OtN.exe, 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2375836082.0000000004EDC000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2379725763.0000000005089000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 97q26I8OtN.exe, 97q26I8OtN.exe, 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2375836082.0000000004EDC000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2379725763.0000000005089000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: 97q26I8OtN.exe, 00000006.00000002.2375383375.0000000001790000.00000040.10000000.00040000.00000000.sdmp, 97q26I8OtN.exe, 00000006.00000002.2375150898.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CAB3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW,		9_2_00CAB3C4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CA894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,		9_2_00CA894B

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 4x nop then pop esi	6_2_004172E6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 4x nop then pop ebx	6_2_00407B23
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop esi	9_2_032D72E6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop ebx	9_2_032C7B23

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.xhibitonenotary.info/t18n/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.enaydereli.xyz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.ental-health-89041.bond
Source: global traffic	DNS traffic detected: DNS query: www.sphaltpaving-ttp1-shd-us-2.shop
Source: global traffic	DNS traffic detected: DNS query: www.killsnexis.info
Source: global traffic	DNS traffic detected: DNS query: www.enaydereli.xyz
Source: global traffic	DNS traffic detected: DNS query: www.hekindclub.net

Source: explorer.exe, 00000007.00000002.3524143003.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3524143003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000002.3524143003.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3524143003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.3524143003.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3524143003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000002.3524143003.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3524143003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.3524143003.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000002.3522509548.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3522479463.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2307200163.00000000028A0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 97q26I8OtN.exe, 00000000.00000002.2306586112.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 97q26I8OtN.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsdQdelete
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bresz.xyz
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bresz.xyz/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bresz.xyz/t18n/www.ental-health-89041.bond
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bresz.xyzReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.destramentoemcasa.shop
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.destramentoemcasa.shop/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.destramentoemcasa.shop/t18n/www.pacerpa.shop
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.destramentoemcasa.shopReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.efoplin.xyz
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.efoplin.xyz/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.efoplin.xyz/t18n/e
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.efoplin.xyzReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enaydereli.xyz
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enaydereli.xyz/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enaydereli.xyz/t18n/www.hekindclub.net
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enaydereli.xyzReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ental-health-89041.bond
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ental-health-89041.bond/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ental-health-89041.bond/t18n/www.sphaltpaving-ttp1-shd-us-2.shop
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ental-health-89041.bondReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.entalcar-onlineservices.lol
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.entalcar-onlineservices.lol/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.entalcar-onlineservices.lol/t18n/www.hop-gb.sbs
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.entalcar-onlineservices.lolReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hekindclub.net
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hekindclub.net/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hekindclub.net/t18n/www.raipsehumus.homes
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hekindclub.netReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hop-gb.sbs
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hop-gb.sbs/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hop-gb.sbs/t18n/www.olar-installer-job-at-de2.today
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hop-gb.sbsReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iewunucierwuerwnziqi1.info
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iewunucierwuerwnziqi1.info/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iewunucierwuerwnziqi1.info/t18n/www.entalcar-onlineservices.lol
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iewunucierwuerwnziqi1.infoReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.killsnexis.info
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.killsnexis.info/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.killsnexis.info/t18n/www.enaydereli.xyz
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.killsnexis.infoReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olar-installer-job-at-de2.today
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olar-installer-job-at-de2.today/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olar-installer-job-at-de2.today/t18n/www.xhibitonenotary.info
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olar-installer-job-at-de2.todayReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pacerpa.shop
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pacerpa.shop/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pacerpa.shop/t18n/www.efoplin.xyz
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pacerpa.shopReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.raipsehumus.homes
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.raipsehumus.homes/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.raipsehumus.homes/t18n/www.iewunucierwuerwnziqi1.info
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.raipsehumus.homesReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sphaltpaving-ttp1-shd-us-2.shop
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sphaltpaving-ttp1-shd-us-2.shop/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sphaltpaving-ttp1-shd-us-2.shop/t18n/www.killsnexis.info
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sphaltpaving-ttp1-shd-us-2.shopReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.unihbahis.net
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.unihbahis.net/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.unihbahis.net/t18n/www.destramentoemcasa.shop
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.unihbahis.netReferer:
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhibitonenotary.info
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhibitonenotary.info/t18n/
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhibitonenotary.info/t18n/www.unihbahis.net
Source: explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhibitonenotary.infoReferer:
Source: explorer.exe, 00000007.00000000.2321567000.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000007.00000000.2325858407.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3530151026.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.3524143003.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000002.3524143003.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000007.00000002.3524143003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.3524143003.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3524143003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.3524143003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000007.00000002.3530151026.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2325858407.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000007.00000002.3530151026.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2325858407.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000007.00000000.2325858407.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3530151026.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.2321567000.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979585604.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3524846046.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000007.00000002.3530151026.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2325858407.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3533475165.000000000E306000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 97q26I8OtN.exe PID: 2536, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: 97q26I8OtN.exe PID: 7072, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: cmstp.exe PID: 5256, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041A330 NtCreateFile,	6_2_0041A330
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041A3E0 NtReadFile,	6_2_0041A3E0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041A460 NtClose,	6_2_0041A460
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041A510 NtAllocateVirtualMemory,	6_2_0041A510
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041A3DD NtReadFile,	6_2_0041A3DD
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041A382 NtCreateFile,	6_2_0041A382
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041A45A NtClose,	6_2_0041A45A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041A58B NtAllocateVirtualMemory,	6_2_0041A58B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_018A2BF0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2B60 NtClose,LdrInitializeThunk,	6_2_018A2B60
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2AD0 NtReadFile,LdrInitializeThunk,	6_2_018A2AD0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_018A2DD0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_018A2DF0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_018A2D10
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_018A2D30
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_018A2CA0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_018A2C70
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_018A2F90
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2FB0 NtResumeThread,LdrInitializeThunk,	6_2_018A2FB0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2FE0 NtCreateFile,LdrInitializeThunk,	6_2_018A2FE0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2F30 NtCreateSection,LdrInitializeThunk,	6_2_018A2F30
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_018A2E80
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_018A2EA0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A3090 NtSetValueKey,	6_2_018A3090
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A3010 NtOpenDirectoryObject,	6_2_018A3010
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A4340 NtSetContextThread,	6_2_018A4340
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A35C0 NtCreateMutant,	6_2_018A35C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A4650 NtSuspendThread,	6_2_018A4650
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A39B0 NtGetContextThread,	6_2_018A39B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2B80 NtQueryInformationFile,	6_2_018A2B80
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2BA0 NtEnumerateValueKey,	6_2_018A2BA0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2BE0 NtQueryValueKey,	6_2_018A2BE0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2AB0 NtWaitForSingleObject,	6_2_018A2AB0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2AF0 NtWriteFile,	6_2_018A2AF0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2DB0 NtEnumerateKey,	6_2_018A2DB0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2D00 NtSetInformationFile,	6_2_018A2D00
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A3D10 NtOpenProcessToken,	6_2_018A3D10
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A3D70 NtOpenThread,	6_2_018A3D70
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2CC0 NtQueryVirtualMemory,	6_2_018A2CC0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2CF0 NtOpenProcess,	6_2_018A2CF0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2C00 NtQueryInformationProcess,	6_2_018A2C00
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2C60 NtCreateKey,	6_2_018A2C60
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2FA0 NtQuerySection,	6_2_018A2FA0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2F60 NtCreateProcessEx,	6_2_018A2F60
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2EE0 NtQueueApcThread,	6_2_018A2EE0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A2E30 NtWriteVirtualMemory,	6_2_018A2E30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2EE232 NtCreateFile,	7_2_0E2EE232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2EFE12 NtProtectVirtualMemory,	7_2_0E2EFE12
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2EFE0A NtProtectVirtualMemory,	7_2_0E2EFE0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_052A2D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_052A2DF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2DD0 NtDelayExecution,LdrInitializeThunk,	9_2_052A2DD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2C60 NtCreateKey,LdrInitializeThunk,	9_2_052A2C60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_052A2C70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_052A2CA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2F30 NtCreateSection,LdrInitializeThunk,	9_2_052A2F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2FE0 NtCreateFile,LdrInitializeThunk,	9_2_052A2FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_052A2EA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2B60 NtClose,LdrInitializeThunk,	9_2_052A2B60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2BE0 NtQueryValueKey,LdrInitializeThunk,	9_2_052A2BE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_052A2BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2AD0 NtReadFile,LdrInitializeThunk,	9_2_052A2AD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A35C0 NtCreateMutant,LdrInitializeThunk,	9_2_052A35C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A4650 NtSuspendThread,	9_2_052A4650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A4340 NtSetContextThread,	9_2_052A4340
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2D30 NtUnmapViewOfSection,	9_2_052A2D30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2D00 NtSetInformationFile,	9_2_052A2D00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2DB0 NtEnumerateKey,	9_2_052A2DB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2C00 NtQueryInformationProcess,	9_2_052A2C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2CF0 NtOpenProcess,	9_2_052A2CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2CC0 NtQueryVirtualMemory,	9_2_052A2CC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2F60 NtCreateProcessEx,	9_2_052A2F60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2FA0 NtQuerySection,	9_2_052A2FA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2FB0 NtResumeThread,	9_2_052A2FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2F90 NtProtectVirtualMemory,	9_2_052A2F90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2E30 NtWriteVirtualMemory,	9_2_052A2E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2E80 NtReadVirtualMemory,	9_2_052A2E80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2EE0 NtQueueApcThread,	9_2_052A2EE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2BA0 NtEnumerateValueKey,	9_2_052A2BA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2B80 NtQueryInformationFile,	9_2_052A2B80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2AB0 NtWaitForSingleObject,	9_2_052A2AB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A2AF0 NtWriteFile,	9_2_052A2AF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A3010 NtOpenDirectoryObject,	9_2_052A3010
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A3090 NtSetValueKey,	9_2_052A3090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A3D10 NtOpenProcessToken,	9_2_052A3D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A3D70 NtOpenThread,	9_2_052A3D70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A39B0 NtGetContextThread,	9_2_052A39B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DA330 NtCreateFile,	9_2_032DA330
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DA3E0 NtReadFile,	9_2_032DA3E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DA510 NtAllocateVirtualMemory,	9_2_032DA510
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DA460 NtClose,	9_2_032DA460
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DA382 NtCreateFile,	9_2_032DA382
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DA3DD NtReadFile,	9_2_032DA3DD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DA58B NtAllocateVirtualMemory,	9_2_032DA58B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DA45A NtClose,	9_2_032DA45A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0514A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	9_2_0514A036
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05149BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	9_2_05149BAF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0514A042 NtQueryInformationProcess,	9_2_0514A042
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05149BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_05149BB2

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 0_2_052AD5BC	0_2_052AD5BC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 0_2_08ED84E8	0_2_08ED84E8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 0_2_08EDF9E0	0_2_08EDF9E0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 0_2_08EDF5A2	0_2_08EDF5A2
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041EB99	6_2_0041EB99
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041DC3D	6_2_0041DC3D
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041E549	6_2_0041E549
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_00409E5C	6_2_00409E5C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041D6BC	6_2_0041D6BC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041DF7D	6_2_0041DF7D
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041E7AE	6_2_0041E7AE
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187B1B0	6_2_0187B1B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019301AA	6_2_019301AA
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019281CC	6_2_019281CC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01860100	6_2_01860100
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190A118	6_2_0190A118
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F8158	6_2_018F8158
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A516C	6_2_018A516C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0193B16B	6_2_0193B16B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191F0CC	6_2_0191F0CC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192F0E0	6_2_0192F0E0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019270E9	6_2_019270E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018B739A	6_2_018B739A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019303E6	6_2_019303E6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187E3F0	6_2_0187E3F0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192132D	6_2_0192132D
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192A352	6_2_0192A352
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185D34C	6_2_0185D34C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018752A0	6_2_018752A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B2C0	6_2_0188B2C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F02C0	6_2_018F02C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01930591	6_2_01930591
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190D5B0	6_2_0190D5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870535	6_2_01870535
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01927571	6_2_01927571
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191E4F6	6_2_0191E4F6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192F43F	6_2_0192F43F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01922446	6_2_01922446
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01861460	6_2_01861460
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192F7B0	6_2_0192F7B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186C7C0	6_2_0186C7C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01894750	6_2_01894750
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870770	6_2_01870770
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019216CC	6_2_019216CC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188C6E0	6_2_0188C6E0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018729A0	6_2_018729A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0193A9A6	6_2_0193A9A6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01879950	6_2_01879950
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B950	6_2_0188B950
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01886962	6_2_01886962
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018568B8	6_2_018568B8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018738E0	6_2_018738E0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189E8F0	6_2_0189E8F0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DD800	6_2_018DD800
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01872840	6_2_01872840
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187A840	6_2_0187A840
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188FB80	6_2_0188FB80
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01926BD7	6_2_01926BD7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018ADBF9	6_2_018ADBF9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E5BF0	6_2_018E5BF0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192AB40	6_2_0192AB40
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192FB76	6_2_0192FB76
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186EA80	6_2_0186EA80
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018B5AA0	6_2_018B5AA0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190DAAC	6_2_0190DAAC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191DAC6	6_2_0191DAC6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01927A46	6_2_01927A46
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192FA49	6_2_0192FA49
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E3A6C	6_2_018E3A6C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01888DBF	6_2_01888DBF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188FDC0	6_2_0188FDC0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186ADE0	6_2_0186ADE0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187AD00	6_2_0187AD00
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01873D40	6_2_01873D40
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01921D5A	6_2_01921D5A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01927D73	6_2_01927D73
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910CB5	6_2_01910CB5
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192FCF2	6_2_0192FCF2
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01860CF2	6_2_01860CF2
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870C00	6_2_01870C00
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E9C32	6_2_018E9C32
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871F92	6_2_01871F92
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192FFB1	6_2_0192FFB1
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018EEFA0	6_2_018EEFA0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01862FC8	6_2_01862FC8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187CFE0	6_2_0187CFE0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192FF09	6_2_0192FF09
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018B2F28	6_2_018B2F28
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01890F30	6_2_01890F30
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E4F40	6_2_018E4F40
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192CE93	6_2_0192CE93
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01882E90	6_2_01882E90
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01879EB0	6_2_01879EB0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192EEDB	6_2_0192EEDB
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192EE26	6_2_0192EE26
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870E59	6_2_01870E59
Source: C:\Windows\explorer.exe	Code function: 7_2_0E085232	7_2_0E085232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E07FB32	7_2_0E07FB32
Source: C:\Windows\explorer.exe	Code function: 7_2_0E07FB30	7_2_0E07FB30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E084036	7_2_0E084036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E07B082	7_2_0E07B082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E07CD02	7_2_0E07CD02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E082912	7_2_0E082912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0885CD	7_2_0E0885CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2EE232	7_2_0E2EE232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2ED036	7_2_0E2ED036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2E4082	7_2_0E2E4082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2E8B32	7_2_0E2E8B32
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2E8B30	7_2_0E2E8B30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2E5D02	7_2_0E2E5D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2EB912	7_2_0E2EB912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2F15CD	7_2_0E2F15CD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CAB634	9_2_00CAB634
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05270535	9_2_05270535
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05330591	9_2_05330591
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05314420	9_2_05314420
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05322446	9_2_05322446
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0531E4F6	9_2_0531E4F6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05270770	9_2_05270770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05294750	9_2_05294750
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0526C7C0	9_2_0526C7C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0528C6E0	9_2_0528C6E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05260100	9_2_05260100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0530A118	9_2_0530A118
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052F8158	9_2_052F8158
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_053241A2	9_2_053241A2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_053301AA	9_2_053301AA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_053281CC	9_2_053281CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05302000	9_2_05302000
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532A352	9_2_0532A352
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_053303E6	9_2_053303E6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0527E3F0	9_2_0527E3F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05310274	9_2_05310274
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052F02C0	9_2_052F02C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0527AD00	9_2_0527AD00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0530CD1F	9_2_0530CD1F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05288DBF	9_2_05288DBF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0526ADE0	9_2_0526ADE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05270C00	9_2_05270C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05310CB5	9_2_05310CB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05260CF2	9_2_05260CF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05312F30	9_2_05312F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052B2F28	9_2_052B2F28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05290F30	9_2_05290F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052E4F40	9_2_052E4F40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052EEFA0	9_2_052EEFA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0527CFE0	9_2_0527CFE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05262FC8	9_2_05262FC8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532EE26	9_2_0532EE26
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05270E59	9_2_05270E59
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532CE93	9_2_0532CE93
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05282E90	9_2_05282E90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532EEDB	9_2_0532EEDB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05286962	9_2_05286962
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052729A0	9_2_052729A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0533A9A6	9_2_0533A9A6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05272840	9_2_05272840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0527A840	9_2_0527A840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052568B8	9_2_052568B8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0529E8F0	9_2_0529E8F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532AB40	9_2_0532AB40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05326BD7	9_2_05326BD7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0526EA80	9_2_0526EA80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05327571	9_2_05327571
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0530D5B0	9_2_0530D5B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532F43F	9_2_0532F43F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05261460	9_2_05261460
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532F7B0	9_2_0532F7B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052B5630	9_2_052B5630
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_053216CC	9_2_053216CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052A516C	9_2_052A516C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0525F172	9_2_0525F172
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0533B16B	9_2_0533B16B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0527B1B0	9_2_0527B1B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532F0E0	9_2_0532F0E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_053270E9	9_2_053270E9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052770C0	9_2_052770C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0531F0CC	9_2_0531F0CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532132D	9_2_0532132D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0525D34C	9_2_0525D34C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052B739A	9_2_052B739A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052752A0	9_2_052752A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_053112ED	9_2_053112ED
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0528B2C0	9_2_0528B2C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05327D73	9_2_05327D73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05273D40	9_2_05273D40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05321D5A	9_2_05321D5A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0528FDC0	9_2_0528FDC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052E9C32	9_2_052E9C32
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532FCF2	9_2_0532FCF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532FF09	9_2_0532FF09
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532FFB1	9_2_0532FFB1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05271F92	9_2_05271F92
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05279EB0	9_2_05279EB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05305910	9_2_05305910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05279950	9_2_05279950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0528B950	9_2_0528B950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052DD800	9_2_052DD800
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052738E0	9_2_052738E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532FB76	9_2_0532FB76
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0528FB80	9_2_0528FB80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052ADBF9	9_2_052ADBF9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052E5BF0	9_2_052E5BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052E3A6C	9_2_052E3A6C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05327A46	9_2_05327A46
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0532FA49	9_2_0532FA49
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052B5AA0	9_2_052B5AA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05311AA3	9_2_05311AA3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0530DAAC	9_2_0530DAAC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0531DAC6	9_2_0531DAC6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DE7AE	9_2_032DE7AE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DE549	9_2_032DE549
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DEB99	9_2_032DEB99
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032C2FB0	9_2_032C2FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032C9E60	9_2_032C9E60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032C9E5C	9_2_032C9E5C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032C2D90	9_2_032C2D90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0514A036	9_2_0514A036
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05142D02	9_2_05142D02
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0514E5CD	9_2_0514E5CD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05148912	9_2_05148912
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05141082	9_2_05141082
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05145B30	9_2_05145B30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_05145B32	9_2_05145B32
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0514B232	9_2_0514B232

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 052DEA12 appears 86 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 052B7E54 appears 111 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 0525B970 appears 280 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 00CAE951 appears 100 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 052A5130 appears 58 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 052EF290 appears 105 times
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: String function: 018A5130 appears 36 times
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: String function: 018EF290 appears 105 times
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: String function: 018DEA12 appears 86 times
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: String function: 018B7E54 appears 98 times
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: String function: 0185B970 appears 272 times

Source: 97q26I8OtN.exe, 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 97q26I8OtN.exe
Source: 97q26I8OtN.exe, 00000000.00000002.2314047537.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 97q26I8OtN.exe
Source: 97q26I8OtN.exe, 00000000.00000002.2315242966.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs 97q26I8OtN.exe
Source: 97q26I8OtN.exe, 00000000.00000000.2277235282.0000000000B0E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekzmd.exe8 vs 97q26I8OtN.exe
Source: 97q26I8OtN.exe, 00000000.00000002.2289666354.000000000115E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 97q26I8OtN.exe
Source: 97q26I8OtN.exe, 00000006.00000002.2375383375.0000000001790000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs 97q26I8OtN.exe
Source: 97q26I8OtN.exe, 00000006.00000002.2375150898.00000000013D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs 97q26I8OtN.exe
Source: 97q26I8OtN.exe, 00000006.00000002.2375435011.000000000195D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 97q26I8OtN.exe
Source: 97q26I8OtN.exe	Binary or memory string: OriginalFilenamekzmd.exe8 vs 97q26I8OtN.exe

Source: 97q26I8OtN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3533475165.000000000E306000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 97q26I8OtN.exe PID: 2536, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 97q26I8OtN.exe PID: 7072, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: cmstp.exe PID: 5256, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 97q26I8OtN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/6@5/0

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00CA8F05 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,InitiateSystemShutdownW,AdjustTokenPrivileges,CloseHandle,

9_2_00CA8F05

Source: C:\Users\user\Desktop\97q26I8OtN.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\97q26I8OtN.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fsttans.nxw.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Command line argument: kernel32.dll

9_2_00CA6052

Source: 97q26I8OtN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 97q26I8OtN.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\97q26I8OtN.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 97q26I8OtN.exe	ReversingLabs: Detection: 91%
Source: 97q26I8OtN.exe	Virustotal: Detection: 65%

Source: cmstp.exe	String found in binary or memory: /k certutil.exe -f -enterprise -v -addstore Root "%s"
Source: 97q26I8OtN.exe	String found in binary or memory: -Add Fertilizer Details
Source: 97q26I8OtN.exe	String found in binary or memory: /Add Transaction Details!Transaction Name!Transaction Type/Transaction Description

Source: unknown	Process created: C:\Users\user\Desktop\97q26I8OtN.exe "C:\Users\user\Desktop\97q26I8OtN.exe"
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Users\user\Desktop\97q26I8OtN.exe "C:\Users\user\Desktop\97q26I8OtN.exe"
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Users\user\Desktop\97q26I8OtN.exe "C:\Users\user\Desktop\97q26I8OtN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\97q26I8OtN.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Users\user\Desktop\97q26I8OtN.exe "C:\Users\user\Desktop\97q26I8OtN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Users\user\Desktop\97q26I8OtN.exe "C:\Users\user\Desktop\97q26I8OtN.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\97q26I8OtN.exe"	Jump to behavior

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\97q26I8OtN.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 97q26I8OtN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 97q26I8OtN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 97q26I8OtN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: kzmd.pdbSHA256 source: 97q26I8OtN.exe
Source:	Binary string: cmstp.pdbGCTL source: 97q26I8OtN.exe, 00000006.00000002.2375383375.0000000001790000.00000040.10000000.00040000.00000000.sdmp, 97q26I8OtN.exe, 00000006.00000002.2375150898.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: kzmd.pdb source: 97q26I8OtN.exe
Source:	Binary string: wntdll.pdbUGP source: 97q26I8OtN.exe, 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2375836082.0000000004EDC000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2379725763.0000000005089000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 97q26I8OtN.exe, 97q26I8OtN.exe, 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2375836082.0000000004EDC000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2379725763.0000000005089000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: 97q26I8OtN.exe, 00000006.00000002.2375383375.0000000001790000.00000040.10000000.00040000.00000000.sdmp, 97q26I8OtN.exe, 00000006.00000002.2375150898.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp

Source: 97q26I8OtN.exe

Static PE information: 0x99709B7A [Sun Jul 30 01:38:02 2051 UTC]

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041F00F push edi; ret	6_2_0041F011
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_00401174 push ebp; retf	6_2_00401175
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041EB99 push ebp; ret	6_2_0041EE10
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041D4D2 push eax; ret	6_2_0041D4D8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041D4DB push eax; ret	6_2_0041D542
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041D485 push eax; ret	6_2_0041D4D8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041D53C push eax; ret	6_2_0041D542
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0041C6D2 push esp; ret	6_2_0041C6D3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018609AD push ecx; mov dword ptr [esp], ecx	6_2_018609B6
Source: C:\Windows\explorer.exe	Code function: 7_2_0E088B02 push esp; retn 0000h	7_2_0E088B03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E088B1E push esp; retn 0000h	7_2_0E088B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0889B5 push esp; retn 0000h	7_2_0E088AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2F1B02 push esp; retn 0000h	7_2_0E2F1B03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2F1B1E push esp; retn 0000h	7_2_0E2F1B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0E2F19B5 push esp; retn 0000h	7_2_0E2F1AE7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CB1A3D push ecx; ret	9_2_00CB1A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_052609AD push ecx; mov dword ptr [esp], ecx	9_2_052609B6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DF00F push edi; ret	9_2_032DF011
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DC6D2 push esp; ret	9_2_032DC6D3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DD53C push eax; ret	9_2_032DD542
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DD485 push eax; ret	9_2_032DD4D8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DD4DB push eax; ret	9_2_032DD542
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DD4D2 push eax; ret	9_2_032DD4D8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DEB99 push ebp; ret	9_2_032DEE10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_032DD91A push esp; ret	9_2_032DD91B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0514E9B5 push esp; retn 0000h	9_2_0514EAE7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0514EB1E push esp; retn 0000h	9_2_0514EB1F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0514EB02 push esp; retn 0000h	9_2_0514EB03

Source: 97q26I8OtN.exe

Static PE information: section name: .text entropy: 7.4949352527964646

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CAA6EE GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,lstrlenW,lstrlenW,lstrlenW,LoadStringW,LoadStringW,MessageBoxW,LoadStringW,GetSystemDirectoryW,LoadStringW,MessageBoxW,	9_2_00CAA6EE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CA5DEC memset,GetPrivateProfileStringW,GetModuleHandleA,GetProcAddress,GetCurrentProcess,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetProcAddress,GetProcAddress,FreeLibrary,	9_2_00CA5DEC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CACAB4 GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,CmFree,	9_2_00CACAB4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CAA068 memset,memset,RegOpenKeyExW,RegQueryValueExW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,LoadStringW,MessageBoxW,GetSystemDirectoryW,	9_2_00CAA068
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CAA47F RegOpenKeyExW,RegQueryValueExW,GetPrivateProfileIntW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,	9_2_00CAA47F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CADD1E memset,memset,memset,memset,LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,lstrlenW,memset,lstrlenW,lstrlenW,RegSetValueExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,CreateFileW,CloseHandle,CmFree,CmFree,GetPrivateProfileIntW,SetFileAttributesW,SHFileOperationW,RegCloseKey,RegCloseKey,	9_2_00CADD1E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CAD233 RegOpenKeyExW,GetPrivateProfileIntW,GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,memset,RegEnumValueW,RegCloseKey,	9_2_00CAD233
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CAB634 LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,LoadStringW,MessageBoxW,CmFree,CmFree,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadStringW,MessageBoxW,memset,memset,memset,RegOpenKeyExW,RegQueryValueExW,ExpandEnvironmentStringsW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,LoadStringW,RegCreateKeyW,lstrlenW,RegSetValueExW,LoadStringW,MessageBoxW,RegCloseKey,RegCloseKey,memset,memset,CopyFileW,LoadStringW,MessageBoxW,GetOSVersion,GetOSMajorVersion,CmMalloc,memset,CmFree,CmMalloc,memset,GetLastError,CmFree,lstrlenW,CmMalloc,lstrlenW,CmFree,CmFree,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,LoadStringW,MessageBoxExW,CmMalloc,memset,CmFree,CmMalloc,	9_2_00CAB634

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE7

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 97q26I8OtN.exe PID: 2536, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\97q26I8OtN.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Users\user\Desktop\97q26I8OtN.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Users\user\Desktop\97q26I8OtN.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Users\user\Desktop\97q26I8OtN.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Users\user\Desktop\97q26I8OtN.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\97q26I8OtN.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\97q26I8OtN.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 32C9904 second address: 32C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 32C9B7E second address: 32C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Memory allocated: 8EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Memory allocated: 9EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Memory allocated: A0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Memory allocated: B0E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5376	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4383	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9832	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 864	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 7002	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 2968	Jump to behavior

Source: C:\Users\user\Desktop\97q26I8OtN.exe	API coverage: 1.8 %
Source: C:\Windows\SysWOW64\cmstp.exe	API coverage: 1.6 %

Source: C:\Users\user\Desktop\97q26I8OtN.exe TID: 4776	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3556	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5840	Thread sleep count: 9832 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5840	Thread sleep time: -19664000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5840	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5840	Thread sleep time: -202000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4632	Thread sleep count: 7002 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4632	Thread sleep time: -14004000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4632	Thread sleep count: 2968 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4632	Thread sleep time: -5936000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CAB3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW,		9_2_00CAB3C4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CA894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,		9_2_00CA894B

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00CAF80E GetSystemInfo,GetVersionExW,

9_2_00CAF80E

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000007.00000002.3524143003.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000007.00000003.2979585604.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000002.3524143003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000007.00000000.2321567000.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000007.00000002.3524143003.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000007.00000002.3516982177.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.3516982177.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000007.00000002.3524143003.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000000.2321567000.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000007.00000002.3516982177.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000000.2321567000.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000007.00000002.3516982177.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A0185 mov eax, dword ptr fs:[00000030h]	6_2_018A0185
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E019F mov eax, dword ptr fs:[00000030h]	6_2_018E019F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E019F mov eax, dword ptr fs:[00000030h]	6_2_018E019F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E019F mov eax, dword ptr fs:[00000030h]	6_2_018E019F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E019F mov eax, dword ptr fs:[00000030h]	6_2_018E019F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185A197 mov eax, dword ptr fs:[00000030h]	6_2_0185A197
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185A197 mov eax, dword ptr fs:[00000030h]	6_2_0185A197
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185A197 mov eax, dword ptr fs:[00000030h]	6_2_0185A197
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191C188 mov eax, dword ptr fs:[00000030h]	6_2_0191C188
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191C188 mov eax, dword ptr fs:[00000030h]	6_2_0191C188
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018B7190 mov eax, dword ptr fs:[00000030h]	6_2_018B7190
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019111A4 mov eax, dword ptr fs:[00000030h]	6_2_019111A4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019111A4 mov eax, dword ptr fs:[00000030h]	6_2_019111A4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019111A4 mov eax, dword ptr fs:[00000030h]	6_2_019111A4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019111A4 mov eax, dword ptr fs:[00000030h]	6_2_019111A4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187B1B0 mov eax, dword ptr fs:[00000030h]	6_2_0187B1B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019261C3 mov eax, dword ptr fs:[00000030h]	6_2_019261C3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019261C3 mov eax, dword ptr fs:[00000030h]	6_2_019261C3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019351CB mov eax, dword ptr fs:[00000030h]	6_2_019351CB
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189D1D0 mov eax, dword ptr fs:[00000030h]	6_2_0189D1D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189D1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0189D1D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_018DE1D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_018DE1D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DE1D0 mov ecx, dword ptr fs:[00000030h]	6_2_018DE1D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_018DE1D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_018DE1D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018851EF mov eax, dword ptr fs:[00000030h]	6_2_018851EF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019071F9 mov esi, dword ptr fs:[00000030h]	6_2_019071F9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018651ED mov eax, dword ptr fs:[00000030h]	6_2_018651ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018901F8 mov eax, dword ptr fs:[00000030h]	6_2_018901F8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019361E5 mov eax, dword ptr fs:[00000030h]	6_2_019361E5
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01920115 mov eax, dword ptr fs:[00000030h]	6_2_01920115
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190A118 mov ecx, dword ptr fs:[00000030h]	6_2_0190A118
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190A118 mov eax, dword ptr fs:[00000030h]	6_2_0190A118
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190A118 mov eax, dword ptr fs:[00000030h]	6_2_0190A118
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190A118 mov eax, dword ptr fs:[00000030h]	6_2_0190A118
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01890124 mov eax, dword ptr fs:[00000030h]	6_2_01890124
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185B136 mov eax, dword ptr fs:[00000030h]	6_2_0185B136
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185B136 mov eax, dword ptr fs:[00000030h]	6_2_0185B136
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185B136 mov eax, dword ptr fs:[00000030h]	6_2_0185B136
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185B136 mov eax, dword ptr fs:[00000030h]	6_2_0185B136
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01861131 mov eax, dword ptr fs:[00000030h]	6_2_01861131
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01861131 mov eax, dword ptr fs:[00000030h]	6_2_01861131
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01935152 mov eax, dword ptr fs:[00000030h]	6_2_01935152
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F4144 mov eax, dword ptr fs:[00000030h]	6_2_018F4144
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F4144 mov eax, dword ptr fs:[00000030h]	6_2_018F4144
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F4144 mov ecx, dword ptr fs:[00000030h]	6_2_018F4144
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F4144 mov eax, dword ptr fs:[00000030h]	6_2_018F4144
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F4144 mov eax, dword ptr fs:[00000030h]	6_2_018F4144
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01859148 mov eax, dword ptr fs:[00000030h]	6_2_01859148
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01859148 mov eax, dword ptr fs:[00000030h]	6_2_01859148
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01859148 mov eax, dword ptr fs:[00000030h]	6_2_01859148
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01859148 mov eax, dword ptr fs:[00000030h]	6_2_01859148
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F3140 mov eax, dword ptr fs:[00000030h]	6_2_018F3140
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F3140 mov eax, dword ptr fs:[00000030h]	6_2_018F3140
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F3140 mov eax, dword ptr fs:[00000030h]	6_2_018F3140
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01866154 mov eax, dword ptr fs:[00000030h]	6_2_01866154
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01866154 mov eax, dword ptr fs:[00000030h]	6_2_01866154
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185C156 mov eax, dword ptr fs:[00000030h]	6_2_0185C156
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01867152 mov eax, dword ptr fs:[00000030h]	6_2_01867152
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F8158 mov eax, dword ptr fs:[00000030h]	6_2_018F8158
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F9179 mov eax, dword ptr fs:[00000030h]	6_2_018F9179
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185F172 mov eax, dword ptr fs:[00000030h]	6_2_0185F172
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185D08D mov eax, dword ptr fs:[00000030h]	6_2_0185D08D
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186208A mov eax, dword ptr fs:[00000030h]	6_2_0186208A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018ED080 mov eax, dword ptr fs:[00000030h]	6_2_018ED080
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018ED080 mov eax, dword ptr fs:[00000030h]	6_2_018ED080
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01865096 mov eax, dword ptr fs:[00000030h]	6_2_01865096
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189909C mov eax, dword ptr fs:[00000030h]	6_2_0189909C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188D090 mov eax, dword ptr fs:[00000030h]	6_2_0188D090
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188D090 mov eax, dword ptr fs:[00000030h]	6_2_0188D090
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F80A8 mov eax, dword ptr fs:[00000030h]	6_2_018F80A8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019260B8 mov eax, dword ptr fs:[00000030h]	6_2_019260B8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019260B8 mov ecx, dword ptr fs:[00000030h]	6_2_019260B8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov ecx, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov ecx, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov ecx, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov ecx, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018770C0 mov eax, dword ptr fs:[00000030h]	6_2_018770C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019350D9 mov eax, dword ptr fs:[00000030h]	6_2_019350D9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DD0C0 mov eax, dword ptr fs:[00000030h]	6_2_018DD0C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DD0C0 mov eax, dword ptr fs:[00000030h]	6_2_018DD0C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E20DE mov eax, dword ptr fs:[00000030h]	6_2_018E20DE
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018890DB mov eax, dword ptr fs:[00000030h]	6_2_018890DB
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0185A0E3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018850E4 mov eax, dword ptr fs:[00000030h]	6_2_018850E4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018850E4 mov ecx, dword ptr fs:[00000030h]	6_2_018850E4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E60E0 mov eax, dword ptr fs:[00000030h]	6_2_018E60E0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018680E9 mov eax, dword ptr fs:[00000030h]	6_2_018680E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0185C0F0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A20F0 mov ecx, dword ptr fs:[00000030h]	6_2_018A20F0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E4000 mov ecx, dword ptr fs:[00000030h]	6_2_018E4000
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187E016 mov eax, dword ptr fs:[00000030h]	6_2_0187E016
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187E016 mov eax, dword ptr fs:[00000030h]	6_2_0187E016
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187E016 mov eax, dword ptr fs:[00000030h]	6_2_0187E016
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187E016 mov eax, dword ptr fs:[00000030h]	6_2_0187E016
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185A020 mov eax, dword ptr fs:[00000030h]	6_2_0185A020
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185C020 mov eax, dword ptr fs:[00000030h]	6_2_0185C020
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192903E mov eax, dword ptr fs:[00000030h]	6_2_0192903E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192903E mov eax, dword ptr fs:[00000030h]	6_2_0192903E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192903E mov eax, dword ptr fs:[00000030h]	6_2_0192903E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192903E mov eax, dword ptr fs:[00000030h]	6_2_0192903E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F6030 mov eax, dword ptr fs:[00000030h]	6_2_018F6030
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190705E mov ebx, dword ptr fs:[00000030h]	6_2_0190705E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190705E mov eax, dword ptr fs:[00000030h]	6_2_0190705E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01862050 mov eax, dword ptr fs:[00000030h]	6_2_01862050
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B052 mov eax, dword ptr fs:[00000030h]	6_2_0188B052
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E6050 mov eax, dword ptr fs:[00000030h]	6_2_018E6050
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E106E mov eax, dword ptr fs:[00000030h]	6_2_018E106E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01935060 mov eax, dword ptr fs:[00000030h]	6_2_01935060
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov ecx, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01871070 mov eax, dword ptr fs:[00000030h]	6_2_01871070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188C073 mov eax, dword ptr fs:[00000030h]	6_2_0188C073
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DD070 mov ecx, dword ptr fs:[00000030h]	6_2_018DD070
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188438F mov eax, dword ptr fs:[00000030h]	6_2_0188438F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188438F mov eax, dword ptr fs:[00000030h]	6_2_0188438F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185E388 mov eax, dword ptr fs:[00000030h]	6_2_0185E388
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185E388 mov eax, dword ptr fs:[00000030h]	6_2_0185E388
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185E388 mov eax, dword ptr fs:[00000030h]	6_2_0185E388
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0193539D mov eax, dword ptr fs:[00000030h]	6_2_0193539D
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018B739A mov eax, dword ptr fs:[00000030h]	6_2_018B739A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018B739A mov eax, dword ptr fs:[00000030h]	6_2_018B739A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01858397 mov eax, dword ptr fs:[00000030h]	6_2_01858397
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01858397 mov eax, dword ptr fs:[00000030h]	6_2_01858397
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01858397 mov eax, dword ptr fs:[00000030h]	6_2_01858397
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018933A0 mov eax, dword ptr fs:[00000030h]	6_2_018933A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018933A0 mov eax, dword ptr fs:[00000030h]	6_2_018933A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018833A5 mov eax, dword ptr fs:[00000030h]	6_2_018833A5
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191B3D0 mov ecx, dword ptr fs:[00000030h]	6_2_0191B3D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0186A3C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0186A3C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0186A3C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0186A3C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0186A3C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0186A3C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018683C0 mov eax, dword ptr fs:[00000030h]	6_2_018683C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018683C0 mov eax, dword ptr fs:[00000030h]	6_2_018683C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018683C0 mov eax, dword ptr fs:[00000030h]	6_2_018683C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018683C0 mov eax, dword ptr fs:[00000030h]	6_2_018683C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E63C0 mov eax, dword ptr fs:[00000030h]	6_2_018E63C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191C3CD mov eax, dword ptr fs:[00000030h]	6_2_0191C3CD
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018703E9 mov eax, dword ptr fs:[00000030h]	6_2_018703E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018703E9 mov eax, dword ptr fs:[00000030h]	6_2_018703E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018703E9 mov eax, dword ptr fs:[00000030h]	6_2_018703E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018703E9 mov eax, dword ptr fs:[00000030h]	6_2_018703E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018703E9 mov eax, dword ptr fs:[00000030h]	6_2_018703E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018703E9 mov eax, dword ptr fs:[00000030h]	6_2_018703E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018703E9 mov eax, dword ptr fs:[00000030h]	6_2_018703E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018703E9 mov eax, dword ptr fs:[00000030h]	6_2_018703E9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019353FC mov eax, dword ptr fs:[00000030h]	6_2_019353FC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018963FF mov eax, dword ptr fs:[00000030h]	6_2_018963FF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191F3E6 mov eax, dword ptr fs:[00000030h]	6_2_0191F3E6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0187E3F0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0187E3F0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0187E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0187E3F0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189A30B mov eax, dword ptr fs:[00000030h]	6_2_0189A30B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189A30B mov eax, dword ptr fs:[00000030h]	6_2_0189A30B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189A30B mov eax, dword ptr fs:[00000030h]	6_2_0189A30B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E930B mov eax, dword ptr fs:[00000030h]	6_2_018E930B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E930B mov eax, dword ptr fs:[00000030h]	6_2_018E930B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E930B mov eax, dword ptr fs:[00000030h]	6_2_018E930B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185C310 mov ecx, dword ptr fs:[00000030h]	6_2_0185C310
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01880310 mov ecx, dword ptr fs:[00000030h]	6_2_01880310
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F32A mov eax, dword ptr fs:[00000030h]	6_2_0188F32A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01857330 mov eax, dword ptr fs:[00000030h]	6_2_01857330
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192132D mov eax, dword ptr fs:[00000030h]	6_2_0192132D
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192132D mov eax, dword ptr fs:[00000030h]	6_2_0192132D
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192A352 mov eax, dword ptr fs:[00000030h]	6_2_0192A352
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E2349 mov eax, dword ptr fs:[00000030h]	6_2_018E2349
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185D34C mov eax, dword ptr fs:[00000030h]	6_2_0185D34C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185D34C mov eax, dword ptr fs:[00000030h]	6_2_0185D34C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01935341 mov eax, dword ptr fs:[00000030h]	6_2_01935341
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E035C mov eax, dword ptr fs:[00000030h]	6_2_018E035C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E035C mov eax, dword ptr fs:[00000030h]	6_2_018E035C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E035C mov eax, dword ptr fs:[00000030h]	6_2_018E035C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E035C mov ecx, dword ptr fs:[00000030h]	6_2_018E035C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E035C mov eax, dword ptr fs:[00000030h]	6_2_018E035C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E035C mov eax, dword ptr fs:[00000030h]	6_2_018E035C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01859353 mov eax, dword ptr fs:[00000030h]	6_2_01859353
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01859353 mov eax, dword ptr fs:[00000030h]	6_2_01859353
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190437C mov eax, dword ptr fs:[00000030h]	6_2_0190437C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191F367 mov eax, dword ptr fs:[00000030h]	6_2_0191F367
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01867370 mov eax, dword ptr fs:[00000030h]	6_2_01867370
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01867370 mov eax, dword ptr fs:[00000030h]	6_2_01867370
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01867370 mov eax, dword ptr fs:[00000030h]	6_2_01867370
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E0283 mov eax, dword ptr fs:[00000030h]	6_2_018E0283
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E0283 mov eax, dword ptr fs:[00000030h]	6_2_018E0283
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E0283 mov eax, dword ptr fs:[00000030h]	6_2_018E0283
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189E284 mov eax, dword ptr fs:[00000030h]	6_2_0189E284
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189E284 mov eax, dword ptr fs:[00000030h]	6_2_0189E284
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01935283 mov eax, dword ptr fs:[00000030h]	6_2_01935283
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189329E mov eax, dword ptr fs:[00000030h]	6_2_0189329E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189329E mov eax, dword ptr fs:[00000030h]	6_2_0189329E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018752A0 mov eax, dword ptr fs:[00000030h]	6_2_018752A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018752A0 mov eax, dword ptr fs:[00000030h]	6_2_018752A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018752A0 mov eax, dword ptr fs:[00000030h]	6_2_018752A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018752A0 mov eax, dword ptr fs:[00000030h]	6_2_018752A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F62A0 mov eax, dword ptr fs:[00000030h]	6_2_018F62A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F62A0 mov ecx, dword ptr fs:[00000030h]	6_2_018F62A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F62A0 mov eax, dword ptr fs:[00000030h]	6_2_018F62A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F62A0 mov eax, dword ptr fs:[00000030h]	6_2_018F62A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F62A0 mov eax, dword ptr fs:[00000030h]	6_2_018F62A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F62A0 mov eax, dword ptr fs:[00000030h]	6_2_018F62A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F72A0 mov eax, dword ptr fs:[00000030h]	6_2_018F72A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F72A0 mov eax, dword ptr fs:[00000030h]	6_2_018F72A0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E92BC mov eax, dword ptr fs:[00000030h]	6_2_018E92BC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E92BC mov eax, dword ptr fs:[00000030h]	6_2_018E92BC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E92BC mov ecx, dword ptr fs:[00000030h]	6_2_018E92BC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E92BC mov ecx, dword ptr fs:[00000030h]	6_2_018E92BC
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019292A6 mov eax, dword ptr fs:[00000030h]	6_2_019292A6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019292A6 mov eax, dword ptr fs:[00000030h]	6_2_019292A6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019292A6 mov eax, dword ptr fs:[00000030h]	6_2_019292A6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019292A6 mov eax, dword ptr fs:[00000030h]	6_2_019292A6
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018692C5 mov eax, dword ptr fs:[00000030h]	6_2_018692C5
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018692C5 mov eax, dword ptr fs:[00000030h]	6_2_018692C5
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0186A2C3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0186A2C3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0186A2C3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0186A2C3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0186A2C3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0188B2C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0188B2C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0188B2C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0188B2C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0188B2C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0188B2C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0188B2C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185B2D3 mov eax, dword ptr fs:[00000030h]	6_2_0185B2D3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185B2D3 mov eax, dword ptr fs:[00000030h]	6_2_0185B2D3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185B2D3 mov eax, dword ptr fs:[00000030h]	6_2_0185B2D3
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F2D0 mov eax, dword ptr fs:[00000030h]	6_2_0188F2D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F2D0 mov eax, dword ptr fs:[00000030h]	6_2_0188F2D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018702E1 mov eax, dword ptr fs:[00000030h]	6_2_018702E1
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018702E1 mov eax, dword ptr fs:[00000030h]	6_2_018702E1
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018702E1 mov eax, dword ptr fs:[00000030h]	6_2_018702E1
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191F2F8 mov eax, dword ptr fs:[00000030h]	6_2_0191F2F8
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019352E2 mov eax, dword ptr fs:[00000030h]	6_2_019352E2
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018592FF mov eax, dword ptr fs:[00000030h]	6_2_018592FF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019112ED mov eax, dword ptr fs:[00000030h]	6_2_019112ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01897208 mov eax, dword ptr fs:[00000030h]	6_2_01897208
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01897208 mov eax, dword ptr fs:[00000030h]	6_2_01897208
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01935227 mov eax, dword ptr fs:[00000030h]	6_2_01935227
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185823B mov eax, dword ptr fs:[00000030h]	6_2_0185823B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189724D mov eax, dword ptr fs:[00000030h]	6_2_0189724D
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01859240 mov eax, dword ptr fs:[00000030h]	6_2_01859240
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01859240 mov eax, dword ptr fs:[00000030h]	6_2_01859240
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191B256 mov eax, dword ptr fs:[00000030h]	6_2_0191B256
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191B256 mov eax, dword ptr fs:[00000030h]	6_2_0191B256
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E8243 mov eax, dword ptr fs:[00000030h]	6_2_018E8243
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E8243 mov ecx, dword ptr fs:[00000030h]	6_2_018E8243
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185A250 mov eax, dword ptr fs:[00000030h]	6_2_0185A250
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018ED250 mov ecx, dword ptr fs:[00000030h]	6_2_018ED250
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01866259 mov eax, dword ptr fs:[00000030h]	6_2_01866259
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01910274 mov eax, dword ptr fs:[00000030h]	6_2_01910274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01864260 mov eax, dword ptr fs:[00000030h]	6_2_01864260
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01864260 mov eax, dword ptr fs:[00000030h]	6_2_01864260
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01864260 mov eax, dword ptr fs:[00000030h]	6_2_01864260
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185826B mov eax, dword ptr fs:[00000030h]	6_2_0185826B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192D26B mov eax, dword ptr fs:[00000030h]	6_2_0192D26B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0192D26B mov eax, dword ptr fs:[00000030h]	6_2_0192D26B
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A1270 mov eax, dword ptr fs:[00000030h]	6_2_018A1270
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018A1270 mov eax, dword ptr fs:[00000030h]	6_2_018A1270
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01889274 mov eax, dword ptr fs:[00000030h]	6_2_01889274
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01894588 mov eax, dword ptr fs:[00000030h]	6_2_01894588
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01862582 mov eax, dword ptr fs:[00000030h]	6_2_01862582
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01862582 mov ecx, dword ptr fs:[00000030h]	6_2_01862582
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185758F mov eax, dword ptr fs:[00000030h]	6_2_0185758F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185758F mov eax, dword ptr fs:[00000030h]	6_2_0185758F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185758F mov eax, dword ptr fs:[00000030h]	6_2_0185758F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189E59C mov eax, dword ptr fs:[00000030h]	6_2_0189E59C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018EB594 mov eax, dword ptr fs:[00000030h]	6_2_018EB594
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018EB594 mov eax, dword ptr fs:[00000030h]	6_2_018EB594
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815A9 mov eax, dword ptr fs:[00000030h]	6_2_018815A9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815A9 mov eax, dword ptr fs:[00000030h]	6_2_018815A9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815A9 mov eax, dword ptr fs:[00000030h]	6_2_018815A9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815A9 mov eax, dword ptr fs:[00000030h]	6_2_018815A9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815A9 mov eax, dword ptr fs:[00000030h]	6_2_018815A9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E05A7 mov eax, dword ptr fs:[00000030h]	6_2_018E05A7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E05A7 mov eax, dword ptr fs:[00000030h]	6_2_018E05A7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E05A7 mov eax, dword ptr fs:[00000030h]	6_2_018E05A7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191F5BE mov eax, dword ptr fs:[00000030h]	6_2_0191F5BE
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F35BA mov eax, dword ptr fs:[00000030h]	6_2_018F35BA
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F35BA mov eax, dword ptr fs:[00000030h]	6_2_018F35BA
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F35BA mov eax, dword ptr fs:[00000030h]	6_2_018F35BA
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F35BA mov eax, dword ptr fs:[00000030h]	6_2_018F35BA
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0188F5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0188F5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0188F5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0188F5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0188F5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0188F5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0188F5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0188F5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0188F5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018845B1 mov eax, dword ptr fs:[00000030h]	6_2_018845B1
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018845B1 mov eax, dword ptr fs:[00000030h]	6_2_018845B1
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018FD5B0 mov eax, dword ptr fs:[00000030h]	6_2_018FD5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018FD5B0 mov eax, dword ptr fs:[00000030h]	6_2_018FD5B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019335D7 mov eax, dword ptr fs:[00000030h]	6_2_019335D7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019335D7 mov eax, dword ptr fs:[00000030h]	6_2_019335D7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019335D7 mov eax, dword ptr fs:[00000030h]	6_2_019335D7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189E5CF mov eax, dword ptr fs:[00000030h]	6_2_0189E5CF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189E5CF mov eax, dword ptr fs:[00000030h]	6_2_0189E5CF
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018955C0 mov eax, dword ptr fs:[00000030h]	6_2_018955C0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018895DA mov eax, dword ptr fs:[00000030h]	6_2_018895DA
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018665D0 mov eax, dword ptr fs:[00000030h]	6_2_018665D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0189A5D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0189A5D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019355C9 mov eax, dword ptr fs:[00000030h]	6_2_019355C9
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DD5D0 mov eax, dword ptr fs:[00000030h]	6_2_018DD5D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018DD5D0 mov ecx, dword ptr fs:[00000030h]	6_2_018DD5D0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189C5ED mov eax, dword ptr fs:[00000030h]	6_2_0189C5ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189C5ED mov eax, dword ptr fs:[00000030h]	6_2_0189C5ED
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018625E0 mov eax, dword ptr fs:[00000030h]	6_2_018625E0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0188E5E7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0188E5E7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0188E5E7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0188E5E7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0188E5E7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0188E5E7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0188E5E7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0188E5E7
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815F4 mov eax, dword ptr fs:[00000030h]	6_2_018815F4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815F4 mov eax, dword ptr fs:[00000030h]	6_2_018815F4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815F4 mov eax, dword ptr fs:[00000030h]	6_2_018815F4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815F4 mov eax, dword ptr fs:[00000030h]	6_2_018815F4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815F4 mov eax, dword ptr fs:[00000030h]	6_2_018815F4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018815F4 mov eax, dword ptr fs:[00000030h]	6_2_018815F4
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01897505 mov eax, dword ptr fs:[00000030h]	6_2_01897505
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01897505 mov ecx, dword ptr fs:[00000030h]	6_2_01897505
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018F6500 mov eax, dword ptr fs:[00000030h]	6_2_018F6500
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01934500 mov eax, dword ptr fs:[00000030h]	6_2_01934500
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01934500 mov eax, dword ptr fs:[00000030h]	6_2_01934500
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01934500 mov eax, dword ptr fs:[00000030h]	6_2_01934500
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01934500 mov eax, dword ptr fs:[00000030h]	6_2_01934500
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01934500 mov eax, dword ptr fs:[00000030h]	6_2_01934500
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01934500 mov eax, dword ptr fs:[00000030h]	6_2_01934500
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01934500 mov eax, dword ptr fs:[00000030h]	6_2_01934500
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01935537 mov eax, dword ptr fs:[00000030h]	6_2_01935537
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870535 mov eax, dword ptr fs:[00000030h]	6_2_01870535
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870535 mov eax, dword ptr fs:[00000030h]	6_2_01870535
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870535 mov eax, dword ptr fs:[00000030h]	6_2_01870535
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870535 mov eax, dword ptr fs:[00000030h]	6_2_01870535
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870535 mov eax, dword ptr fs:[00000030h]	6_2_01870535
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01870535 mov eax, dword ptr fs:[00000030h]	6_2_01870535
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186D534 mov eax, dword ptr fs:[00000030h]	6_2_0186D534
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186D534 mov eax, dword ptr fs:[00000030h]	6_2_0186D534
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186D534 mov eax, dword ptr fs:[00000030h]	6_2_0186D534
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186D534 mov eax, dword ptr fs:[00000030h]	6_2_0186D534
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186D534 mov eax, dword ptr fs:[00000030h]	6_2_0186D534
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186D534 mov eax, dword ptr fs:[00000030h]	6_2_0186D534
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190F525 mov eax, dword ptr fs:[00000030h]	6_2_0190F525
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190F525 mov eax, dword ptr fs:[00000030h]	6_2_0190F525
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190F525 mov eax, dword ptr fs:[00000030h]	6_2_0190F525
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190F525 mov eax, dword ptr fs:[00000030h]	6_2_0190F525
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190F525 mov eax, dword ptr fs:[00000030h]	6_2_0190F525
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190F525 mov eax, dword ptr fs:[00000030h]	6_2_0190F525
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0190F525 mov eax, dword ptr fs:[00000030h]	6_2_0190F525
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E53E mov eax, dword ptr fs:[00000030h]	6_2_0188E53E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E53E mov eax, dword ptr fs:[00000030h]	6_2_0188E53E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E53E mov eax, dword ptr fs:[00000030h]	6_2_0188E53E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E53E mov eax, dword ptr fs:[00000030h]	6_2_0188E53E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188E53E mov eax, dword ptr fs:[00000030h]	6_2_0188E53E
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189D530 mov eax, dword ptr fs:[00000030h]	6_2_0189D530
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189D530 mov eax, dword ptr fs:[00000030h]	6_2_0189D530
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191B52F mov eax, dword ptr fs:[00000030h]	6_2_0191B52F
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01868550 mov eax, dword ptr fs:[00000030h]	6_2_01868550
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01868550 mov eax, dword ptr fs:[00000030h]	6_2_01868550
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189656A mov eax, dword ptr fs:[00000030h]	6_2_0189656A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189656A mov eax, dword ptr fs:[00000030h]	6_2_0189656A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189656A mov eax, dword ptr fs:[00000030h]	6_2_0189656A
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185B562 mov eax, dword ptr fs:[00000030h]	6_2_0185B562
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189B570 mov eax, dword ptr fs:[00000030h]	6_2_0189B570
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189B570 mov eax, dword ptr fs:[00000030h]	6_2_0189B570
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01869486 mov eax, dword ptr fs:[00000030h]	6_2_01869486
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01869486 mov eax, dword ptr fs:[00000030h]	6_2_01869486
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185B480 mov eax, dword ptr fs:[00000030h]	6_2_0185B480
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018664AB mov eax, dword ptr fs:[00000030h]	6_2_018664AB
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018934B0 mov eax, dword ptr fs:[00000030h]	6_2_018934B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018944B0 mov ecx, dword ptr fs:[00000030h]	6_2_018944B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018EA4B0 mov eax, dword ptr fs:[00000030h]	6_2_018EA4B0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019354DB mov eax, dword ptr fs:[00000030h]	6_2_019354DB
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018604E5 mov ecx, dword ptr fs:[00000030h]	6_2_018604E5
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_019094E0 mov eax, dword ptr fs:[00000030h]	6_2_019094E0
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0188340D mov eax, dword ptr fs:[00000030h]	6_2_0188340D
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01898402 mov eax, dword ptr fs:[00000030h]	6_2_01898402
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01898402 mov eax, dword ptr fs:[00000030h]	6_2_01898402
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_01898402 mov eax, dword ptr fs:[00000030h]	6_2_01898402
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E7410 mov eax, dword ptr fs:[00000030h]	6_2_018E7410
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185C427 mov eax, dword ptr fs:[00000030h]	6_2_0185C427
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185E420 mov eax, dword ptr fs:[00000030h]	6_2_0185E420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185E420 mov eax, dword ptr fs:[00000030h]	6_2_0185E420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0185E420 mov eax, dword ptr fs:[00000030h]	6_2_0185E420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E6420 mov eax, dword ptr fs:[00000030h]	6_2_018E6420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E6420 mov eax, dword ptr fs:[00000030h]	6_2_018E6420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E6420 mov eax, dword ptr fs:[00000030h]	6_2_018E6420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E6420 mov eax, dword ptr fs:[00000030h]	6_2_018E6420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E6420 mov eax, dword ptr fs:[00000030h]	6_2_018E6420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E6420 mov eax, dword ptr fs:[00000030h]	6_2_018E6420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_018E6420 mov eax, dword ptr fs:[00000030h]	6_2_018E6420
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0189A430 mov eax, dword ptr fs:[00000030h]	6_2_0189A430
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0191F453 mov eax, dword ptr fs:[00000030h]	6_2_0191F453
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186B440 mov eax, dword ptr fs:[00000030h]	6_2_0186B440
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186B440 mov eax, dword ptr fs:[00000030h]	6_2_0186B440
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186B440 mov eax, dword ptr fs:[00000030h]	6_2_0186B440
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Code function: 6_2_0186B440 mov eax, dword ptr fs:[00000030h]	6_2_0186B440

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00CB0FE7 GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,

9_2_00CB0FE7

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CB14D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		9_2_00CB14D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00CB1720 SetUnhandledExceptionFilter,		9_2_00CB1720

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe"
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\97q26I8OtN.exe	NtClose: Indirect: 0x175A56C
Source: C:\Users\user\Desktop\97q26I8OtN.exe	NtQueueApcThread: Indirect: 0x175A4F2			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Thread register set: target process: 4004			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 4004			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: CA0000

Jump to behavior

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Users\user\Desktop\97q26I8OtN.exe "C:\Users\user\Desktop\97q26I8OtN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Process created: C:\Users\user\Desktop\97q26I8OtN.exe "C:\Users\user\Desktop\97q26I8OtN.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\97q26I8OtN.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00CA8DB2 AllocateAndInitializeSid,GetModuleHandleA,LoadLibraryExA,GetProcAddress,FreeSid,FreeLibrary,

9_2_00CA8DB2

Source: explorer.exe, 00000007.00000000.2307070203.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3517941472.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000007.00000000.2312540119.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2307070203.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3517941472.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.2307070203.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3517941472.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.2306254715.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3516982177.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000007.00000000.2307070203.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3517941472.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000002.3524846046.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979585604.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2321567000.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\97q26I8OtN.exe	Queries volume information: C:\Users\user\Desktop\97q26I8OtN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\97q26I8OtN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00CB1945 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_00CB1945

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00CAF80E GetSystemInfo,GetVersionExW,

9_2_00CAF80E

Source: C:\Users\user\Desktop\97q26I8OtN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.97q26I8OtN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.97q26I8OtN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	215 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	412 Process Injection	4 Obfuscated Files or Information	NTDS	231 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rootkit	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	412 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
97q26I8OtN.exe	92%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
97q26I8OtN.exe	66%	Virustotal		Browse
97q26I8OtN.exe	100%	Avira	TR/AD.Swotter.vctve

Source	Detection	Scanner	Label
http://www.raipsehumus.homesReferer:	0%	Avira URL Cloud	safe
http://www.killsnexis.infoReferer:	0%	Avira URL Cloud	safe
http://www.iewunucierwuerwnziqi1.info/t18n/www.entalcar-onlineservices.lol	0%	Avira URL Cloud	safe
http://www.efoplin.xyz/t18n/	0%	Avira URL Cloud	safe
http://www.olar-installer-job-at-de2.today	0%	Avira URL Cloud	safe
http://www.destramentoemcasa.shop/t18n/	0%	Avira URL Cloud	safe
http://www.olar-installer-job-at-de2.todayReferer:	0%	Avira URL Cloud	safe
http://www.bresz.xyz/t18n/www.ental-health-89041.bond	100%	Avira URL Cloud	malware
http://www.sphaltpaving-ttp1-shd-us-2.shop/t18n/	0%	Avira URL Cloud	safe
http://www.raipsehumus.homes	0%	Avira URL Cloud	safe
http://www.ental-health-89041.bond/t18n/	0%	Avira URL Cloud	safe
http://www.ental-health-89041.bond/t18n/www.sphaltpaving-ttp1-shd-us-2.shop	0%	Avira URL Cloud	safe
http://www.xhibitonenotary.info/t18n/www.unihbahis.net	0%	Avira URL Cloud	safe
http://www.destramentoemcasa.shop	0%	Avira URL Cloud	safe
http://www.entalcar-onlineservices.lol	0%	Avira URL Cloud	safe
http://www.entalcar-onlineservices.lol/t18n/www.hop-gb.sbs	0%	Avira URL Cloud	safe
http://www.hekindclub.net	0%	Avira URL Cloud	safe
http://www.enaydereli.xyz	0%	Avira URL Cloud	safe
http://www.raipsehumus.homes/t18n/www.iewunucierwuerwnziqi1.info	0%	Avira URL Cloud	safe
http://www.pacerpa.shop/t18n/www.efoplin.xyz	0%	Avira URL Cloud	safe
http://www.hop-gb.sbs/t18n/www.olar-installer-job-at-de2.today	0%	Avira URL Cloud	safe
http://www.entalcar-onlineservices.lolReferer:	0%	Avira URL Cloud	safe
http://www.enaydereli.xyzReferer:	0%	Avira URL Cloud	safe
http://www.unihbahis.net/t18n/www.destramentoemcasa.shop	0%	Avira URL Cloud	safe
http://www.efoplin.xyz	0%	Avira URL Cloud	safe
http://www.enaydereli.xyz/t18n/www.hekindclub.net	0%	Avira URL Cloud	safe
http://www.unihbahis.net/t18n/	0%	Avira URL Cloud	safe
http://www.bresz.xyzReferer:	0%	Avira URL Cloud	safe
http://www.ental-health-89041.bondReferer:	0%	Avira URL Cloud	safe
http://www.pacerpa.shopReferer:	0%	Avira URL Cloud	safe
http://www.hop-gb.sbs/t18n/	0%	Avira URL Cloud	safe
http://www.sphaltpaving-ttp1-shd-us-2.shop/t18n/www.killsnexis.info	0%	Avira URL Cloud	safe
http://www.iewunucierwuerwnziqi1.infoReferer:	0%	Avira URL Cloud	safe
www.xhibitonenotary.info/t18n/	0%	Avira URL Cloud	safe
http://www.xhibitonenotary.info/t18n/	0%	Avira URL Cloud	safe
http://www.hekindclub.net/t18n/	0%	Avira URL Cloud	safe
http://www.unihbahis.net	0%	Avira URL Cloud	safe
http://www.killsnexis.info/t18n/	0%	Avira URL Cloud	safe
http://www.killsnexis.info/t18n/www.enaydereli.xyz	0%	Avira URL Cloud	safe
http://www.entalcar-onlineservices.lol/t18n/	0%	Avira URL Cloud	safe
http://www.hekindclub.netReferer:	0%	Avira URL Cloud	safe
http://www.bresz.xyz/t18n/	100%	Avira URL Cloud	malware
http://www.bresz.xyz	100%	Avira URL Cloud	malware
http://www.xhibitonenotary.infoReferer:	0%	Avira URL Cloud	safe
http://www.destramentoemcasa.shopReferer:	0%	Avira URL Cloud	safe
http://www.destramentoemcasa.shop/t18n/www.pacerpa.shop	0%	Avira URL Cloud	safe
http://www.raipsehumus.homes/t18n/	0%	Avira URL Cloud	safe
http://www.hop-gb.sbs	0%	Avira URL Cloud	safe
http://www.sphaltpaving-ttp1-shd-us-2.shop	0%	Avira URL Cloud	safe
http://www.ental-health-89041.bond	0%	Avira URL Cloud	safe
http://www.enaydereli.xyz/t18n/	0%	Avira URL Cloud	safe
http://www.pacerpa.shop	0%	Avira URL Cloud	safe
http://www.killsnexis.info	0%	Avira URL Cloud	safe
http://www.pacerpa.shop/t18n/	0%	Avira URL Cloud	safe
http://www.sphaltpaving-ttp1-shd-us-2.shopReferer:	0%	Avira URL Cloud	safe
http://www.hop-gb.sbsReferer:	0%	Avira URL Cloud	safe
http://www.efoplin.xyzReferer:	0%	Avira URL Cloud	safe
http://www.hekindclub.net/t18n/www.raipsehumus.homes	0%	Avira URL Cloud	safe
http://www.olar-installer-job-at-de2.today/t18n/www.xhibitonenotary.info	0%	Avira URL Cloud	safe
http://www.xhibitonenotary.info	0%	Avira URL Cloud	safe
http://www.efoplin.xyz/t18n/e	0%	Avira URL Cloud	safe
http://www.iewunucierwuerwnziqi1.info/t18n/	0%	Avira URL Cloud	safe
http://www.unihbahis.netReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	high
www.hekindclub.net	unknown	unknown	true	unknown
www.sphaltpaving-ttp1-shd-us-2.shop	unknown	unknown	true	unknown
www.ental-health-89041.bond	unknown	unknown	true	unknown
www.enaydereli.xyz	unknown	unknown	true	unknown
www.killsnexis.info	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.xhibitonenotary.info/t18n/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.olar-installer-job-at-de2.today	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.efoplin.xyz/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3524143003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000973C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.comM	explorer.exe, 00000007.00000002.3530151026.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2325858407.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.iewunucierwuerwnziqi1.info/t18n/www.entalcar-onlineservices.lol	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.olar-installer-job-at-de2.todayReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.killsnexis.infoReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.raipsehumus.homes	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.destramentoemcasa.shop/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.raipsehumus.homesReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bresz.xyz/t18n/www.ental-health-89041.bond	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.sphaltpaving-ttp1-shd-us-2.shop/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/e	explorer.exe, 00000007.00000000.2321567000.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979585604.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3524846046.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	97q26I8OtN.exe, 00000000.00000002.2306586112.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ental-health-89041.bond/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ental-health-89041.bond/t18n/www.sphaltpaving-ttp1-shd-us-2.shop	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xhibitonenotary.info/t18n/www.unihbahis.net	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.entalcar-onlineservices.lol	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pacerpa.shop/t18n/www.efoplin.xyz	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hekindclub.net	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.destramentoemcasa.shop	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.entalcar-onlineservices.lol/t18n/www.hop-gb.sbs	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.raipsehumus.homes/t18n/www.iewunucierwuerwnziqi1.info	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.enaydereli.xyz	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hop-gb.sbs/t18n/www.olar-installer-job-at-de2.today	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000007.00000000.2325858407.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3530151026.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.come	explorer.exe, 00000007.00000002.3530151026.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2325858407.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000007.00000000.2321567000.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.entalcar-onlineservices.lolReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enaydereli.xyzReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.unihbahis.net/t18n/www.destramentoemcasa.shop	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000007.00000002.3524143003.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.efoplin.xyz	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/I	explorer.exe, 00000007.00000002.3524143003.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.enaydereli.xyz/t18n/www.hekindclub.net	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bresz.xyzReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.unihbahis.net/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000007.00000002.3522509548.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3522479463.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2307200163.00000000028A0000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.ental-health-89041.bondReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hop-gb.sbs/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.pacerpa.shopReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sphaltpaving-ttp1-shd-us-2.shop/t18n/www.killsnexis.info	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iewunucierwuerwnziqi1.infoReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hekindclub.net/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xhibitonenotary.info/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.unihbahis.net	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.entalcar-onlineservices.lol/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.killsnexis.info/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.killsnexis.info/t18n/www.enaydereli.xyz	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bresz.xyz	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.hekindclub.netReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bresz.xyz/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.destramentoemcasa.shopReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xhibitonenotary.infoReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hop-gb.sbs	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.destramentoemcasa.shop/t18n/www.pacerpa.shop	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.raipsehumus.homes/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.com-	explorer.exe, 00000007.00000002.3530151026.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2325858407.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.sphaltpaving-ttp1-shd-us-2.shop	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enaydereli.xyz/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ental-health-89041.bond	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pacerpa.shop	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsdQdelete	97q26I8OtN.exe	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.pacerpa.shop/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.killsnexis.info	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sphaltpaving-ttp1-shd-us-2.shopReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comEMd	explorer.exe, 00000007.00000000.2325858407.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3530151026.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hop-gb.sbsReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.efoplin.xyzReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hekindclub.net/t18n/www.raipsehumus.homes	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.olar-installer-job-at-de2.today/t18n/www.xhibitonenotary.info	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.xhibitonenotary.info	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.unihbahis.netReferer:	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000007.00000002.3524143003.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2320216242.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.iewunucierwuerwnziqi1.info/t18n/	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.efoplin.xyz/t18n/e	explorer.exe, 00000007.00000002.3533217997.000000000C474000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-	explorer.exe, 00000007.00000002.3520696519.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2312954945.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587626
Start date and time:	2025-01-10 15:59:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	97q26I8OtN.exe renamed because original name is a hash value
Original Sample Name:	57e610ffae08a6189ecc331352a5115093c0c8b9372756b2211f2e164d052dc5.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/6@5/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 187 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 2.23.242.162, 20.12.23.50
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:00:43	API Interceptor	1x Sleep call for process: 97q26I8OtN.exe modified
10:00:45	API Interceptor	39x Sleep call for process: powershell.exe modified
10:00:48	API Interceptor	1718161x Sleep call for process: explorer.exe modified
10:01:30	API Interceptor	2140016x Sleep call for process: cmstp.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.fb-t-msedge.net	nkCBRtd25H.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://eu.jotform.com/app/250092704521347	Get hash	malicious	Unknown	Browse	13.107.253.45
	http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.ch	Get hash	malicious	Unknown	Browse	13.107.253.45
	fghj.exe	Get hash	malicious	LummaC	Browse	13.107.253.45
	https://p3rsa.appdocumentcenter.com/BpdLO	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.253.45
	Nuevo-orden.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.45
	Notification of a Compromised Email Account.msg	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	13.107.253.45

Process:	C:\Users\user\Desktop\97q26I8OtN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//8M0Uyus:fLHxvCZfIfSKRHmOugw1s
MD5:	34AB91BF9BDA40C61902A40A571C9BEE
SHA1:	9A585FD4DE02FBEF18CEB65BCA0B91D91F07BD29
SHA-256:	68FE13F752B2E439A058AA3379F043CE706914DEC401F6ECEBBBEE93F0A4262C
SHA-512:	B8EB321D0C834F0EA1B7C758255C6A4E8747F65B98E52904446D79B1B980E0CC0E6D89D772D3E8B43F90BF333CFC5AAE8AE1F2A555F6291C6191F2810985BF81
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fsttans.nxw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhpy20f1.sdb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfzcpt1e.xgr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pcasdjby.dyi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.48444538423912
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	97q26I8OtN.exe
File size:	769'024 bytes
MD5:	2e5a55a46c75aa53efd566270938d168
SHA1:	ce2dbc6468deedaff70830ffa2e7af2c2f36f333
SHA256:	57e610ffae08a6189ecc331352a5115093c0c8b9372756b2211f2e164d052dc5
SHA512:	8eef317a65dacf9686df9b22b47b9bf6738ec607983740279079b9927f02b4a3413b166500f7c11e1944b62e241aaa0552d1e2b73755dbaecaaed178a49e72a1
SSDEEP:	12288:v39mEqOVzmIJnfTu6EKrVwTBbHsot5ZeVK7EWWlPYnlMWn:vIEqE6sTxBwBtve0WRnW
TLSH:	54F4AE1476548F52CA7987F47872E07013FC5E6EA01EE2655EC27EEBB9A2F048950F83
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.p...............0.............F.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4bce46
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x99709B7A [Sun Jul 30 01:38:02 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbcdf2	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0x61c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb8dcc	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbae4c	0xbb000	ee5785fab93a668317eb56616de51297	False	0.7966282482453209	data	7.4949352527964646	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbe000	0x61c	0x800	5d6fdff6b2d3631cbaa83dedeb07c0b4	False	0.337890625	data	3.456910900854242	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	7334087f42d2a51739480a23b24e407b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbe090	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data			0.42180616740088106
RT_MANIFEST	0xbe42c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:01:44.358814001 CET	49870	53	192.168.2.6	1.1.1.1
Jan 10, 2025 16:01:44.367430925 CET	53	49870	1.1.1.1	192.168.2.6
Jan 10, 2025 16:02:05.014175892 CET	53181	53	192.168.2.6	1.1.1.1
Jan 10, 2025 16:02:05.023049116 CET	53	53181	1.1.1.1	192.168.2.6
Jan 10, 2025 16:02:25.906277895 CET	60820	53	192.168.2.6	1.1.1.1
Jan 10, 2025 16:02:25.921519995 CET	53	60820	1.1.1.1	192.168.2.6
Jan 10, 2025 16:02:46.568629980 CET	55100	53	192.168.2.6	1.1.1.1
Jan 10, 2025 16:02:46.584697962 CET	53	55100	1.1.1.1	192.168.2.6
Jan 10, 2025 16:03:08.342381954 CET	63201	53	192.168.2.6	1.1.1.1
Jan 10, 2025 16:03:08.355367899 CET	53	63201	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:01:44.358814001 CET	192.168.2.6	1.1.1.1	0x35a4	Standard query (0)	www.ental-health-89041.bond	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:05.014175892 CET	192.168.2.6	1.1.1.1	0x57a	Standard query (0)	www.sphaltpaving-ttp1-shd-us-2.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:25.906277895 CET	192.168.2.6	1.1.1.1	0xe882	Standard query (0)	www.killsnexis.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:46.568629980 CET	192.168.2.6	1.1.1.1	0x639f	Standard query (0)	www.enaydereli.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:03:08.342381954 CET	192.168.2.6	1.1.1.1	0x41ab	Standard query (0)	www.hekindclub.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:00:39.626882076 CET	1.1.1.1	192.168.2.6	0xd395	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:00:39.626882076 CET	1.1.1.1	192.168.2.6	0xd395	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:00:39.626882076 CET	1.1.1.1	192.168.2.6	0xd395	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:44.367430925 CET	1.1.1.1	192.168.2.6	0x35a4	Name error (3)	www.ental-health-89041.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:05.023049116 CET	1.1.1.1	192.168.2.6	0x57a	Name error (3)	www.sphaltpaving-ttp1-shd-us-2.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:25.921519995 CET	1.1.1.1	192.168.2.6	0xe882	Name error (3)	www.killsnexis.info	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:46.584697962 CET	1.1.1.1	192.168.2.6	0x639f	Name error (3)	www.enaydereli.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:03:08.355367899 CET	1.1.1.1	192.168.2.6	0x41ab	Name error (3)	www.hekindclub.net	none	none	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xE7
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xE7
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xE7
GetMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xE7

Target ID:	0
Start time:	10:00:42
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\97q26I8OtN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\97q26I8OtN.exe"
Imagebase:	0xa50000
File size:	769'024 bytes
MD5 hash:	2E5A55A46C75AA53EFD566270938D168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2307446999.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:00:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\97q26I8OtN.exe"
Imagebase:	0xa30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:00:43
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:00:43
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\97q26I8OtN.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\97q26I8OtN.exe"
Imagebase:	0x270000
File size:	769'024 bytes
MD5 hash:	2E5A55A46C75AA53EFD566270938D168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:00:43
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\97q26I8OtN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\97q26I8OtN.exe"
Imagebase:	0xc80000
File size:	769'024 bytes
MD5 hash:	2E5A55A46C75AA53EFD566270938D168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:00:45
Start date:	10/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.3533475165.000000000E306000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:00:48
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:00:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmstp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmstp.exe"
Imagebase:	0xca0000
File size:	81'920 bytes
MD5 hash:	D7AABFAB5BEFD53BA3A27BD48F3CC675
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3517418450.0000000003660000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3517507304.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:00:53
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\97q26I8OtN.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:00:53
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	55
Total number of Limit Nodes:	1

Executed Functions

Function 08ED84E8 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738ad8642995de67ec8108d9beccff8379239d055c9ab42770ef95df0e0e85ce
Instruction ID: 4d43f1dd05728e320c12cad380a822642c735cb46210eb9cf8dff9419aca050d
Opcode Fuzzy Hash: 738ad8642995de67ec8108d9beccff8379239d055c9ab42770ef95df0e0e85ce
Instruction Fuzzy Hash: 9ED1B171A05365CFCB10CBA4C840ABEBBF1BF45316F149A7AE0B59B281D734D84ACB91

Function 052AADA8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2309874201.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_97q26I8OtN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 92a3e1b2038eaaaed48585ea3442863085baf115ed9f1c4377379c4db502b202
Instruction ID: 32797cecc2d771c613db588470c2e03f2cb3a2230295b320dd6e25ea5f21a47b
Opcode Fuzzy Hash: 92a3e1b2038eaaaed48585ea3442863085baf115ed9f1c4377379c4db502b202
Instruction Fuzzy Hash: 15713471A10B068FD728DF2AD54476ABBF5FF88300F008A2DD08AD7A40DB75E849CB90

Function 052A44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 052A59D1

Memory Dump Source

Source File: 00000000.00000002.2309874201.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_97q26I8OtN.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dee0b40f907e41c05cb6fb3f9b0bda114db23bf745000ed21f7001c6ab1f1657
Instruction ID: 69af0d5e98ea200b225c34307bdbb768f006d0761c5c332abbed8b3b37a053ae
Opcode Fuzzy Hash: dee0b40f907e41c05cb6fb3f9b0bda114db23bf745000ed21f7001c6ab1f1657
Instruction Fuzzy Hash: 7A41EEB1D0071DCBDB24CFA9C985B8EBBF5BF88304F20806AD408AB251DBB56945CF90

Function 052A5914 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 052A59D1

Memory Dump Source

Source File: 00000000.00000002.2309874201.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_97q26I8OtN.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a9db656045cf1775266b7afbe9aa66f3233bd790e10196f10a531f54b38860f6
Instruction ID: 63a18b55246f53e3a00979b7f62ebd4d43c797a8e8acbc2e1a3843a5b6e586e8
Opcode Fuzzy Hash: a9db656045cf1775266b7afbe9aa66f3233bd790e10196f10a531f54b38860f6
Instruction Fuzzy Hash: 4541EFB1D00719CFDB24CFA9C984B9EBBF5BF89304F20816AD408AB255DBB56946CF50

Function 052AD27C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,052AD656,?,?,?,?,?), ref: 052AD717

Memory Dump Source

Source File: 00000000.00000002.2309874201.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_97q26I8OtN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f0ba63277d252b5e6cd03011c5152e5523eedf20609a51278c76284b81fb692c
Instruction ID: c51161fd1b84c1b24a814e8b9bf6eff78b3e58b06b54895618d57fc8c49bb625
Opcode Fuzzy Hash: f0ba63277d252b5e6cd03011c5152e5523eedf20609a51278c76284b81fb692c
Instruction Fuzzy Hash: C621D2B59002499FDB10CF9AD984ADEBBF4EF48320F54841AE918A3310D378A954CFA5

Function 052AD688 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,052AD656,?,?,?,?,?), ref: 052AD717

Memory Dump Source

Source File: 00000000.00000002.2309874201.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_97q26I8OtN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7cb02ab33931a14d20a911cadd76c31270033226df2a1a8f38f8570f7c736c0b
Instruction ID: d5b440b539b7e9a22dcc9740bb9d7779d911839bf16333cc414fdc2bbf2c9781
Opcode Fuzzy Hash: 7cb02ab33931a14d20a911cadd76c31270033226df2a1a8f38f8570f7c736c0b
Instruction Fuzzy Hash: EC21D2B69002099FDB10CF99D984ADEBBF4EB48314F14841AE918A3350D378A954CFA0

Function 052AB031 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,052AADC4), ref: 052AAFFE

Memory Dump Source

Source File: 00000000.00000002.2309874201.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_97q26I8OtN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 87b6e4f8f3691176fe6c62cf18cf5dd065f42af414dea13846f2138cfa0f7a76
Instruction ID: 398ffb12aad4abd2d7b47e7c465cd1791e790711e86ee3cf9a0eb6e79a2fdb79
Opcode Fuzzy Hash: 87b6e4f8f3691176fe6c62cf18cf5dd065f42af414dea13846f2138cfa0f7a76
Instruction Fuzzy Hash: 32119E73A14205DBDB14DBAAE8047EBBBE9AFC8324F048069D519A7250CB759846CBA0

Function 052AA0CC Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,052AADC4), ref: 052AAFFE

Memory Dump Source

Source File: 00000000.00000002.2309874201.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_97q26I8OtN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c9a2ba7113a0c795590e5908566826c0b4a173fcd8d70e3d0e16a4d1782bfdc5
Instruction ID: 03dcfcd549ac4648fb4fa2a9b8292c222c8e3842b146bbcc9897e8dfa577d4f0
Opcode Fuzzy Hash: c9a2ba7113a0c795590e5908566826c0b4a173fcd8d70e3d0e16a4d1782bfdc5
Instruction Fuzzy Hash: 4B1102B6C047498FCB24CF9AC544B9EFBF4EF88324F10841AD529A7210D3B9A545CFA1

Function 08ED5C71 Relevance: 1.4, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%*&/)(#$^@!~-_, xrefs: 08ED5CA9

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 9b77735bc48bc793a8a68a0e616e596cb1c4c171852aea7e4b220fda9ba7ce1b
Instruction ID: 747a8d357a16e56a1209ec2aef7d8c043d9e156f8b72cf53afc771004717c785
Opcode Fuzzy Hash: 9b77735bc48bc793a8a68a0e616e596cb1c4c171852aea7e4b220fda9ba7ce1b
Instruction Fuzzy Hash: 1051B031B002049BDB04BB74D8556AEBBB2FF89300F5484A9DD926B38ACF756D49CBC1

Function 08ED5C80 Relevance: 1.4, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%*&/)(#$^@!~-_, xrefs: 08ED5CA9

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 4bef6dc5e9ceff1885eab8dcc6d7ee3820fc921d7bf0750712b4713298f11f1a
Instruction ID: aeea7c8a72af6fc28fdb9016ab76717947aab9ae24295ca37ecc501f27cfd6a1
Opcode Fuzzy Hash: 4bef6dc5e9ceff1885eab8dcc6d7ee3820fc921d7bf0750712b4713298f11f1a
Instruction Fuzzy Hash: DF519131B002049BDB04BB74D8556ADBBB2BF89300F5484A9DD916B389CF756D49CBD1

Function 08EDD388 Relevance: 1.3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r, xrefs: 08EDD4E4

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 9973ce0967b764abbe4d11d1da88009bf804427a31d91a9fd45dc445ec25b115
Instruction ID: 5e1ebbf481017969fd6226aa0eb837446aefb5361d7ef6710913e3e4d928ba13
Opcode Fuzzy Hash: 9973ce0967b764abbe4d11d1da88009bf804427a31d91a9fd45dc445ec25b115
Instruction Fuzzy Hash: D4313C36A05205DFD700DF98E9946EDF7B9FB4A302B11B295D406A7206C738E98BCB90

Function 08ED15FF Relevance: .6, Instructions: 554
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50b16faf7e197205b2a895873a4844a7f87fc16adbf70bd940ea8e16410feef
Instruction ID: 2cfcdb1886a7373a742563125d2eb600cafa44cbc78a139b8d1881c4291420fe
Opcode Fuzzy Hash: f50b16faf7e197205b2a895873a4844a7f87fc16adbf70bd940ea8e16410feef
Instruction Fuzzy Hash: FB420231D10619CFCF15EFA8C8446ECBBB1BF49301F5182AAD5497B265EB309A99CF81

Function 08ED16A0 Relevance: .5, Instructions: 523
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94abd902ee3224deb4d7e0e9c02733b2b4312fe5751172d6f93d024f0103910
Instruction ID: 00867d8c73f269d5abd6968e4770b937e59f17b36ea19fa6dc89bf5e633adee6
Opcode Fuzzy Hash: a94abd902ee3224deb4d7e0e9c02733b2b4312fe5751172d6f93d024f0103910
Instruction Fuzzy Hash: 1942E231D10619CFCF15EFA8C8446DCBBB1BF49301F5182A9D5497B265EB30AA9ACF81

Function 08ED1691 Relevance: .5, Instructions: 519
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ddffa60c883138d0c18617efbfc0a77030bee605042efb4d5806fe7c4ede9d
Instruction ID: 3bb3027cefc36435a64ed686e9ae65bb109263bff269b5f9f4b7efe4a64880e9
Opcode Fuzzy Hash: 52ddffa60c883138d0c18617efbfc0a77030bee605042efb4d5806fe7c4ede9d
Instruction Fuzzy Hash: B942F231D10619CFCF15EFA8C8446ECBBB1BF49301F5182A9D5497B265EB30AA99CF81

Function 08ED2808 Relevance: .5, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d749c7e5d94b7eea81f247a44cd8e0875964d1f60254a5ef79707b597f771829
Instruction ID: 7d348ceff5c10fc5a8ab9b655be9ef88a73571fda773f69eec4c53acd676fe7a
Opcode Fuzzy Hash: d749c7e5d94b7eea81f247a44cd8e0875964d1f60254a5ef79707b597f771829
Instruction Fuzzy Hash: C1125032A10709CFCF15DF64C4506DDB7B2FF85301F10869AE949AB254EB71EA86CB91

Function 08ED5EE8 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b4c88a256642baaa3bba34cc2e93518c9f3b4b62c30b5ba153d72254b1c624
Instruction ID: 3a9b5d602317040111fb41e197ab2caf2b65fc3cf2871c2e9378e9a03e6ff8b8
Opcode Fuzzy Hash: 78b4c88a256642baaa3bba34cc2e93518c9f3b4b62c30b5ba153d72254b1c624
Instruction Fuzzy Hash: D0F1F131A08354CFC715CBA8C85466EBBB2FF92311F1491AED156DB3A2DB74C90ACB91

Function 08EDBBA8 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e09465304e2ce8055a03b4eae70f8751b6118f25847e5df846f657388e1abb2
Instruction ID: a9426c6c9a6e319a148a9f3b7e45fb8a51e007b6ada92634cba1045ce3caea6b
Opcode Fuzzy Hash: 3e09465304e2ce8055a03b4eae70f8751b6118f25847e5df846f657388e1abb2
Instruction Fuzzy Hash: 92A16E74E1421ADFDB04DFA4D480ADDFBB6FF88311F10A628D519AB345EB30A94ACB40

Function 08EDBB99 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9882ae1d004e73311c4c2f4fa6f9733a2f83f3140d8432a0a37b5ce916f80544
Instruction ID: f25155d526c1f7fd4657e5fc39d2c4d905bdf7220ec732d487231ab64a68d53a
Opcode Fuzzy Hash: 9882ae1d004e73311c4c2f4fa6f9733a2f83f3140d8432a0a37b5ce916f80544
Instruction Fuzzy Hash: BBA17F70E0521ADFDB04DFA4D480ADDFBB6FF88311F10A629D519AB355EB34994ACB40

Function 08ED0CF8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df133499b465f33d6b0cdbbcd26d5140cb7d6dbbed29119ef619cfd674478868
Instruction ID: 500d549068348a42bfbf93be549bb35b6c694475379c14e4c2c4e824e2c6541f
Opcode Fuzzy Hash: df133499b465f33d6b0cdbbcd26d5140cb7d6dbbed29119ef619cfd674478868
Instruction Fuzzy Hash: DD819332A10A09DFCF15EF68D4986ECBFB1FF44305F14646AE445A7294EB30D96ACB81

Function 08ED8DB0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beef4dc903630a8156f984888c4c0864610c00a2b56b8e2d14a8202f5b7bb984
Instruction ID: eead17458afa6528705fc48b5938f426ba6ed2444559819a4aeeef12d0f58b64
Opcode Fuzzy Hash: beef4dc903630a8156f984888c4c0864610c00a2b56b8e2d14a8202f5b7bb984
Instruction Fuzzy Hash: 28510531A08364CFD715CB29C8107BABBB2EF86312F0499BBE555DB296C634980ACB51

Function 08ED7F17 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3784e54055634c12ad0679996a93c308e9681118998aaa07df33f8c9f7b092
Instruction ID: 4ac6f80fa11c308b4bcab3a2a0db4ebd6c8406bc5f142d5ba7c7325df16522cb
Opcode Fuzzy Hash: 7b3784e54055634c12ad0679996a93c308e9681118998aaa07df33f8c9f7b092
Instruction Fuzzy Hash: 3051B235F00219DBDB049FA9CC507AEBBB2BB84312F10952AE955A73C4CA349C4B9B91

Function 08ED8C98 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca3264ebd81b1fc09fe42be7778f4cc10baccbbaea18fef4a52908447166e4e
Instruction ID: db2d46b188accfb2570bdc9aae700d5267875d1b411076e5e31ebec576bcde9a
Opcode Fuzzy Hash: 5ca3264ebd81b1fc09fe42be7778f4cc10baccbbaea18fef4a52908447166e4e
Instruction Fuzzy Hash: 0A415932B09364DFC3259F6898407EB7BA9EB86311F04597FE142DB2D2C660884EC352

Function 08EDADD0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2371f05f6d85e1797eb4763d12945f6aeece04957f5f6c4a77b7eab52c15c179
Instruction ID: 8e9ad1b4899a50572a3b9a1d5433e7aa84ed8db64ac7ef40601df2b993666849
Opcode Fuzzy Hash: 2371f05f6d85e1797eb4763d12945f6aeece04957f5f6c4a77b7eab52c15c179
Instruction Fuzzy Hash: 8B41C5319483A6CFD711CFA9D8842AEBFB0EF41211F1851BBD995C7192D338C68AC761

Function 08ED3F70 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2e2103d4e16069344b51c81555070621959950c0eaa7f08cce0a79a4c7a70
Instruction ID: 9299a8eef006ea4cb466a16be24cb8a2138949f91c0fad098811953896ff467e
Opcode Fuzzy Hash: a6e2e2103d4e16069344b51c81555070621959950c0eaa7f08cce0a79a4c7a70
Instruction Fuzzy Hash: F8514E72E0021ACBCF10CFA8C8816EEF7F1FF85204F14866AE559E7241D734A996CB95

Function 08ED03C4 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593be4ae3c3c2096d39d5aecda9ecfb21440be289e41a7f9217642d1e1de3040
Instruction ID: af77ea00b738297822ddb0159f332515086717b836fcec35555de1f4914114f9
Opcode Fuzzy Hash: 593be4ae3c3c2096d39d5aecda9ecfb21440be289e41a7f9217642d1e1de3040
Instruction Fuzzy Hash: 1441D572E487569FCB01BF64C8586EEBBB0FB45342F246429E402E7294F634C91B8B91

Function 08ED0F70 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1aa0fac1f9afb3537f0560bbd2d16839b68594dcf34f0599b0cfb41dd996e2b
Instruction ID: bd6d51c65ec09ed6489132d792c37ed59918559e6445d24212001869bd5a4ae5
Opcode Fuzzy Hash: d1aa0fac1f9afb3537f0560bbd2d16839b68594dcf34f0599b0cfb41dd996e2b
Instruction Fuzzy Hash: 66412B33E087969FCB01BF60C9586EEBBB0FF46201F14206AD442F7295E634891BCB91

Function 08ED5B34 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b5eea3c42e618e8d28f4654d3ef0d7d9806ede17712d5e24ef56500a948fe3
Instruction ID: c47b3d39051c9bf01296a7e896b063ca2f69cac0e7cbd8e3e0bc8af16dc9cb9a
Opcode Fuzzy Hash: 06b5eea3c42e618e8d28f4654d3ef0d7d9806ede17712d5e24ef56500a948fe3
Instruction Fuzzy Hash: 95316676900309EFCF10DFA9D884A9EBFF5EB49310F10846AE809A7310D775A915CBA0

Function 08ED5EA6 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1da1925e8e17c945ae8f77446ec16b7c9ec7c8f7435d3893c4079585765a27c
Instruction ID: bd188ceeea1ea4e1292c2c2d964eb901f3b99237cc3e142f53691b9b4acb6b94
Opcode Fuzzy Hash: a1da1925e8e17c945ae8f77446ec16b7c9ec7c8f7435d3893c4079585765a27c
Instruction Fuzzy Hash: B031A53170D3C08FC7025778D8193697FE29B86211F0941ABE546CB2D3CE684C0ED762

Function 08ED5A93 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae3af55b7ee8fb121f69982a4787c47ce6a0f86da3d133f6e32f29e4d9f57a7
Instruction ID: 7ad260e7c5df9a242ecb9a34f69be7413a19bd628ec5e4478abce70a98c52c42
Opcode Fuzzy Hash: cae3af55b7ee8fb121f69982a4787c47ce6a0f86da3d133f6e32f29e4d9f57a7
Instruction Fuzzy Hash: 38318D6280E3D1AFD7039B389CA46953F709F23254F0A41DBD884CF1E3E6245A09C766

Function 08ED09F8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993c900b5f1414aed7dd7cd80dc3d2e38a2f8b8fb8b39156d4b21adf1f185c3d
Instruction ID: bab3f373987978c71baf52a6ce87013d7a3a975061a1748fab34ed3204b7240a
Opcode Fuzzy Hash: 993c900b5f1414aed7dd7cd80dc3d2e38a2f8b8fb8b39156d4b21adf1f185c3d
Instruction Fuzzy Hash: C63146B69017499FDB00CF9AD980A9EFFF4FF49314F18806EE508AB211C775A945CBA0

Function 08EDEF16 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af942d860acede851c660c87bf351a28377dadab44dc7a51114b36e30f1304c3
Instruction ID: 99004f5477facd1e76737f39793549207a4c92a336c95c015edfa61bd8282718
Opcode Fuzzy Hash: af942d860acede851c660c87bf351a28377dadab44dc7a51114b36e30f1304c3
Instruction Fuzzy Hash: 77315A75D04219CFCB54DFA8E4886ADBBB5FF89302B11A559D406EB359EB309947CF00

Function 08EDCBD9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686eae9500abf337199852311e520d9b1215b59d6142131a122a4dd58ee388dc
Instruction ID: 207aeb7f3b1115b33991fc8bc0a2209fbf7f11eb9bd91c33fd8be57e531e866c
Opcode Fuzzy Hash: 686eae9500abf337199852311e520d9b1215b59d6142131a122a4dd58ee388dc
Instruction Fuzzy Hash: B431C275905318CFCB24CFA4C984BE8BBB5BB49352F20A1A9D40AA7341C735A98BCF10

Function 08EDEDA2 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f75aeec36f25daf665d3464f1a0cc1340210e8c2597ab35519d0cfc3ba7cb2
Instruction ID: ace5d4ea6c07699eefa5a249ee3ce930f11a6cf1f8d339813f78736a6c348d96
Opcode Fuzzy Hash: b2f75aeec36f25daf665d3464f1a0cc1340210e8c2597ab35519d0cfc3ba7cb2
Instruction Fuzzy Hash: AA219F7290874ADFCB05CFA4C4846FEBB79AF49302F10A665C415AB285DB30994BCB51

Function 08ED3EA0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e4960bff7a1b4b6cb60b3ff0b6433ecd59251f4cf643d600c1c3c3086850e0
Instruction ID: cca694aa5e2f1f815f9a01bda3d7d355796c250056ab0fa3db6a2a8e13bd7180
Opcode Fuzzy Hash: 94e4960bff7a1b4b6cb60b3ff0b6433ecd59251f4cf643d600c1c3c3086850e0
Instruction Fuzzy Hash: 13214F31E007098FCB11EB68C4446AEB7B4EF89211F00866AE919E7350FB709986CB92

Function 0111D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289280686.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdebc67eea202d5c9a632734fb4d3a54d111d2f0e4f3101307055c2d57edbca0
Instruction ID: d6bafc94466ad3cee83602fb8475e2b29a0f39705544c1d5cb5c1f882d5fcb24
Opcode Fuzzy Hash: fdebc67eea202d5c9a632734fb4d3a54d111d2f0e4f3101307055c2d57edbca0
Instruction Fuzzy Hash: 01212771144204DFDF09DF44E5C4B56FF65FB84314F20C178D9090BA5AC336E456CAA2

Function 0112D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289318521.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba759fd67d785ac0bc0e93cefcdf287e57e8c7d51d137a450f936bdcfc6d8ee
Instruction ID: 866cd8121ba979a1d35031392d504d0c86986db7127e49ae16edfbb680d279da
Opcode Fuzzy Hash: 2ba759fd67d785ac0bc0e93cefcdf287e57e8c7d51d137a450f936bdcfc6d8ee
Instruction Fuzzy Hash: FE214671504300EFDF0DDF94E9C0B26BBA5FB85324F20C56DE90A4B252C776D426CA62

Function 0112D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289318521.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890a75e2e8480086a80e99defc51ffbdc507f4aaba1d0b37bcbc66371414590f
Instruction ID: b2eb838a1f937b462dd7dfd7fb00fa08ac742b84677bc2f2399b91ca8a522f18
Opcode Fuzzy Hash: 890a75e2e8480086a80e99defc51ffbdc507f4aaba1d0b37bcbc66371414590f
Instruction Fuzzy Hash: 7E212275604340EFDF19DF54E9C0B26BB61FB84314F20C56DD90A0B2A2C77AD427CA66

Function 08ED3848 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c2724ed82f7a2414dcbd1616c7617c676294f030ea49d2188178d98d1824e9
Instruction ID: 694e4481389a8b170f65291c0d0e654fc8cf29defd3611e37120f65d4426587c
Opcode Fuzzy Hash: 57c2724ed82f7a2414dcbd1616c7617c676294f030ea49d2188178d98d1824e9
Instruction Fuzzy Hash: C8211575B1020A8FCF44DF69C8944EEF7B9FF89300B108569E905B7355EB30A945CBA1

Function 08ED6A90 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cbb8fb4797713fa22035098b5d37695efe3a40bf2df109e3baf5a62d4b49dfa
Instruction ID: 336ff0a199a7dd9e62c2afcf136b49e6f300fad4f611b7e8e46ea620ebc41868
Opcode Fuzzy Hash: 6cbb8fb4797713fa22035098b5d37695efe3a40bf2df109e3baf5a62d4b49dfa
Instruction Fuzzy Hash: 4E213A31B40304CFDB049BB89854A6A37E6EBD8311B20503AD606DB394DE70DD0647D2

Function 08ED6A80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f520a4de0f2436e3ecb82321aa5526e9d663e2a9ff8342b4301abec17950305
Instruction ID: 44c2c2427f4348560c3fa34d6240e9e5eeb0df7027ea84f7487bf9a1799462ac
Opcode Fuzzy Hash: 4f520a4de0f2436e3ecb82321aa5526e9d663e2a9ff8342b4301abec17950305
Instruction Fuzzy Hash: 0C115972B44300DFDB04CF689954AAA37F6EF98312F14517BD502EB2A4DA74CD0A87D2

Function 08EDEF67 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fdcdea0847d841884db33d0aa7cffbefc90e59a06741d037a61fed8caa71efd
Instruction ID: 5893c600fd3d21c7bd69a6c73dc2187e3d460297a0931c3f487fb334e02983ba
Opcode Fuzzy Hash: 4fdcdea0847d841884db33d0aa7cffbefc90e59a06741d037a61fed8caa71efd
Instruction Fuzzy Hash: 09314871D0420ACFDB40DFA8D54869DBBB5FF49302B11A61AE416EB399EB309846CF40

Function 08EDBF11 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9016b638226e016d83280b87e1143a03d34c61a7f8c3ca702732be231fbd5c2
Instruction ID: b1ee417a7e47d2624b71c0258df0656a9fa88305ea01530144dc891e0408c6a8
Opcode Fuzzy Hash: c9016b638226e016d83280b87e1143a03d34c61a7f8c3ca702732be231fbd5c2
Instruction Fuzzy Hash: 7721BE7190824ACBCB00DFA8C8402EEBBB5FF89311F119569C45477242E7746E46CFA1

Function 08ED3839 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915974d6726305dfee46ee58874678acaa07150946fc926df21b47b218338922
Instruction ID: 5d41710a9043d89c5af9840505e21566109b3fb76d7472252fe937b1c544fb81
Opcode Fuzzy Hash: 915974d6726305dfee46ee58874678acaa07150946fc926df21b47b218338922
Instruction Fuzzy Hash: F2218375B002058FCF04DF69C8949AEBBB9FF88300B04856DE905E7355EB30E909CBA1

Function 08ED0394 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12be292ac883c26d984d6e5ee93706c79292b665c91aa9489523a97df913c7ab
Instruction ID: 9a59d201d256e19ee2baf8559d22f21abccc4d0cd56458e7185a2f0d69c4d5df
Opcode Fuzzy Hash: 12be292ac883c26d984d6e5ee93706c79292b665c91aa9489523a97df913c7ab
Instruction Fuzzy Hash: 7A2124B19007499FCB10CF9AD984A9EFBF4FB48314F64402EE419A7300C374A904CBA4

Function 08ED1FB8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f468884fab226b68bdecfa06e3de2c5cad4789032938d92eaf261afc20e071c0
Instruction ID: 9a729f8a5693da6ceeb43e790663f1843193013d9aa75d15325094caad3f65c9
Opcode Fuzzy Hash: f468884fab226b68bdecfa06e3de2c5cad4789032938d92eaf261afc20e071c0
Instruction Fuzzy Hash: A5218CB59003099FCB10DF99C445BAEFBF4FB88325F14801AEA55AB384C775A945CFA1

Function 0112D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289318521.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fb1971d7295521cccbd1976e677e656140024b09537c385942bcbca6face47
Instruction ID: 87892c1146cafec2ded4047545a1ea57688941b114262252775c5919f64ef722
Opcode Fuzzy Hash: 26fb1971d7295521cccbd1976e677e656140024b09537c385942bcbca6face47
Instruction Fuzzy Hash: 3D2180755083809FCB06CF64D994715BF71EB46214F28C5DAD8498F2A7C33A9816CB62

Function 08ED4FA4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2015f684972d2e44008a959a344908ee59fbada984d8fc6c94d96838482ea21f
Instruction ID: 4707c5af321e0aa895a7913ea54890333a5125ff11243fda78269406abc16f99
Opcode Fuzzy Hash: 2015f684972d2e44008a959a344908ee59fbada984d8fc6c94d96838482ea21f
Instruction Fuzzy Hash: 6611D0B2D0824ADFCB01DFA4D8905EDBFB1FF85305B0091EAC111AB2A5DA344A0ADB91

Function 08ED1FA9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614cf3febd38f27b43145bcbd705b03cf1bdcec17dbdd12a4c84798653c36a5e
Instruction ID: 65083f70216b79e8edffbddba99c34c51eb85f7cf701bfda1d9195ffb89697ec
Opcode Fuzzy Hash: 614cf3febd38f27b43145bcbd705b03cf1bdcec17dbdd12a4c84798653c36a5e
Instruction Fuzzy Hash: FE2143B59043498FCB10DFA9C445BAEBBB4FB49325F10801AE955AB380C779AA45CFA1

Function 0111D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289280686.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 7687468345984c4c1f8a5a85556a283b6b5a18fad60cc8c0bee7d14312f3b662
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 6A11CDB6404280CFCF16CF44D5C4B56BF61FB84224F2486A9D8090AA5AC33AE456CBA2

Function 08ED539C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efccb49fde4f6f9cf741b6942fc8bf9138e54762a411d6fb4d9f72ff2a6f787
Instruction ID: 786d43bf70ab51b44641fbd1fa4a75e174569ec0aac8da230ec8c08f95543b68
Opcode Fuzzy Hash: 3efccb49fde4f6f9cf741b6942fc8bf9138e54762a411d6fb4d9f72ff2a6f787
Instruction Fuzzy Hash: 6C2103B68003599FCB10CF9AD984ADEBFF4FB48324F50842AE919A7300C375A954CFA1

Function 08EDC848 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375778df6e698aff2d8917382ecf44a1bb7b9499d09f23d829c28c2bc8027de2
Instruction ID: 8d7ffa5e6760e979db629da124cbdc6f56f431af43aba4c561f7932ff4f68b99
Opcode Fuzzy Hash: 375778df6e698aff2d8917382ecf44a1bb7b9499d09f23d829c28c2bc8027de2
Instruction Fuzzy Hash: D321F9B1D046189BEB18CF97D9547DEBEB7AFC8305F14C06AD40866254DB750946CF90

Function 0112D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289318521.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 5faaf7517426adfe80a43e364a7ca644e8ffdd620e41fe8e7e379364fdb50999
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: F711BB75504280DFDB0ACF54D5C0B15BBA1FB85224F24C6A9D8494B2A6C33AD41ACB62

Function 08ED3937 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e882b24329c9d7d50620c519b3710ba1f7fdb84398b0fd926fee720da186ddf
Instruction ID: 38172c882c26fb5406a4664f4ba83d969a970fb256a0d1baa421c9c2d9b1ec49
Opcode Fuzzy Hash: 8e882b24329c9d7d50620c519b3710ba1f7fdb84398b0fd926fee720da186ddf
Instruction Fuzzy Hash: AA01D6363102108FCB40E75DD89456DBBEADFC9611F1480BBE509CB361CE619C0AC791

Function 08EDD2ED Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff25e7a7cb915077734c6155b59e901f16c6866a03ea9719ea1c58b292026100
Instruction ID: c4a2c1119e1f37f29df64ced97a77a7d9c9bdefd710797a31e351e7cf72071b2
Opcode Fuzzy Hash: ff25e7a7cb915077734c6155b59e901f16c6866a03ea9719ea1c58b292026100
Instruction Fuzzy Hash: 53116D71A05245DFD700CF88D9D09EEF7B6BF0A301B25A694D409AB206C734F98BCBA0

Function 08EDC858 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4462f1664ffcb809107394d4f123487ce75c157f020c5d23ba990d2762936cb
Instruction ID: e693f03959d257ce96af1bb9e0844ecd190fa05f3de1bb35126b7fed757edc7b
Opcode Fuzzy Hash: d4462f1664ffcb809107394d4f123487ce75c157f020c5d23ba990d2762936cb
Instruction Fuzzy Hash: A61190B1D006189BEB18CFABD9457DEBAB6AF88304F14C06AD90866254DB75194ACFA0

Function 08EDB9F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af979e380194cfb7a1667d4389e99cdfb03eec6290d35f641362d6d4c207c31
Instruction ID: 514f58f9bed82da88e515575e91e7984f5da5625b8161860a73b7ba84f223d65
Opcode Fuzzy Hash: 7af979e380194cfb7a1667d4389e99cdfb03eec6290d35f641362d6d4c207c31
Instruction Fuzzy Hash: 8911D379E042599FCF05CFE8C8949EDBBB2FF49310B1481AAD908AB265D6756805CF41

Function 08EDD6A9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902b16c3af9f1ff17c486349b26f5062e42dce6147604e9bd84fb16a8db897c2
Instruction ID: 23fc907537c3d656c949c72d2edd91577d115bd4aa5d30a5f1b05340d45faf20
Opcode Fuzzy Hash: 902b16c3af9f1ff17c486349b26f5062e42dce6147604e9bd84fb16a8db897c2
Instruction Fuzzy Hash: 8501B17660D348CFC301CF55DC40AF9BBBCAF4A302F14B2DAD4195A192D7348A0ADB90

Function 08EDD721 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b07ea20fdd15bca4db4b6ed9eec4a8027286061895be4f05b584ec5baf8148
Instruction ID: 70e839ab906d0bdf0da217a4cf3f722a8b994bd34a0bc10f4757b00cfa9a436c
Opcode Fuzzy Hash: a5b07ea20fdd15bca4db4b6ed9eec4a8027286061895be4f05b584ec5baf8148
Instruction Fuzzy Hash: 0B018C3AA08204DFC701DFA4DA85AE9BBF5EB49301F1591D5D8089B3A2D6309E46DB40

Function 08ED6210 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5afa92a0d5cbddd6ee83414e1adb5dc0d7e52136362ce542642309e28fd179
Instruction ID: 92443aed676e3d67da173cb5ac46d4c28e88c72d4f021e6870316a892ca5ffe3
Opcode Fuzzy Hash: 6f5afa92a0d5cbddd6ee83414e1adb5dc0d7e52136362ce542642309e28fd179
Instruction Fuzzy Hash: 2101D633208274CBD7118AA9A8407BA77A5E7A9229F45963BF015CB2B1D734C80A83D0

Function 08EDD349 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffd8e988f9e4a897648683f4c5ec3bc034e52c912267cf36fdacb88358bbbc0
Instruction ID: 04c5abfdb37dec88530c80d5d4e1d9799ef88a28684f9f164cc8254a5f364335
Opcode Fuzzy Hash: cffd8e988f9e4a897648683f4c5ec3bc034e52c912267cf36fdacb88358bbbc0
Instruction Fuzzy Hash: AE112E75A05205DFD700CF94D9909AEF7B6BF4A301B25A254D415A7206C734F98BCBA0

Function 08ED1108 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5da82d90920538e1127c50409ce0c326f0e19d3918a2be06e1bcc36a151b671
Instruction ID: 7dfb69c54f5be5ff00093e0f6e4ccdcaf7ac40b32cf3c2f833ed87e4e8c82c58
Opcode Fuzzy Hash: d5da82d90920538e1127c50409ce0c326f0e19d3918a2be06e1bcc36a151b671
Instruction Fuzzy Hash: EF117C71E0021ACFDB04DF68C9517AFBBB1EB48304F04862AD911E7390EB749545DB90

Function 08EDC9D6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1be8ce00dc94e16e44366f8f3d17ee02cc82555e1103adc80abc3e7d916c42
Instruction ID: c97362995de5cebf42101ba8a4af1e2d982abd7d41ba84acf2e6743e12423984
Opcode Fuzzy Hash: aa1be8ce00dc94e16e44366f8f3d17ee02cc82555e1103adc80abc3e7d916c42
Instruction Fuzzy Hash: 9611E934905318CFCB24DF64D989AA8BBB5FF49302F1095D5E409AB255C730A986CF10

Function 08ED4F03 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce2b67351b068bbe2602521bf411fc0835cec2946b25d378a7917443d96e4b5
Instruction ID: aa728edef9d37cb3a0265bbb8962e9bd8a85bfe215f9778df1d836cb782b811d
Opcode Fuzzy Hash: 9ce2b67351b068bbe2602521bf411fc0835cec2946b25d378a7917443d96e4b5
Instruction Fuzzy Hash: A3112DB1D0020EEFDB04EFA8D9816EEBFB1FF88304F1085AAC115A7354EB345A459B81

Function 08ED1118 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb93da92080c1918eae5f9adf0f1bc3f663bb16b6be7668323a051da316e03e9
Instruction ID: 7bc806a5dad7a875dd18e025f7ac869152a7bc044c8a00d885745910d88b7a2a
Opcode Fuzzy Hash: eb93da92080c1918eae5f9adf0f1bc3f663bb16b6be7668323a051da316e03e9
Instruction Fuzzy Hash: 4E016971E0021ADFDB04EF68C8117AEBBB1EF48304F108629D915A7390EB749945DB90

Function 08EDD365 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae861fce5b9f33f78aa911ec679892521e476473ab8b745e9c1d4648ea4cf8b4
Instruction ID: 587ebc5009a647f5f48a870ca5dcff5f344a0373c0aa278627068d18e49a6139
Opcode Fuzzy Hash: ae861fce5b9f33f78aa911ec679892521e476473ab8b745e9c1d4648ea4cf8b4
Instruction Fuzzy Hash: 8D011A72A0A218DFCB44CF85D9809FDB7FABF4E302B10A254E41997216C734A94BCF90

Function 08EDD730 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88401027a5948e966c8fd7472a35450f47955e6c7a4114812b65011ddb8b46ae
Instruction ID: 5000e111954debe77e8829aba1fa5596da34b525613def8273268cfb5af6d83b
Opcode Fuzzy Hash: 88401027a5948e966c8fd7472a35450f47955e6c7a4114812b65011ddb8b46ae
Instruction Fuzzy Hash: AF012839A04208EFC705DFA8CA84AADBBF5EB49301F15D0D4D8099B365D6309E05DB40

Function 08ED4F10 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508a87979167134bfe8e925c7cb9c24817812b7ec426801971c46b4de9155a56
Instruction ID: bf0384b3b546582dd5552f30ea3a5b92a3e57eddbf9a32648349c0097ebda834
Opcode Fuzzy Hash: 508a87979167134bfe8e925c7cb9c24817812b7ec426801971c46b4de9155a56
Instruction Fuzzy Hash: 91010CB1D0020EEFDB04EFA8C9906AEBFB6FF84304F1085AAC115A7354EB345A059B81

Function 08ED1620 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e4a9c9ee1cc3868b07eb2e45e00dbe789edb168258b687043383f46d963c02
Instruction ID: 0934a7e44aba5c05a3fb84065f6df8e5e2dd8c8ad78d6b69e63ccb30e2ad6d12
Opcode Fuzzy Hash: 83e4a9c9ee1cc3868b07eb2e45e00dbe789edb168258b687043383f46d963c02
Instruction Fuzzy Hash: 7A01623291070A9BCF109F75D8448D9FB79FFC5315F11862AE50567210EB71A599CB90

Function 08EDBA8F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0ad5007fb3b9cf206da1ce701624be321f0defcfeaedc2a021d781a1b7d2f6
Instruction ID: eefe500d9067e66341d5a55ace5492d432275699f82e919da03d6b55f9851fb7
Opcode Fuzzy Hash: fb0ad5007fb3b9cf206da1ce701624be321f0defcfeaedc2a021d781a1b7d2f6
Instruction Fuzzy Hash: 6701BB75E08308CBCB04DFA5E5856EDBBB5FF99312F21A029D51AAB358E7349806CF50

Function 08EDEE23 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c5cd30f242ff0ba279ca0fceb7394e351d0d4ff845656329042a298f354618
Instruction ID: 6ecb5e501de207f7e86abca6159714ae02999844f7e38f645e28e624beaa756f
Opcode Fuzzy Hash: 71c5cd30f242ff0ba279ca0fceb7394e351d0d4ff845656329042a298f354618
Instruction Fuzzy Hash: 450117B4A04315CFDB60DFA8D44949DBFB5FF89216B60921DD816A7346DB346843DF40

Function 08EDDF80 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceab9adfab8ffceafc807ddac83cfd1e4d8c46359cd29a8d29f1e11942d1d0b8
Instruction ID: 3ff34501fbb542462fc6858db2060d5a0bff267a5422fab124a4eb75bab6f58a
Opcode Fuzzy Hash: ceab9adfab8ffceafc807ddac83cfd1e4d8c46359cd29a8d29f1e11942d1d0b8
Instruction Fuzzy Hash: 47015AB5E092899FCB40DFA8D9546AEBFF0BF08301F14819AD854A7381E3349A41CF91

Function 08ED3948 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c1edb06e34ff0ae18ae4c5fb2b640c5481ef8cf3f0dca9814c33598e0aac65
Instruction ID: 2443dceafff8778df2bf210b5d31b37b46e7a21f4a6d91a0ba1fdce887d58dc9
Opcode Fuzzy Hash: c5c1edb06e34ff0ae18ae4c5fb2b640c5481ef8cf3f0dca9814c33598e0aac65
Instruction Fuzzy Hash: 8BF054353505108FC684976DC89893D77EADFC9A21B1540BAE50ECB374DF60DC02CB90

Function 08EDB087 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20be4c17748f10d3fa5612bfe22057428021c2bf30ae1507e1057872cfd1c87
Instruction ID: 7dbb4465c47c0c607f6fb9c0edf598e4b4b7602114c17acc6dc3d24ec893ec2a
Opcode Fuzzy Hash: a20be4c17748f10d3fa5612bfe22057428021c2bf30ae1507e1057872cfd1c87
Instruction Fuzzy Hash: 04F0A47290A315CBCB44CB58DCD09EC7739BF8A316F1126A9D20AAB196E770194E8B11

Function 08EDC97C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e83da8b4bb412ed561a90c46ca3984a6db20006db21f93ddce75a2febdff46c
Instruction ID: 50504899e3a3ba00435d36198e654c0a3bdce1276bb8078248e5a32cd29caea8
Opcode Fuzzy Hash: 0e83da8b4bb412ed561a90c46ca3984a6db20006db21f93ddce75a2febdff46c
Instruction Fuzzy Hash: 3F010074A09328CFCB25CB60C955AE8BBB6BF0E302F1050D9E409AB251C731AE86CF00

Function 08EDD919 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9ed724ca12805b361aeb02d12744bd60cabf107905f4694d9659c75f021c58
Instruction ID: 420cb3c9b752b91c1ec328f71a99a019c4c4b373381ab2a378503dcb72f39ba6
Opcode Fuzzy Hash: 3f9ed724ca12805b361aeb02d12744bd60cabf107905f4694d9659c75f021c58
Instruction Fuzzy Hash: D2F06DB1E0030A8FDB04DFA8D8416EEBFF0AB08310F10996AD904E7340D77586498BD0

Function 08EDDF90 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2b819c3b8bdfecc868764b8f84dc1f5b5d9c4d1fc749c7234610a440edd464
Instruction ID: 3050185c2064d69facadd84c90adb9af9678e9a935398b345aa10c4429f4475a
Opcode Fuzzy Hash: 6d2b819c3b8bdfecc868764b8f84dc1f5b5d9c4d1fc749c7234610a440edd464
Instruction Fuzzy Hash: 1401F674E042499FCB40DFA8D584AAEFBF1BF08301F1082AAE854A7340D7349A41DFA1

Function 08EDCD58 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca3df73d123745a6698469a566b090b9ba3d033e7fbacdcdfb8ec2b2f0c63b6
Instruction ID: 519e34510d250c558830aa647d284df79bf855e3f53ff8f84caa9ca803ae2038
Opcode Fuzzy Hash: cca3df73d123745a6698469a566b090b9ba3d033e7fbacdcdfb8ec2b2f0c63b6
Instruction Fuzzy Hash: DAF09775509314CFC755DB60D5949E87BBAFB4E352F606095D40AAB311C735A88BCF10

Function 08EDF1AE Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6e214a6fea948af6ed46663ac32d04d80886c0c9be5a2261b551e734e3d55c
Instruction ID: 7697541e7cb437978fc180ffa07f7f1863870622b035b6bcf34642a52fba8116
Opcode Fuzzy Hash: ac6e214a6fea948af6ed46663ac32d04d80886c0c9be5a2261b551e734e3d55c
Instruction Fuzzy Hash: 5CF087B49093188FCF00CF68D48969C7FB2BF98312F90912AE80AAB311CA345886CB10

Function 08EDD928 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84150b39dbe3eb558bbcdb28dbc6123daae1979cc363a63742980f901806b9a
Instruction ID: 7e79b1cd2e499b1db33a66fbe2a54ccf9d7b7e08245b9496ddeca0e8ad10f5df
Opcode Fuzzy Hash: e84150b39dbe3eb558bbcdb28dbc6123daae1979cc363a63742980f901806b9a
Instruction Fuzzy Hash: B0F0DAB1E0430A9FDB44DFA9C841ABEBBF4AB48210F1059AAD918E7240E77195498F91

Function 08ED37F0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3f2431df8082a0d058a836993af949da3a3b9837882e8ba7b3ff5f50216aa0
Instruction ID: 4f538fb6ddc3ce3a169533e72e51ab99184c624d180d7351e1418742da29428b
Opcode Fuzzy Hash: 6c3f2431df8082a0d058a836993af949da3a3b9837882e8ba7b3ff5f50216aa0
Instruction Fuzzy Hash: 11E09272B10B100B4B0CEB6FA40486AF6DBAFC8610304C47ED50D87B69FE309C428A84

Function 08EDD660 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e28ed725a68aa44b132153a220abdda49c118b46edee3c54653b892ff53ce01
Instruction ID: b613684a70a32f474cb55de45af5f0c0634fc753d1a81b29e36dbc512e35789b
Opcode Fuzzy Hash: 8e28ed725a68aa44b132153a220abdda49c118b46edee3c54653b892ff53ce01
Instruction Fuzzy Hash: 6BF06DB6409388AFC702CFA4E8547EE7F79AB06302F10419AEC549B282C3384A55DFB1

Function 08EDEDB0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ac942effe6ae475cfa18ee2f4a36b28a0b04383ccf2ff98d186fbd33458974
Instruction ID: 1405a6963b1f48a84762f3b8eba9610a80f90ef94899fd222b7ca3fce6e11f84
Opcode Fuzzy Hash: 88ac942effe6ae475cfa18ee2f4a36b28a0b04383ccf2ff98d186fbd33458974
Instruction Fuzzy Hash: C8F0E532408346CBDB04DF69C4497E97BBDAB84303F00A139C50566258DF70494FCB61

Function 08EDD859 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5343ca343abbc1e6269b8b3b99d93b69696c243d6babc3cf14b261defa0d4c
Instruction ID: 71a5063e1d5c4383dbbc7574bc75cdbcf41c91e0ab3c29d8b4d00039a2073076
Opcode Fuzzy Hash: 5c5343ca343abbc1e6269b8b3b99d93b69696c243d6babc3cf14b261defa0d4c
Instruction Fuzzy Hash: 36E092769803159FD351CF68E5066CABFF0AF04725F34D295D029EB7A1D73451464B80

Function 08EDCA2E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7fbbc21cd966ef5473bccdc8d71aa8856a1f7c560e5e7caea989a06723b72b
Instruction ID: 405a6e63690a2a86e3c572b763c61939b79d423a38f1b98bfeae91e3f0a72b0d
Opcode Fuzzy Hash: 4b7fbbc21cd966ef5473bccdc8d71aa8856a1f7c560e5e7caea989a06723b72b
Instruction Fuzzy Hash: 3CF01C35209304CFCB159F60C564AA47B7AFF4A307B5160D9D40E5B262C735DC8ACF10

Function 08EDCCCB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e38ea73ad5a9637cc19eb51d49e26f63f0b7d16e1f1c546ec4b7020cdb4343f
Instruction ID: 941a67d21923383ddf583f871ee52a6dfef2618a4b676a9c896be091d9fad157
Opcode Fuzzy Hash: 4e38ea73ad5a9637cc19eb51d49e26f63f0b7d16e1f1c546ec4b7020cdb4343f
Instruction Fuzzy Hash: 9AF0DA79905258DFDB91CF68D894B99BBB0BF0A304F2460C6D489B7312DB346A85CF12

Function 08ED7448 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cb36fc53514fd24d3a477b83893a77d2415af6bea4906e78c4f83e0b7d1877
Instruction ID: f3a6896e6b257ca88bc04e39c58f964445d1c209fb5b02be8222718ae9cc2c18
Opcode Fuzzy Hash: 23cb36fc53514fd24d3a477b83893a77d2415af6bea4906e78c4f83e0b7d1877
Instruction Fuzzy Hash: 74E06D34A01245DFEB019FE8DA8976E7FB1FB45301F000527D802E3382DA3889568792

Function 08EDB2A2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0737d73d2c78c9452552ba6201ecb3c0f6238234576a358277c0ad44d5f34989
Instruction ID: b4c2f56ac97219714a00ab1343cb7e91ea3930c6d81ced64fbdafae28eda1f45
Opcode Fuzzy Hash: 0737d73d2c78c9452552ba6201ecb3c0f6238234576a358277c0ad44d5f34989
Instruction Fuzzy Hash: 11E04F77A06305CFCB14CB68DDD06EC777ABBC9322F0236A8D509AB251E670594A8A01

Function 08ED37E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab8c0cfb90b960e9aa8974dec0640e6fe7a3ed91fda80a27bcfe2761554ca65
Instruction ID: 336139c349f1f802b4f21cc1c63a9b919f8d1b6af2ad06150da68dbe6a1c1073
Opcode Fuzzy Hash: 1ab8c0cfb90b960e9aa8974dec0640e6fe7a3ed91fda80a27bcfe2761554ca65
Instruction Fuzzy Hash: 37E0C277B11A900FEB09DFB9D540A57BBB3BFC4210708C5AED14A4BB6AEA305906C785

Function 08ED09C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8471b6846b0f18941d36fe564d7879ce15860a5f4787c73799fc4a0d590fdd85
Instruction ID: 408ce4d7d211b4dfac5149f1999dd8eac9fd260bda3e9a7c9254cebff83802aa
Opcode Fuzzy Hash: 8471b6846b0f18941d36fe564d7879ce15860a5f4787c73799fc4a0d590fdd85
Instruction Fuzzy Hash: CED05B335021947BCB029795B800F467F7CAF86914F09C057E5044B132D766956597D0

Function 08EDB745 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd6907fb66fc3644c5c3ee51d4ffff8884a120175b40eebf36bfac4edf5bbc9
Instruction ID: a79247414fc49859c66dc56aee8c87af354b307c19fbc21e9516acc79927b51f
Opcode Fuzzy Hash: 2bd6907fb66fc3644c5c3ee51d4ffff8884a120175b40eebf36bfac4edf5bbc9
Instruction Fuzzy Hash: E2E0DF7650A205CBCF009B18C9982A87B35FB86312F1027E8D009A6146E7709A468F42

Function 08EDD868 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a5afe14bddd7111b6d1bd0b70723300b04bdce42298084f1e31f7b45720f35
Instruction ID: 482ef95224ad348f3e38f58ae38d8d208ea8b7e6bfe9aa7b1a7e22a78bae4ebd
Opcode Fuzzy Hash: 02a5afe14bddd7111b6d1bd0b70723300b04bdce42298084f1e31f7b45720f35
Instruction Fuzzy Hash: B1E092B5E4020A9FD780EFA9C945A9EBBF0AF08604F11D5A9D019E7221E77496058F91

Function 08EDD670 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7679aa6a363e8c7eb939c0c684977c6c688346fe9b470916f3b2686faf7a4db6
Instruction ID: a0e49eebd8b022e4b8d3165d96338fc560ed984d4fdfdfc421afbe95292d3847
Opcode Fuzzy Hash: 7679aa6a363e8c7eb939c0c684977c6c688346fe9b470916f3b2686faf7a4db6
Instruction Fuzzy Hash: 29E08C75804208EFC714DFA4E4456ADBFB4BB05302F1081A9E80856240C7349A95DFA4

Function 08ED8C58 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d536bafc72d2bd36e28cb0558237dba0be0752d8d35442e48b5a72be5ebb6530
Instruction ID: d7eb8ed216c7e6c292952bfa1f51280ace2ee9d4994deeecfcbd968b7b7e3466
Opcode Fuzzy Hash: d536bafc72d2bd36e28cb0558237dba0be0752d8d35442e48b5a72be5ebb6530
Instruction Fuzzy Hash: 81D02B6200D3A4EFC7064A6088942D53B38EF07202B5901F7D541CA013D104480FC763

Function 08EDDA60 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9c5b806a3189e746afa960b5b42a054749d10f08ae0ddfe8ee6e4aa1b9b1b0
Instruction ID: 63bb4b8d38e0732f86b0162fc268ed3af4cace33125ebfe0620a818d44081b6e
Opcode Fuzzy Hash: 6e9c5b806a3189e746afa960b5b42a054749d10f08ae0ddfe8ee6e4aa1b9b1b0
Instruction Fuzzy Hash: F3D0123725430C9F4B40EE94E840C52BBDDBB15714B00D436F504CB130F621E52AE751

Function 08ED09D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2c60772cc12243f4928a8b8a5b2b553d5826df92ef859b9922f0de317ba0d6
Instruction ID: 1e08f9dd2bc4ce542ed9d290115bed7dfa3dd56da6ff388c27b3479e25f76d80
Opcode Fuzzy Hash: 9c2c60772cc12243f4928a8b8a5b2b553d5826df92ef859b9922f0de317ba0d6
Instruction Fuzzy Hash: FCC012371005187B8A01AB85D800C86BBADAF49654709C056E5088B121D632E51697D0

Function 08EDD025 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80131692e1cd48a91608386500aba8fe7b4a64b0bbda21b33b311ffd801a5580
Instruction ID: 8a509bfc09a0689f95d8c32e1efa2634d1dbf8e382eabc7b0cc377c2649bbb5c
Opcode Fuzzy Hash: 80131692e1cd48a91608386500aba8fe7b4a64b0bbda21b33b311ffd801a5580
Instruction Fuzzy Hash: 92D09E3010D204CFC7555F64D4ADAA87778FF4A30375060E5E81E6A156C7359846CF60

Function 08ED77AA Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3a454947234c33c260a122752348f890e115771c9c2f3ceda17b0729ed150d
Instruction ID: 0337de07704bdf12adcfa8f9cad4b52e7b58da5d60e962e62670cfe0342a8fe5
Opcode Fuzzy Hash: 6b3a454947234c33c260a122752348f890e115771c9c2f3ceda17b0729ed150d
Instruction Fuzzy Hash: 24C09BE721E3C01FF70757705C919D21F28C9777153495483D954F9152C515855EC277

Function 08EDCD76 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7fd5a639dbdc81cadc555f4ce04a24863c7a7b82291282ada24d02cf32794e
Instruction ID: 39b9cc828eb4c9bb1af6527d04d7be51431eca4a113fb47615133e8f1d36a91a
Opcode Fuzzy Hash: 4f7fd5a639dbdc81cadc555f4ce04a24863c7a7b82291282ada24d02cf32794e
Instruction Fuzzy Hash: FBD0C97AA04318CEDB60CF54C850BD9BBB4AF09346F206097C149B3300D6305A8ACF57

Function 08EDAF48 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600d918de936e18a61140911de7e6d730636637e1e6f24301ff0d8818964a76b
Instruction ID: 93d4c13fa5476bf063e6ca3fbf2802f9c79a920af164ba079f882e1d0653d5f9
Opcode Fuzzy Hash: 600d918de936e18a61140911de7e6d730636637e1e6f24301ff0d8818964a76b
Instruction Fuzzy Hash: A4C08C3204430487D3142FA2F68E3283B687B0031BF040068D90C000208AB88940CA21

Function 08EDF54F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6604810b59f1bf884dc0efce68b005afe52c524b26d20608568fdbc1f84a9be8
Instruction ID: 0f7f097df17e322934aa3d0423b8407c4ea896281d0bd7607d1077baa697735f
Opcode Fuzzy Hash: 6604810b59f1bf884dc0efce68b005afe52c524b26d20608568fdbc1f84a9be8
Instruction Fuzzy Hash: 85D0C971504606CFDB109B18D18958C7FA8BF94302B046615C40496155DA3064478E40

Function 08ED5B24 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a503a1d4c9d8ba2417411fcc1ee36bde00af814d66ce9e1908f8186913338d8
Instruction ID: 0a427cb9fd175e6930bf6080b97a27c7c67d63255bd617c993d44bac91ce2a4b
Opcode Fuzzy Hash: 1a503a1d4c9d8ba2417411fcc1ee36bde00af814d66ce9e1908f8186913338d8
Instruction Fuzzy Hash: 13B0123F196384E1E4042FE48CC8C6A7C50EBF1703B80FC0ABF4C14040C8A0482E922B

Non-executed Functions

Function 08EDF5A2 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c2548da1065efd6874f6f57c563b360ead0fc66ed0bc6889024bb273706b46
Instruction ID: a2be76e2e7a210755fac8c80a2f513d9e51d20589b16f7192de5d3c02de07c20
Opcode Fuzzy Hash: 51c2548da1065efd6874f6f57c563b360ead0fc66ed0bc6889024bb273706b46
Instruction Fuzzy Hash: 10E10975E00219CFDB14DFA9C580AAEFBB2FF88305F249269D415AB355DB30A942CF60

Function 08EDF9E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2316878544.0000000008ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9978c50aa1b61f4e3869075e521ac703027473a95c36de32b591814f9ba0e97a
Instruction ID: 18aa1eb218b01b1aeec17092cd8ca27d7487b8f25b2c750c8895c40c8cfe314e
Opcode Fuzzy Hash: 9978c50aa1b61f4e3869075e521ac703027473a95c36de32b591814f9ba0e97a
Instruction Fuzzy Hash: 35E12B75E00259CFDB14DFA8C590AAEFBB2FF89305F248169D815AB355DB30A942CF60

Function 052AD5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2309874201.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32028a37ba08e4772b000dcf2b25c4c25d9c4ab289484e7f14d0f05689363fe1
Instruction ID: f4518f937e3fb1e89a7d82c3abaeb06c1edd24f8b7a14c2dc058b70f33b30c9f
Opcode Fuzzy Hash: 32028a37ba08e4772b000dcf2b25c4c25d9c4ab289484e7f14d0f05689363fe1
Instruction Fuzzy Hash: A6A18E36E20206CFCF05DFB4C9545AEBBB2FF85300B15816AE806AB265DB75E915CF40

Analysis Process: 97q26I8OtN.exePID: 7072, Parent PID: 2536COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	6.5%
Total number of Nodes:	550
Total number of Limit Nodes:	66

Executed Functions

Function 0041A3DD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

rMA, xrefs: 0041A41D, 0041A424
1JA, xrefs: 0041A3FC, 0041A408
rMA, xrefs: 0041A402, 0041A410

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: 5c0496517f31d97c259472048ca822b0fbab862c9f6c5a7a438ed9b1a19d9914
Instruction ID: 6b0eadeb9f920fdd354d08d6441780c3440f976d83cb28858d5aec770868b797
Opcode Fuzzy Hash: 5c0496517f31d97c259472048ca822b0fbab862c9f6c5a7a438ed9b1a19d9914
Instruction Fuzzy Hash: 8BF0B7B2210108AFCB14DF99DC80EEB77A9EF8C364F158649BA1D97291C630E851CBA0

Function 0041A3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

rMA, xrefs: 0041A41D, 0041A424
1JA, xrefs: 0041A3FC, 0041A408
rMA, xrefs: 0041A402, 0041A410

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0041A382 Relevance: 1.6, APIs: 1, Instructions: 53
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 384f15d26221d1ce35fc860fbf05f01770ee111a2540979e292dd623a0094b7d
Instruction ID: 1d50eb2daa8320807c68a08b6faf5cc2ae5bd794e9842ed8d656efd9c24861c4
Opcode Fuzzy Hash: 384f15d26221d1ce35fc860fbf05f01770ee111a2540979e292dd623a0094b7d
Instruction Fuzzy Hash: C00129B6209148AFCB04CF98DD81CEB37EDAF8C314B14864DF958C3241E630EC118BA4

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Function 0041A330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Function 0041A58B Relevance: 1.5, APIs: 1, Instructions: 39
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2e6ef2fa9001d2d9cf9345e573db39239b86da486cd1fbfce64457679fac3d55
Instruction ID: e2f7334f55054fde19e298c53a6b0f2b5d857b1dd4677e4b8f5d9aa6102ffb42
Opcode Fuzzy Hash: 2e6ef2fa9001d2d9cf9345e573db39239b86da486cd1fbfce64457679fac3d55
Instruction Fuzzy Hash: 77F09AB12012086FDB14EF98EC85DE7B7ADEF88764F10455AF9489B201C531E954CBA0

Function 0041A510 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A45A Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6e6c5e82ca89ed4a42ba518b5317fd08a5cbb145625d4d903a2a484f9fb4b5bc
Instruction ID: 6fe4d53e7d8ec6a6d060faccbf19106aef2bcb785c60214f3d9d71c46fb769f5
Opcode Fuzzy Hash: 6e6c5e82ca89ed4a42ba518b5317fd08a5cbb145625d4d903a2a484f9fb4b5bc
Instruction Fuzzy Hash: A5E08C752012046BDB20EBB58C89EEB7B68EF44364F14419EFA4DAB652C930A6418A90

Function 0041A460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0

Function 018A2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2BFA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 47f58f72c80b1f52cd17e4b10c0dbfe5d830b2d6565d7424dcb9085cfd16a102
Instruction ID: f9adcfa4a9e199f55b546c9bcd4e6d4cb41f557cb011ef34981696b50b52a31b
Opcode Fuzzy Hash: 47f58f72c80b1f52cd17e4b10c0dbfe5d830b2d6565d7424dcb9085cfd16a102
Instruction Fuzzy Hash: 4D90023120140806D1807158484468A000997D2301F95D015A102A664DCA158B5D7BA2

Function 018A2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2B6A

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac4491c87aeb6f8064f7327b81f317d5a38c56fee2231f9be21d3b0f38627fbb
Instruction ID: 3b85241cecb80621df7b3796b99abaca6bc6a484eea2c756a01cfa445492cfea
Opcode Fuzzy Hash: ac4491c87aeb6f8064f7327b81f317d5a38c56fee2231f9be21d3b0f38627fbb
Instruction Fuzzy Hash: FF90026120240007410571584854656400E97E1301B55D021E20195A0DC5258A996626

Function 018A2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2ADA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3c247444864a281cfcc63b3da29ac24e82777d9c1ff5d54048db88102837512
Instruction ID: d505e9827c6a0bdeb685b6cf2b579e46504ac82849b5706ef98737e292f67296
Opcode Fuzzy Hash: e3c247444864a281cfcc63b3da29ac24e82777d9c1ff5d54048db88102837512
Instruction Fuzzy Hash: 2F900225211400070105B5580B44547004A97D6351355D021F201A560CD6218A695622

Function 018A2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2DDA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c6090c702074e7600f7667a967b775902eced5628729783ea5a6b4b55a294d6
Instruction ID: 0209eb781f89321a2850b295600e24ef9143722ba5dc988b414084c96e05862c
Opcode Fuzzy Hash: 8c6090c702074e7600f7667a967b775902eced5628729783ea5a6b4b55a294d6
Instruction Fuzzy Hash: 48900221242441565545B1584844547400AA7E1341795D012A2419960CC5269A5EDB22

Function 018A2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2DFA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4df249603d58f4c736b87e5000de2278b833fa1d8f8864bbb239cf8b2ea3a37
Instruction ID: 89399dd77b01d1a2ed3287ca3b68f0d41036dc7a837a45b958329c49afcd58ca
Opcode Fuzzy Hash: b4df249603d58f4c736b87e5000de2278b833fa1d8f8864bbb239cf8b2ea3a37
Instruction Fuzzy Hash: 8A90023120140417D11171584944747000D97D1341F95D412A1429568DD6568B5AA622

Function 018A2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2D1A

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da5fa15e2c8bea8f824633f376f63d82644de1a156642cf0257634839fff4dc8
Instruction ID: 2e462dc878ecbd150c9096c09ed222934a2aa6781a720de8eeacbf97d7a1bc90
Opcode Fuzzy Hash: da5fa15e2c8bea8f824633f376f63d82644de1a156642cf0257634839fff4dc8
Instruction Fuzzy Hash: D190022921340006D1807158584864A000997D2302F95E415A101A568CC9158A6D5722

Function 018A2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2D3A

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9aea45ff08788c44c649b0c24e148f1e79f757833b578fa8206debe8a1b12b7c
Instruction ID: a35df927c6f40fc26ab84bda67cb498e1826f8b4b938e3d2a6a6d6f99dd8667e
Opcode Fuzzy Hash: 9aea45ff08788c44c649b0c24e148f1e79f757833b578fa8206debe8a1b12b7c
Instruction Fuzzy Hash: 9C90022130140007D140715858586464009E7E2301F55E011E1419564CD9158A5E5723

Function 018A2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2CAA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b99a61b2c009b7979d2a828191964db1ebb4de7e659ea0e44fbabec509815b5f
Instruction ID: 40e786307af66b9a7da6780d74093491591a6eb8a03c32679ce4757a69b9ddc9
Opcode Fuzzy Hash: b99a61b2c009b7979d2a828191964db1ebb4de7e659ea0e44fbabec509815b5f
Instruction Fuzzy Hash: DB90023120140406D10075985848686000997E1301F55E011A6029565EC6658A996632

Function 018A2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2C7A

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b291961c31e23fb53547dce9cadc69a4776644cc0a59da690217e939024793f6
Instruction ID: 4e8744d45e29dc7718866da75bbb5a539dced16293bf287aebbfc5625fab11f2
Opcode Fuzzy Hash: b291961c31e23fb53547dce9cadc69a4776644cc0a59da690217e939024793f6
Instruction Fuzzy Hash: 6290023120148806D1107158884478A000997D1301F59D411A5429668DC6958A997622

Function 018A2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2F9A

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d1810f2fd4ee5aa21d982251bb00b8e7ba291af5217e39b83fa0c775b6fd74b
Instruction ID: 6a0da59503dc9c6ac0f2ea1d8995925a6936f7f53f741efdf0a5f523952a87ff
Opcode Fuzzy Hash: 4d1810f2fd4ee5aa21d982251bb00b8e7ba291af5217e39b83fa0c775b6fd74b
Instruction Fuzzy Hash: 2790023120180406D10071584C5474B000997D1302F55D011A2169565DC6258A596A72

Function 018A2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2FBA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: feee6b708ad6c82c67830ad67633f4d4ab563eb32e85d0bf2bb0efe057e7e3c1
Instruction ID: 73817803902f14d5a9da092b51401f8c99fadb764405b8a99700725588f8e946
Opcode Fuzzy Hash: feee6b708ad6c82c67830ad67633f4d4ab563eb32e85d0bf2bb0efe057e7e3c1
Instruction Fuzzy Hash: AC90022160140046414071688C849464009BBE2311755D121A199D560DC5598A6D5B66

Function 018A2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2FEA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b05251befa2f165bdc8518c16b354ff5b189139a84a8f3208ad2873f672f64ac
Instruction ID: 08b6df357c573eeb9f4257ad32672b0af59d0b12c1bedfc3cf5d03db4fa175c5
Opcode Fuzzy Hash: b05251befa2f165bdc8518c16b354ff5b189139a84a8f3208ad2873f672f64ac
Instruction Fuzzy Hash: 33900221211C0046D20075684C54B47000997D1303F55D115A1159564CC9158A695A22

Function 018A2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2F3A

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 408c01b55724bfbe1ad41e6ae1cf02a77f0a07c6261db834ff038f27a568eb4c
Instruction ID: dd38998439b02301ac736be90c0ff5df40d102d8584912a6ffe237dc2f08667a
Opcode Fuzzy Hash: 408c01b55724bfbe1ad41e6ae1cf02a77f0a07c6261db834ff038f27a568eb4c
Instruction Fuzzy Hash: C190026134140446D10071584854B460009D7E2301F55D015E2069564DC619CE5A6627

Function 018A2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2E8A

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59dae94a2d46c2972b4d7f9f216c15f29656ae6e6fccffac3d8e7cef746139e3
Instruction ID: b280621807846a3e18efc8b2b5cc9459a92b91932851ca6c277b44a7ac7113a5
Opcode Fuzzy Hash: 59dae94a2d46c2972b4d7f9f216c15f29656ae6e6fccffac3d8e7cef746139e3
Instruction Fuzzy Hash: EA90022160140506D10171584844656000E97D1341F95D022A2029565ECA258B9AA632

Function 018A2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2EAA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 13c16656afe9707267f4dc34ad1f76fd07e5313356e822f4b3dd75c0c66e86c1
Instruction ID: e7751a25828bc7c7463bdc5a5f91970034cb361c79b0d60c22706c2a4ee5795e
Opcode Fuzzy Hash: 13c16656afe9707267f4dc34ad1f76fd07e5313356e822f4b3dd75c0c66e86c1
Instruction Fuzzy Hash: 6B90027120140406D14071584844786000997D1301F55D011A6069564EC6598FDD6B66

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
Opcode Fuzzy Hash: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Function 0041A5C6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6EA, xrefs: 0041A62C

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID:
String ID: 6EA
API String ID: 0-1400015478
Opcode ID: 6f91872405a5665760c44d80f0d31e8fe445e7a8515f7e2f7a920fb12f5240b4
Instruction ID: 3d5a4909fdf7ea18f232bcb6db1d04f408665bc14c263944276654def93571ea
Opcode Fuzzy Hash: 6f91872405a5665760c44d80f0d31e8fe445e7a8515f7e2f7a920fb12f5240b4
Instruction Fuzzy Hash: 67F0E2B22012057FD728DB58DC85EE7779CEF88364F08464AFA8C47742D631E951C6A4

Function 0041A600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D

Strings

6EA, xrefs: 0041A622, 0041A62C

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Function 0041A745 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f7a7bf1258667fdb217bfec2e719a1d78622227a793214c8a229aa48233c665a
Instruction ID: f6d1d87c0eccfe0969b243c592031f2bf80321ca13f96933460332b6b96dddcb
Opcode Fuzzy Hash: f7a7bf1258667fdb217bfec2e719a1d78622227a793214c8a229aa48233c665a
Instruction Fuzzy Hash: 560176B42003446FC310DF68CC81DEB7BA8DF85620F04859AF89C5B343C238E82787A2

Function 0041A791 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2f00c1280bac6a36bee62521e0aec708fb63f00487ae07fe61214d2aa94c0a8d
Instruction ID: c2fb3efb9a5f1b1f9cdc0c4d7d7891fecec6735acce639661a3542e73fa2df2e
Opcode Fuzzy Hash: 2f00c1280bac6a36bee62521e0aec708fb63f00487ae07fe61214d2aa94c0a8d
Instruction Fuzzy Hash: 8C0124B12013046FCB24EF54CC85EE73BA8EF85324F04449AF94C1B642C638E821C7B5

Function 0041A640 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Function 0041A7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A680 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1

Function 018A2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A2C24

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e1e99cafa39d71fecc10e5af6958517371e8321510b08f282d64324b66b16b0
Instruction ID: 91e6ff77d60969ba2104efb513c3c30701053e1d2cfd39a77ba95affe8470a3a
Opcode Fuzzy Hash: 3e1e99cafa39d71fecc10e5af6958517371e8321510b08f282d64324b66b16b0
Instruction Fuzzy Hash: 2DB09B719015C5CAEA11E7644A08717790577D1701F55C061D3034651F4738C2D5E676

Non-executed Functions

Function 018E2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MaxDeadActivationContexts, xrefs: 018E2D82
TracingFlags, xrefs: 018E2549
minkernel\ntdll\ldrinit.c, xrefs: 018E3187
@, xrefs: 018E2942
GlobalFlag2, xrefs: 018E2FC0
RaiseExceptionOnPossibleDeadlock, xrefs: 018E2579
DisableExceptionChainValidation, xrefs: 018E275F
FrontEndHeapDebugOptions, xrefs: 018E2489
MaxLoaderThreads, xrefs: 018E24EC
UseImpersonatedDeviceMap, xrefs: 018E251C
DisableHeapLookaside, xrefs: 018E246D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 018E3176
LdrpInitializeExecutionOptions, xrefs: 018E317D
GlobalFlag, xrefs: 018E2F3F, 018E3059
UnloadEventTraceDepth, xrefs: 018E24C0
@, xrefs: 018E2B74
MinimumStackCommitInBytes, xrefs: 018E2BB0
CFGOptions, xrefs: 018E2967
ExecuteOptions, xrefs: 018E25A0
ShutdownFlags, xrefs: 018E24A1

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 351dbd1d1f9626c983c490a91a4bd5b3402c6457c3fb2d37faae8cb2803bddc2
Instruction ID: a306e328559e54c3a75135fb65861319b4abcdb848c54d2aac584846828c809d
Opcode Fuzzy Hash: 351dbd1d1f9626c983c490a91a4bd5b3402c6457c3fb2d37faae8cb2803bddc2
Instruction Fuzzy Hash: 0C92DF71608346AFE721DF28C888F6BB7EABB85714F04481DFA94D7251D770EA44CB92

Function 019112ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01911706, 01911756, 019117A8, 01911809, 0191184D, 01911895, 019118E6
HEAP[%wZ]: , xrefs: 019116CD, 019116F9, 01911749, 0191179B, 019117FC, 01911840, 019118D9
Free Heap block %p modified at %p after it was freed, xrefs: 0191171B
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 019118A5
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 019118F8
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 0191176D
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0191186B
Heap block at %p is not last block in segment (%p), xrefs: 019117B7
Heap block at %p has incorrect segment offset (%x), xrefs: 0191181A

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 70839e1e91056fefd168265f26aa3e93667b38334b75bc69f0ea10587a1b9f2e
Instruction ID: 8ed2d59801a149c8f5b0e5a243f15a759c138f6181029a2bcd219ff995feb9ad
Opcode Fuzzy Hash: 70839e1e91056fefd168265f26aa3e93667b38334b75bc69f0ea10587a1b9f2e
Instruction Fuzzy Hash: D212C13060064AEFD725CF39C480BBABBF5FF15715F088869EA8A8B645D334E981CB51

Function 0185D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

Control Panel\Desktop, xrefs: 0185D45D
PreferredUILanguages, xrefs: 0185D4B8, 0185D4C5
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0185D3B6
@, xrefs: 0185D49D
@, xrefs: 0185D663
MachinePreferredUILanguages, xrefs: 0185D685
PreferredUILanguagesPending, xrefs: 018BA8DE
Control Panel\Desktop\MuiCached, xrefs: 0185D62B
@, xrefs: 0185D3E9

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: a92eff4ce1932158cbc3f4af74fd84a1112353fb66284784fedee08d135c6802
Instruction ID: f201b0101a7d41e2a45c8cb74156cedde5c832e90ffd1845656dd1f22b2d11ce
Opcode Fuzzy Hash: a92eff4ce1932158cbc3f4af74fd84a1112353fb66284784fedee08d135c6802
Instruction Fuzzy Hash: CFB1AE725083069FD765DFA8C480A6BBBE8FB84758F014A2EFD89D7310D730DA458B92

Function 018F9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\BaseNamedObjects, xrefs: 018F949E
\Sessions, xrefs: 018F9488
%s\%u-%u-%u-%u, xrefs: 018F9422
Global\Session\%ld%s, xrefs: 018F94C5
BaseNamedObjects, xrefs: 018F9477, 018F947C
\AppContainerNamedObjects, xrefs: 018F94AB, 018F94B9
%s\%ld\%s, xrefs: 018F948D
AppContainerNamedObjects, xrefs: 018F946E, 018F94D6

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 2994545307-3063724069
Opcode ID: ea1195ce8eb6469537651b3de10d1cdcd2c701577dd1dec13795ba6a058dd6a2
Instruction ID: 18e2d04f49f57737ad0e39c1f4d85bb08f8652ea44b7f500b4995a1a91135d4c
Opcode Fuzzy Hash: ea1195ce8eb6469537651b3de10d1cdcd2c701577dd1dec13795ba6a058dd6a2
Instruction Fuzzy Hash: 98D1A072C04316ABE721DB588880B6BBBE8AF94758F44092DFB84E7251E774DB44C793

Function 01910274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 019106EA
HEAP: , xrefs: 019103A6, 019104B5, 019105DD, 01910682, 019106D9
HEAP[%wZ]: , xrefs: 01910399, 019104A8, 019105D0, 01910675, 019106CC
About to reallocate block at %p to %Ix bytes, xrefs: 019103BA
Just reallocated block at %p to %Ix bytes, xrefs: 019105F1
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0191069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 019104D3
RtlReAllocateHeap, xrefs: 019102BF, 01910362

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: ad575231fad2d3ad13a2eb6304901087ddc875b52ae4b2d32f640854e15854c5
Instruction ID: 533b334302240e05703be164d7095098120d59572ad315e9f7b4b75d0b4f7511
Opcode Fuzzy Hash: ad575231fad2d3ad13a2eb6304901087ddc875b52ae4b2d32f640854e15854c5
Instruction Fuzzy Hash: F4D1F031604689DFDB22DF68C440AADBBF6FF5A700F0C8449F8499B256E7369AC1CB51

Function 0185D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0185D2C3
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0185D0CF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0185D146
@, xrefs: 0185D313
@, xrefs: 0185D2AF
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0185D262
Control Panel\Desktop\LanguageConfiguration, xrefs: 0185D196
@, xrefs: 0185D0FD

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: bb993efe3b140143a89461be522fa942eb81cac4900f22a500f640e7f3305e1f
Instruction ID: 71b2c4a59d62aa04d64089862411e5b82bf2d350249eba96cce9bcfb5f36dc85
Opcode Fuzzy Hash: bb993efe3b140143a89461be522fa942eb81cac4900f22a500f640e7f3305e1f
Instruction Fuzzy Hash: 5DA16D715083069FE761CF69C480B9BB7E8FB84725F404A2EE998D7241E774DA48CB93

Function 0185F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(UCRBlock != NULL), xrefs: 018BDF6F
((LONG)FreeEntry->Size > 1), xrefs: 018BE0B3
HEAP: , xrefs: 018BDF64, 018BE0A8, 018BE286, 018BE39E
HEAP[%wZ]: , xrefs: 018BDF57, 018BE09B, 018BE279, 018BE391
(!TrailingUCR), xrefs: 018BE3A9
(LONG)FreeEntry->Size > 1, xrefs: 018BE291

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 2c4ea0d0621eaefa4a8346faee8932a6d537247e08607f12be391bfe06470c46
Instruction ID: 27c4098e729b99a7b697c4a67d3474799c33e0119292e0846f7b6252c784c4d3
Opcode Fuzzy Hash: 2c4ea0d0621eaefa4a8346faee8932a6d537247e08607f12be391bfe06470c46
Instruction Fuzzy Hash: DB4200712087869FD755CF28C884AAABBE5FF88308F18496DF985CB342D734DA45CB52

Function 0187B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

DLL %wZ was redirected to %wZ by %s, xrefs: 018C83FC
minkernel\ntdll\ldrutil.c, xrefs: 018C840D, 018C84E1
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 018C84D0
API set, xrefs: 018C83F4, 018C83F9
SxS, xrefs: 018C83ED
LdrpPreprocessDllName, xrefs: 018C8403, 018C84D7

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: c66fb683b283ba946a52ebfa3b66300f346f12f608971ea48d24ca60e11fe089
Instruction ID: 245c44f6810c69b54d24edcb7789dc8764ab38e2766636ed0276189ba4b2aee1
Opcode Fuzzy Hash: c66fb683b283ba946a52ebfa3b66300f346f12f608971ea48d24ca60e11fe089
Instruction Fuzzy Hash: BEC13A71A0021A9BDB259B6CC8C0B7EBBA6BF45714F18406DED06EB291D774DF84C391

Function 018963FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 018D40DF, 018D4141, 018D4205, 018D425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 018D40D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 018D41FE
minkernel\ntdll\ldrinit.c, xrefs: 018D40E9, 018D414B, 018D420F, 018D4269
Process initialization failed with status 0x%08lx, xrefs: 018D413A
Delaying execution failed with status 0x%08lx, xrefs: 018D4258

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: d756b681a7f33be34b1b3c330868ec246ef73ffd94a469916c78ba18994056ec
Instruction ID: 41c0861ccc94c573cb86d7c254de2fe22543797d83534b352b470ffc372c66b2
Opcode Fuzzy Hash: d756b681a7f33be34b1b3c330868ec246ef73ffd94a469916c78ba18994056ec
Instruction Fuzzy Hash: 38912B71B043199BEF35DF6CD885BAE7BA1BB41B24F180129E904FB681EB749B01C791

Function 0190F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0190F809
Just allocated block at %p for %Ix bytes, xrefs: 0190F708
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 0190F7BE
RtlAllocateHeap, xrefs: 0190F56D
HEAP: , xrefs: 0190F6F4, 0190F7A1, 0190F7F8
HEAP[%wZ]: , xrefs: 0190F6E7, 0190F794, 0190F7EB

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 45080ab4f19ede940694a7efab30baa922abd1bc4674574fe0e0e1d0e9509d33
Instruction ID: dea027d23f98683a21bcd8b97d8fb720dd14e92bbdbeec4982546587e9358a3f
Opcode Fuzzy Hash: 45080ab4f19ede940694a7efab30baa922abd1bc4674574fe0e0e1d0e9509d33
Instruction Fuzzy Hash: A391EF31A00645DFDB22DF68C480AADBBF6FF59704F18805DE849EB2A1DB359B81CB51

Function 0188F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018D02E7
RTL: Re-Waiting, xrefs: 018D031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018D02BD

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 3aea30c28acdaaa878c568356c621fe7c82970f05415f022188b928b6445fc89
Instruction ID: 3b45dea7df11fddf30f3819c062f054df513c34675e45dda47f8d9c59d0cc6e6
Opcode Fuzzy Hash: 3aea30c28acdaaa878c568356c621fe7c82970f05415f022188b928b6445fc89
Instruction Fuzzy Hash: E5E18C306087429FE725EF2CC884B2ABBE0BB85318F140A5DF6A5CB2D1D774DA45CB52

Function 018851EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Number-Allowed, xrefs: 01885247
WindowsExcludedProcs, xrefs: 0188522A
Kernel-MUI-Language-Disallowed, xrefs: 01885352
Kernel-MUI-Language-Allowed, xrefs: 0188527B
Kernel-MUI-Language-SKU, xrefs: 0188542B

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 23a07934fc513ec0e1b7dcf9818c8bdf24ef1e6e3046fb8029545f64c4aa92d4
Instruction ID: 7dd9386e9203f88f72d6e9d155155cd7782050118747e17e50e01375bd51f59d
Opcode Fuzzy Hash: 23a07934fc513ec0e1b7dcf9818c8bdf24ef1e6e3046fb8029545f64c4aa92d4
Instruction Fuzzy Hash: EFF13872D00619EFDB16EFA8C980AAEBBB9FF48750F54406AE501E7210D7749F01CBA1

Function 018770C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01877C7C, 0187867F
HEAP[%wZ]: , xrefs: 01877C6D, 01878670
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01877C96, 01878696

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 56c2d7a1294801a7258b9838d2be89d17b9050966e3994979c018398f81c6839
Instruction ID: 8b29eb09cd655af50c49d8d550dd113d2001d2f377f02e7af63eb21121d878de
Opcode Fuzzy Hash: 56c2d7a1294801a7258b9838d2be89d17b9050966e3994979c018398f81c6839
Instruction Fuzzy Hash: BD139D70A0065ACFEB25CF68C4887A9BBF1BF49304F1481A9D959EB385D734EA45CF90

Function 01871070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 018C5884
HEAP[%wZ]: , xrefs: 018C5877
@, xrefs: 018C5A53
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 018C588F

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 2994545307-3570731704
Opcode ID: 658cc5b917248042273216ff840396bf3991a9a901b815ea09c26c8c1930636b
Instruction ID: 1b0e6e2b59161181f97628d2cb51fccca168961c12a99ada5eb48a2d2cd65a89
Opcode Fuzzy Hash: 658cc5b917248042273216ff840396bf3991a9a901b815ea09c26c8c1930636b
Instruction Fuzzy Hash: FF923971A00229CFEB25CF18C884BA9B7B6BF45754F0581EAE949E7691D730AF80CF51

Function 0186A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 0186A3E7
LdrResFallbackLangList Exit, xrefs: 0186A3FF
6, xrefs: 0186A3F7
LdrResFallbackLangList Enter, xrefs: 0186A3EF

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 3416ed2c4116927bee20d7794e52a9d6a718de0424d2ba363877832cc8a475e7
Instruction ID: 2b7091cde47a09a3321cf48bfd94486aa241375fbe0b3dd420a76a066bfb385f
Opcode Fuzzy Hash: 3416ed2c4116927bee20d7794e52a9d6a718de0424d2ba363877832cc8a475e7
Instruction Fuzzy Hash: FAC179741083868FD719CF58C484B6AB7E8BF84708F04496EF996EB291E734DA49CB52

Function 01898402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0189855E
minkernel\ntdll\ldrinit.c, xrefs: 01898421
@, xrefs: 01898591
LdrpInitializeProcess, xrefs: 01898422

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 2d55c51f477731903bc7315a07305f947a19b06376d6561cdd02b333e686282c
Instruction ID: 65ae609c2014e646fcff24115986dd690ea3e74ddbaaf7c7b56da426e154fd28
Opcode Fuzzy Hash: 2d55c51f477731903bc7315a07305f947a19b06376d6561cdd02b333e686282c
Instruction Fuzzy Hash: 87917C7150834AAFEB21DF65CC80EABBBE8BF85744F44492EFA84D2151E734DA058B53

Function 018664AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 018C0FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 018C106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 018C1028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018C10AE

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 875afd53b3f10578156a4619de93ad5c3ca4abe77fedd0c3de20e09cf242379a
Instruction ID: 37398d2e7dab51193477c2ef7c58a2d035e302222d6d9469be85b547cd64d1f1
Opcode Fuzzy Hash: 875afd53b3f10578156a4619de93ad5c3ca4abe77fedd0c3de20e09cf242379a
Instruction Fuzzy Hash: AD71E0B19043459FDB60DF18C889B9B7BACAF95764F500468F948CB246E334D688CBD2

Function 018815F4 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

LdrpCompleteMapModule, xrefs: 018CA590
MZER, xrefs: 018816E8
minkernel\ntdll\ldrmap.c, xrefs: 018CA59A
Could not validate the crypto signature for DLL %wZ, xrefs: 018CA589

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
API String ID: 0-1409021520
Opcode ID: 660cbfc43d2b136bbefea5407b74ff83364b070c294e381566f0c0fa3668d7d8
Instruction ID: c251a0d22529196824ec468b13b6bb085bb38fb18e286858fed9646eaaa7ad14
Opcode Fuzzy Hash: 660cbfc43d2b136bbefea5407b74ff83364b070c294e381566f0c0fa3668d7d8
Instruction Fuzzy Hash: D75138706007499FE726EB5CC948B657BE4BF10B18F184258FA91DB2D2EB74EB41C741

Function 019111A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0191124A, 0191125D, 0191125F, 019112C4
HEAP[%wZ]: , xrefs: 0191123D, 019112B7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01911261
This is located in the %s field of the heap header., xrefs: 019112D6

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 67c91f001d25180d19dc04b95e115ef21d6235b2c7c4467acd7af94b6d1e8f7e
Instruction ID: 926cb529414609e17af235ee3b75672b27b5f518f7bde1cf5853964708458bb3
Opcode Fuzzy Hash: 67c91f001d25180d19dc04b95e115ef21d6235b2c7c4467acd7af94b6d1e8f7e
Instruction Fuzzy Hash: 593114B1200119FFD721DBACC885FAA77E9EF15B20F180865FA05CB254E670AE85CB65

Function 01859148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 018BBAAD, 018BBAEA
HEAP[%wZ]: , xrefs: 018BBAA0, 018BBADD
VirtualQuery Failed 0x%p %x, xrefs: 018BBAF7
VirtualProtect Failed 0x%p %x, xrefs: 018BBABA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: e3f8b5977a3118bff8bc355cdefced67814e918a72f20331df6eb694dcf94e94
Instruction ID: 2a7b8041ccd41bb0afe8e5877161b1e0fe82709d8ce3bff850821094c5f82edf
Opcode Fuzzy Hash: e3f8b5977a3118bff8bc355cdefced67814e918a72f20331df6eb694dcf94e94
Instruction Fuzzy Hash: 5E31F032A00619EFCB11DB89C8C4FAEBBB9EF45724F144059E910EB291E774EF40CA61

Function 019094E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

0, xrefs: 01909BF6
, xrefs: 01909AD7
, xrefs: 01909B84

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: eb007a8d4ad0491c45e433e94802ad8dee62402be70068d675bcb30ab963837d
Instruction ID: 137fb70116e5bf7ced175977925745896eb57927e9316595e6a33bcc5c1e3528
Opcode Fuzzy Hash: eb007a8d4ad0491c45e433e94802ad8dee62402be70068d675bcb30ab963837d
Instruction Fuzzy Hash: C432F3B1A083819FE321CF68C584B5BBBE9BB88348F04492DF59D87391D775E948CB52

Function 0185A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 0185A1C1
\??\, xrefs: 018BC1E4
FilterFullPath, xrefs: 018BC2E6

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: fa6cb2ec7355c32bfeab7e9ca15526d826a059eb5f360784ec614c820572f097
Instruction ID: eb66fd8c933f8b176927a0b60deae46aa8dbecd24a990c91f070d89691d54acb
Opcode Fuzzy Hash: fa6cb2ec7355c32bfeab7e9ca15526d826a059eb5f360784ec614c820572f097
Instruction Fuzzy Hash: 15A147719116299BDB319B68CCC8BEAB7B8EF48700F1001EAEA09E7251D7359F85CF51

Function 018E7410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

Objects>%4u, xrefs: 018E75D5
VirtualAlloc, xrefs: 018E75FC
Objects=%4u, xrefs: 018E75EA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: 1a07cb6181fc901709a82919e9b4fd9d112b68254b0702460fae02f355d36e01
Instruction ID: 79879c402548f1c3272c1b09b207b63594386ca28ad79a403d0e664ec5696fae
Opcode Fuzzy Hash: 1a07cb6181fc901709a82919e9b4fd9d112b68254b0702460fae02f355d36e01
Instruction Fuzzy Hash: FD912CB0E002099FEB14CF59C484BADBBF1BF49318F14816AE905EB391E7759941CF94

Function 0186B440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 0186B465
LdrpResGetResourceDirectory Exit, xrefs: 0186B477
{, xrefs: 018C37B6

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 4a3b752c6b5195d3bd1633f983b38a66fd38fddc89dd4dbd0c2a4ddc8c4a08ca
Instruction ID: dc292c95ef9760cfc10f3eb20be1dac5d4fab6c8d1a3689df345fa9bae07bab9
Opcode Fuzzy Hash: 4a3b752c6b5195d3bd1633f983b38a66fd38fddc89dd4dbd0c2a4ddc8c4a08ca
Instruction Fuzzy Hash: E2919A71A00259CBEB21CF58D484BAE7BB8FF01728F148199E911EB291D778DB81CB91

Function 0189909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01899148
&, xrefs: 018D5CF8
%, xrefs: 018D5D3F

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: b672f526a534b26273165428f94ce2692ce5f0a9cbf39a6f1b3802486a6d3055
Instruction ID: ed3e668f4cec4d233cf80f1fa085b9a3c4d95991c3583a4eb4f9187145166401
Opcode Fuzzy Hash: b672f526a534b26273165428f94ce2692ce5f0a9cbf39a6f1b3802486a6d3055
Instruction Fuzzy Hash: F471E1709083069FDB14DF58C580A2BBBE9BF8431CF184A5EF4AAC7241D731DA05CB52

Function 0185758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 018BAFB8
HEAP[%wZ]: , xrefs: 018BAFAB
Invalid address specified to %s( %p, %p ), xrefs: 018BAFCB

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 9e501137384c5aec8b0d93d22a99a633423555e15a9d6abf916066f991224576
Instruction ID: a67c38948f6c602d4134bb35aeccf81568f41fac9e3bb3bf696f33646297ee98
Opcode Fuzzy Hash: 9e501137384c5aec8b0d93d22a99a633423555e15a9d6abf916066f991224576
Instruction Fuzzy Hash: 6D41E4B0200280CFEF69CA5DC0C4BFA7BE1DF41348F988469D946CB397D664DA8AC761

Function 0191C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0191C212
@, xrefs: 0191C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0191C1C5

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 8937a6c21c69054b3f531788a5164d9cf8266ca1a8b2748ca4ccb39133031803
Instruction ID: 219b52ed2d69a19c8afe070115fb6e34b02bc69324f6a3ca60f167215a7acebf
Opcode Fuzzy Hash: 8937a6c21c69054b3f531788a5164d9cf8266ca1a8b2748ca4ccb39133031803
Instruction Fuzzy Hash: 3841747194020DEBDF11DAD8C841FEEB7BCAB14701F04456AEA09E7244D774DA858B51

Function 018F4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 018F4172
LdrpResValidateFilePath Enter, xrefs: 018F4160
@, xrefs: 018F4225

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 9aa114e8e7a152adac99a1fcf103f456dafd6c92ab5d58c1cec7e7bfa0977ada
Instruction ID: 2b5112020badd169df7854c8a2132122d0f022d4f4931d880b0d5399fa268d23
Opcode Fuzzy Hash: 9aa114e8e7a152adac99a1fcf103f456dafd6c92ab5d58c1cec7e7bfa0977ada
Instruction Fuzzy Hash: 68410431A006588BEB25DBE8C844BAEBBB8FF55344F14046EDB01EB781DB348B41CB12

Function 018933A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Actx , xrefs: 018933AC
RtlCreateActivationContext, xrefs: 018D29F9
SXS: %s() passed the empty activation context data, xrefs: 018D29FE

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 49461fc771583c7c40ebd668ff6ea98d3d5af0466aef45760a0b0897e4548a83
Instruction ID: 0bb1e4fc802720de59a3ab83118d8aeb560a4e5d8a2f2c591ff19c3ad665fb93
Opcode Fuzzy Hash: 49461fc771583c7c40ebd668ff6ea98d3d5af0466aef45760a0b0897e4548a83
Instruction Fuzzy Hash: 9D31E0326403069BEF26DE68D884F9A7BA5FF54B14F1A4429EE04EF242CB70DA41C791

Function 018EB594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 018EB670
GlobalFlag, xrefs: 018EB68F
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 018EB632

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 2d9bc31319ef5df84b0c1d4522c2cfa01288f76566e6df44eb585ed3945940ac
Instruction ID: 89e91993a006f0b3ae96da433dbed54ccca26d2c220c11af826d269d622c89ba
Opcode Fuzzy Hash: 2d9bc31319ef5df84b0c1d4522c2cfa01288f76566e6df44eb585ed3945940ac
Instruction Fuzzy Hash: A8316DB1A00219AFEB10EF99DC94AEEBBBCEF44744F140469EA05E7250D7749F00CBA5

Function 018A1270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 018A12A5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 018A127B
BuildLabEx, xrefs: 018A130F

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 7e44aae4c4ea87e9a60470afe595e6a1fd41572ab0f6c0d7db392282ef8c6c7a
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 8731CF72900619AFEB11EF99CC44EAEBBBDEB94724F404025EA04E7260D734DB05DBA1

Function 018E20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 018E20FA
minkernel\ntdll\ldrinit.c, xrefs: 018E2104
Process initialization failed with status 0x%08lx, xrefs: 018E20F3

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 3f54418a73d4ba3489ba70eedb5cb7aef3996814f39e7ba6fd9a2da122aaf783
Instruction ID: 0b26bb4ee8b311a035c434272450d81cb8177351180f3544c05baf7020192db8
Opcode Fuzzy Hash: 3f54418a73d4ba3489ba70eedb5cb7aef3996814f39e7ba6fd9a2da122aaf783
Instruction Fuzzy Hash: 61F0A43564070C6BE724D64C9C46F993BA9EB41B54F540059F600FB285D6B4A7408B91

Function 018703E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 018C4D8A

Strings

#%u, xrefs: 018C4D82

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: cc3ed2705b98fb5c794a313f2d5726e6c06b9a775d08f22f6a111d69dfc08d76
Instruction ID: e891bb7aa513c229ac11f48f27aa87c484ed365d8ff664ecaaecce38ae3cf0dc
Opcode Fuzzy Hash: cc3ed2705b98fb5c794a313f2d5726e6c06b9a775d08f22f6a111d69dfc08d76
Instruction Fuzzy Hash: 96710A71A0014A9FDB05DFA8C994BAEBBF8FF18704F154069E905E7251EB34EA41CB62

Function 018752A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 018755A3
@, xrefs: 01875445

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 1665a14d49df1231979e3bc819ca10ecec7ef487e7bd0283135e9733ab4275a6
Instruction ID: 120c08d698460c9ec88ea300cbb1017531a834bbfc69831ec9304e4117514571
Opcode Fuzzy Hash: 1665a14d49df1231979e3bc819ca10ecec7ef487e7bd0283135e9733ab4275a6
Instruction Fuzzy Hash: 47327C705083518BD724CF19C490B3EBBE1EF89B54F24492EFA95D72A0E734DA84DB92

Function 0192A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0192A44B
`, xrefs: 0192A551

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 9876168fb5a62e5ecbb02f385946be8bb19e4b47a325f3d6b7db5c0983fc5d94
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 71C1E2322043529BE725CF28C840B2BBBE9BFD4719F084A2DF69ACB694D774D505CB42

Function 018604E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0186063D
kLsE, xrefs: 01860540

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: e47435d5ccacbc34068a67daf1e396d6785b91bd87fc8c5391018ad7e6713bdd
Instruction ID: a2eb22fc2258c512421b054d2119ddab49818795ec7a2c2f79e0cdf39616eb61
Opcode Fuzzy Hash: e47435d5ccacbc34068a67daf1e396d6785b91bd87fc8c5391018ad7e6713bdd
Instruction Fuzzy Hash: BF51D0715047468FD725EF68C4446A7BBE8AF84304F10483EFADAC7241E774DA45CB9A

Function 0186A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0186A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0186A309

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 269f4d349f87d1813255ade377f0c835fd7a31de7a71719fac87b3326db88498
Instruction ID: ff4a1da4315093e61c8d7264f8355fbf41c63bd1e09a22e5732bb1d0f3e221d8
Opcode Fuzzy Hash: 269f4d349f87d1813255ade377f0c835fd7a31de7a71719fac87b3326db88498
Instruction Fuzzy Hash: 5341BE30A04649DBDB19CF5DC940B6ABBB9FF85704F1440A9EA00EB291E7B5DB40CB51

Function 018F35BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 018F35FE
LdrResGetRCConfig Enter, xrefs: 018F35EC

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: ca93b614d60195df7130e8592a52b04161802f7c64601b41c59c3b975730f260
Instruction ID: c1abf38a98754331a2f0cce06159ff29504fb527cfad02d976c7608689c4ce62
Opcode Fuzzy Hash: ca93b614d60195df7130e8592a52b04161802f7c64601b41c59c3b975730f260
Instruction Fuzzy Hash: 04318D312097429BE311DB68D844B1ABBE4BF95714F04086DBE54CB391EB38DA05DB93

Function 0189329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 018932B5
@, xrefs: 0189330D

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: cd1761cde0b4d12b9c69d943ae45712b1a8ccbb8613ee396c0143b03ed1456a1
Instruction ID: 20edc96c782e0d7453a0dd06f0cfc4b8dfdf943ed4116e6d8b850b94174289e1
Opcode Fuzzy Hash: cd1761cde0b4d12b9c69d943ae45712b1a8ccbb8613ee396c0143b03ed1456a1
Instruction Fuzzy Hash: 3C318F72548305AFD721DF38D480A5BBBE8FB84754F48092EF995D3211DA30DE049B93

Function 018934B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 018D2A90
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 018D2A95

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 74d3adb872ff0daf902d544946722a7471966fb3564ff62429671ab89f1fc83e
Instruction ID: 27712df495da069d3b34f234b77ed14f40eefb4df8a8ef2ceb2ff2ea8a365807
Opcode Fuzzy Hash: 74d3adb872ff0daf902d544946722a7471966fb3564ff62429671ab89f1fc83e
Instruction Fuzzy Hash: 3E11EC76700205ABFB258A5D9D81F6BB7AAEBA4B54F1980697E04DB240D674CF008691

Function 0189A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0189A5E9
Cleanup Group, xrefs: 0189A5E4

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: e9f41f25089bf183b88bd52fd197aa702d3f05f9b8752f0e24289eb1aa31536f
Instruction ID: 12fe8ee1d8e04a7128294c5c9d8fe80c962feb335101a51029c1228cdc79000b
Opcode Fuzzy Hash: e9f41f25089bf183b88bd52fd197aa702d3f05f9b8752f0e24289eb1aa31536f
Instruction Fuzzy Hash: ED0128B2244704AFD322DF14CD85F167BE8E784B16F098939B648C7590E374DA04CB86

Function 01867370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3707119f62e7bc1f7ae6aa09df3ef210ffa732ff28bb813fffb97b2f966006c
Instruction ID: ce22ce32c715d06516fba3b7ae9261cf3bc23325aa7ec78590b9ccbb7dc8a39a
Opcode Fuzzy Hash: a3707119f62e7bc1f7ae6aa09df3ef210ffa732ff28bb813fffb97b2f966006c
Instruction Fuzzy Hash: FFA15971608346CFD321DF28C484A2ABBEAFF98718F14496EE585D7351E730EA45CB92

Function 018E6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 018E65C1

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9d13db7a34bc0ec5353257f380f948b0f86d7c9d7bb955280467f0bcb9b22c35
Instruction ID: 101a4d1b177f445791c259b3658b753fab20d2f4f412e68af36cf2c83d5cb898
Opcode Fuzzy Hash: 9d13db7a34bc0ec5353257f380f948b0f86d7c9d7bb955280467f0bcb9b22c35
Instruction Fuzzy Hash: C0915371A40219AFEB21EB99CD85FAE7BB9EF15B50F200065F600EB191E774EA00CB51

Function 0191B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0191B28F

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 6bc9099da3f308ea250e6acd594da7d0cf6bc561a358f4b25d9cc4935902b90c
Instruction ID: 9ac9b1fd18ebfe12194131f1076bd796af5350c591e63ed295c759128a65e6a0
Opcode Fuzzy Hash: 6bc9099da3f308ea250e6acd594da7d0cf6bc561a358f4b25d9cc4935902b90c
Instruction Fuzzy Hash: BB41A63290121DABDF11EA98C840FEEB7BEEF44750F054566ED0AE7254D634DE81C7A1

Function 0190705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 019070A4

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: b778d677d52a4b1aa595426aec8ef96d90762a42153c385d38aa20e8a9a8622d
Instruction ID: be867c42f293b19f87cc3527634e7e400df8e05b2ca8eb2cd4446ac47afa4ee8
Opcode Fuzzy Hash: b778d677d52a4b1aa595426aec8ef96d90762a42153c385d38aa20e8a9a8622d
Instruction Fuzzy Hash: B0417B716093524FE776EBA8E884BA53FE8BB40774F54061CED98AB0C9C77415C1C7A1

Function 01897505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 018D4622

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 0d306190b3c4887a00dcac7021de4c3f182fa7f135569968b30be037754a1826
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 2641AE75A1065AEBDF65DF48C890BBEB7B5EF84705F08405AE942E7240DB30DA41CBA2

Function 01865096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 018650BF

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 7aa1823436d13fe0a095c2a2db3cc60dfc17b2f0605789dd582072c6a6e4ef46
Instruction ID: d63d0fc89eef96fb5c20c31d4344124970955d27f788754701bb609eecb24f73
Opcode Fuzzy Hash: 7aa1823436d13fe0a095c2a2db3cc60dfc17b2f0605789dd582072c6a6e4ef46
Instruction Fuzzy Hash: 0111B630304606DBEB294A1D9850636B7DDFB953E8F34853AE592CB391DA71DF418382

Function 018E106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 018E10F7

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 2d4254d8e9edc76b392bebb663dcdaf4bddd2daa0b87632dd07753f800e025cb
Instruction ID: 069ae1433f12111d0b76f35be6d459ec193bc9eb3668278addaa90524693ab58
Opcode Fuzzy Hash: 2d4254d8e9edc76b392bebb663dcdaf4bddd2daa0b87632dd07753f800e025cb
Instruction Fuzzy Hash: E521D3B15183449BC320DF1A8849A5BFBE8FBD5B50F404A1EBA94D6250DBB0D649CB92

Function 018B739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da1c9b6d027a5e4035c395ed36460d764570e2e5df608074f7bc36f5f6ed20a
Instruction ID: 241d98f9a7c12da64c2ab35ea31ba2c7eb413dfba4ea5873554fcc447cb3f91e
Opcode Fuzzy Hash: 3da1c9b6d027a5e4035c395ed36460d764570e2e5df608074f7bc36f5f6ed20a
Instruction Fuzzy Hash: 46428D71A007168FDB19CF5DC490AAEBBB2FFC9314B148569D956EB380D734EA42CB90

Function 0188B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da086e16ec7a1f3f5618fe6fdf266b3cdb92401024176fb3c93d2cb49ec6f91a
Instruction ID: f121b733b4d4fa96c8357368205c9f2687dbe462f003018038c834d559c76bd1
Opcode Fuzzy Hash: da086e16ec7a1f3f5618fe6fdf266b3cdb92401024176fb3c93d2cb49ec6f91a
Instruction Fuzzy Hash: F5328072E00219DFDB24EF98D891BAEBBB1FF94714F180129E905EB351E7359A01CB91

Function 018F8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a60a74b47e20a562f635b4f39068b7d41310bec646c7fc43f51792125621fb
Instruction ID: dfe124eaeca5c0bfad80d3b39c7e5a3c44fcdc152b38de1f22b3616c2c38acbd
Opcode Fuzzy Hash: 77a60a74b47e20a562f635b4f39068b7d41310bec646c7fc43f51792125621fb
Instruction Fuzzy Hash: C4425E75E102198FEB24CF69C881BADBBF5BF49300F14809DEA49EB252D7349A85CF51

Function 0190A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a780b6b4dc346d2ca6af9337a78e9c2f5d6d58252ae508d86b5526e7a0c497f4
Instruction ID: e6a4284ac44b5d12452bca429d052b99473d0ee5a408c5bb9ba28e0417f5a383
Opcode Fuzzy Hash: a780b6b4dc346d2ca6af9337a78e9c2f5d6d58252ae508d86b5526e7a0c497f4
Instruction Fuzzy Hash: 0622BC746047618FEB26CF2DC490776BBF5BF44341F08895AD98A8B2C6D335E492DBA0

Function 018665D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89dd71d7c2ac4ebdd1f9b83aab1de2171ed8f41f815219a18f3d563ccbeb8a7
Instruction ID: 9ab983120abb054cf1fa2ea388f0fc89443ae107373d1fcbac60b570d92996b0
Opcode Fuzzy Hash: c89dd71d7c2ac4ebdd1f9b83aab1de2171ed8f41f815219a18f3d563ccbeb8a7
Instruction Fuzzy Hash: 64E18071508382CFC715CF28C190A6ABBE5FF89318F158A6DE995C7351EB31EA05CB92

Function 01858397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a86557411930529a6aac0a656f7a7c059e1d2215564d55f1d16b77193a88243
Instruction ID: 471146effc5cde122c86df53803e923a7a5d256014f2bffe572bf12bec92fa60
Opcode Fuzzy Hash: 5a86557411930529a6aac0a656f7a7c059e1d2215564d55f1d16b77193a88243
Instruction Fuzzy Hash: A2D1E371A0020ADBDB54DF6AC8C0ABA77A5FF56308F04462EED16DB281E730EB55CB51

Function 018E8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 0ab5b37084b9a6bd523545f5bf1f1fd1bcd20344c2fbd5edaccf6411e31482ff
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: CDB17274A00609AFDF24DF99C948AAFBBF9FF86304F14445DAA02D7791DA74EA05CB10

Function 01870535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 9d9e63b663a24cf059fa8bb1d174adf570495566168f04445a1af18c04817574
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 55B1063160464AAFDB25CBA8C850BBEBBF6AF85704F140159E656EB281D730EF81CB51

Function 018890DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2eb395e4d0623d2bd5dfb93b82f3e232b77658e3d324d5ba366a1745859e8c6
Instruction ID: 62a4663fd5fafc20faf925c6a4946cbf88e50eccfb1079422f1181d4f4487451
Opcode Fuzzy Hash: f2eb395e4d0623d2bd5dfb93b82f3e232b77658e3d324d5ba366a1745859e8c6
Instruction Fuzzy Hash: 54A15271900215AFEB12AFA8CC41FAE77B5AF55754F014164FA00EB290D775DE01CBA1

Function 018683C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f10ca645c28eed45449710782453cdd1597bbb4f8341eef5305a0b98c2eeb3
Instruction ID: 69e76627564a7a2e84b96441477d55a3a477c139a343d27a6dc4936b5af5433c
Opcode Fuzzy Hash: 90f10ca645c28eed45449710782453cdd1597bbb4f8341eef5305a0b98c2eeb3
Instruction Fuzzy Hash: 69C14974508341CFE764CF19C498BAAB7E9BF88704F44495DE989C7291E774EA08CF92

Function 0185C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ef6c3e3353a4010227d0d807c4395b0882b1aff0c88f777af014aca7221692
Instruction ID: dc7e93df3f843a46506b67165ec176eff632e542ef495afd50e0ce0527ba31c0
Opcode Fuzzy Hash: 03ef6c3e3353a4010227d0d807c4395b0882b1aff0c88f777af014aca7221692
Instruction Fuzzy Hash: BDB16370A002658BDB65DF58C890BA9B7F5FF44744F0485E9E90AEB241EB709E86CF21

Function 0188E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf2ca45fadf4540c1d5a25a63670591d13579a05896b4308bc6458dc698ed3
Instruction ID: 6fd747d8c338990a2e1991f5864d155b6878427359124543aad990ead92f8c91
Opcode Fuzzy Hash: ffdf2ca45fadf4540c1d5a25a63670591d13579a05896b4308bc6458dc698ed3
Instruction Fuzzy Hash: 05A1E731E006599FFB21EB5CC844BADBBA5AF01B18F054115EB11E7291D774DF40CB91

Function 018A0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1f954773cbc0259cee1ea1ad8abbe569166eda453068f83eb21c1f9ad08b0c
Instruction ID: 75e06ba19e576326b14e58cc07be62e00b93aaf7600e5cae08ed2c73adbc0a6c
Opcode Fuzzy Hash: fc1f954773cbc0259cee1ea1ad8abbe569166eda453068f83eb21c1f9ad08b0c
Instruction Fuzzy Hash: 9EA1C470B0171A9FEB25DF69D890BAAB7B1FF54318F444029FA45D7281EB34EA11CB50

Function 01934500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6f34d3b63dc7b13eb851c3fd5607992108d6b5e765ff19fc20d62309656e75
Instruction ID: 519eaed8ee607b3f2b4b69a33dd16171707734770a2fd27130bb1bf51c72f3a0
Opcode Fuzzy Hash: 4b6f34d3b63dc7b13eb851c3fd5607992108d6b5e765ff19fc20d62309656e75
Instruction Fuzzy Hash: 24A1AE72A04612DFD722DF28C980F5ABBE9FF88745F460A28E549DB651D334ED01CB92

Function 018E60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f31e5fda969a0d1a49333f4f7ac4a29cfe4b14da053dec36cfa882637b9eed
Instruction ID: 3655b8f1db50a6a962edf5c21f28a1a66a17cdae5f441a2128c48458a2096417
Opcode Fuzzy Hash: 03f31e5fda969a0d1a49333f4f7ac4a29cfe4b14da053dec36cfa882637b9eed
Instruction Fuzzy Hash: 75917371D0021AAFDB15DF68D888BAEBFF5AF5A710F254159E610EB241E734DB009BA0

Function 0187E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19be7a05876e3bae3429e2237513546f853bf834c8f40198571d89e863eb1db2
Instruction ID: 815ac2a7d3a80f0bb8c5e8eb6ac7c54f72f55b3588a46bfd4514eb22ffc8deb2
Opcode Fuzzy Hash: 19be7a05876e3bae3429e2237513546f853bf834c8f40198571d89e863eb1db2
Instruction Fuzzy Hash: 7291F571E0061ACBEB24DB6DC484BBABBA1FF94B18F0541E9ED05EB241E634DB41C752

Function 01861131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23fe5ec57beb3a0da0805afbfb3e1c545d45b07445f39da1ddbc6cd33ad61c6
Instruction ID: 5633958e2f915a2ea452de60e770d8833699e7915f4bd859cae8c76ab5871d3e
Opcode Fuzzy Hash: c23fe5ec57beb3a0da0805afbfb3e1c545d45b07445f39da1ddbc6cd33ad61c6
Instruction Fuzzy Hash: 4DB100B16093418FD364CF28C980A5ABBE1BB88704F18496EF999D7352D331EA45CB42

Function 01869486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b6821f5d6a20d3504272b03ab9bd74f1254a71f5395a18eaace0d340d1368e
Instruction ID: 89442d20f6f9ec735d9d56aaa12b2f3090c7c683701d3d960117bb9cdf4b7473
Opcode Fuzzy Hash: 24b6821f5d6a20d3504272b03ab9bd74f1254a71f5395a18eaace0d340d1368e
Instruction Fuzzy Hash: BDB15A74A04305CFDB25CF1DD4887A9BBA5BB0831CF24459EE925DB2D6E730DA82CB90

Function 0191B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 82d91b6eb047a51de570c6f4e67176adb8bb8ca8e4d7c8f1b8c40aa9dfbddf10
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: DD71D335A0021E9BDB10CF68C490ABEB7FBAF54751F58451AE90ADB649E330D9C18B90

Function 0188D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 2b36ddc9b443ce84026db99626b8f40cf0aea28d26f18d24aad2c5b487605593
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 8C818C76E0051A8BDF24DF9CC8807ADFBB2FF84754F19826EDA15E7280D6359B408B91

Function 0189E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62658ec4c512ddbc3a82739751d0b381a354dd4d521cb594ef1f160ba6ca8294
Instruction ID: 8a7d05b436fc123cb73b3596f0dd41a1888ef47ca8a0ce2ed8d91b030555c7a6
Opcode Fuzzy Hash: 62658ec4c512ddbc3a82739751d0b381a354dd4d521cb594ef1f160ba6ca8294
Instruction Fuzzy Hash: ED814F71A00609AFDB25CFA9C880AEEBBBAFF88354F144429E555E7250D730AE45DB60

Function 018E035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: f2bb27e97a0e5acb244eeea31e0b7f5eb8bc4d6a7fb48bcd7b0e92f86dfd39f8
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 63716D71A0060AEFDB10DFA9C984A9EBBF8FF98700F144969E905E7250DB74EA01CB51

Function 018F62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598a2b18bb3e121e2495d317c9a4efcdcf6d545f9c1c42b4b433c339cbd79678
Instruction ID: 6d74be8f1b5b3483632c7ae80a4fb658b3d2c766ad5370a95802c48fe992af99
Opcode Fuzzy Hash: 598a2b18bb3e121e2495d317c9a4efcdcf6d545f9c1c42b4b433c339cbd79678
Instruction Fuzzy Hash: B371D132200701AFE7329F18C884F56BBA6EF50724F244A1CE755D76A1E775EA44CB51

Function 0192132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf033a2efef6d93fccdffffdbed6d4c5b1c49122a547d2f1406fe77db8e62738
Instruction ID: cd3872566412a19bca94484d8e8c26bb5160c7959dda3f6749967657af15d084
Opcode Fuzzy Hash: bf033a2efef6d93fccdffffdbed6d4c5b1c49122a547d2f1406fe77db8e62738
Instruction Fuzzy Hash: 71819171A00219DFCB09CF69C490AAEBBF1FF88310F1581A9D859EB345D734EA51CB90

Function 0192903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd76b6fdb64eb354bee13eef1385cf555e3be9d5c0cc2e255617e59e7dc6829
Instruction ID: 0bd32419dacdce1d058dc1b27b54f3c4e1e06db999892eaac4179542d3ed04f8
Opcode Fuzzy Hash: 9bd76b6fdb64eb354bee13eef1385cf555e3be9d5c0cc2e255617e59e7dc6829
Instruction Fuzzy Hash: 2761BB71200736AFE715DF69C884BABBBE9FB88718F004619F95D97248DB34E904CB91

Function 019292A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f157ee88650a02bec1910f1ad389d9a3d719f2f18ae91695f7e4306c9452cf0
Instruction ID: 916a5edb98ce2fdc0c316a6e507b95ba4b2bfa1b325fa905e9502ae924c5b8f1
Opcode Fuzzy Hash: 8f157ee88650a02bec1910f1ad389d9a3d719f2f18ae91695f7e4306c9452cf0
Instruction Fuzzy Hash: 8761F8316047728BE315CF68C494B6ABBE4BF90709F18486DE98D8B299D735E805C792

Function 0185B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd1c8580b4052c66543c6ae9a8cb28af216da45530ee23eae45e4d614f89dae
Instruction ID: de17a936282389860ab1a5ca48c44c38490d568e846d2a4e1bfebbb8aeec1015
Opcode Fuzzy Hash: 3bd1c8580b4052c66543c6ae9a8cb28af216da45530ee23eae45e4d614f89dae
Instruction Fuzzy Hash: 5741F431200601DFDB269F2DD880B6ABBA6FF54764F154469ED19EB392DB30DE018B91

Function 018DD5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: 57d3ddd2341146661cd1f7e3a93a123050b2c1b96f2e7e05f4e65e1fc0ee3f2e
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 6F5112722003429BCB11AFE89C40A7B7BE6EF94354F094569FA44C7291EB30CA56D7E2

Function 0189B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a797c7ebb41c35804f1665ee87f473d130831beb78f9784b4387fafcd4fec63
Instruction ID: a296f38d6a14f40569981c720bd672ef393f96d9aabfff5f94e8933f68f6b37b
Opcode Fuzzy Hash: 6a797c7ebb41c35804f1665ee87f473d130831beb78f9784b4387fafcd4fec63
Instruction Fuzzy Hash: 1051D4B12043459FE731EF69CC81F6A77A9EB94728F10062DF911D7192DB30DA41CBA2

Function 018895DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 57897cd1ffa764ccf71567f39432746113d49e35ad032568cfc5532debc1bb37
Instruction ID: c1a422265f8eba9e5abdc453005be5aa88a71365246400e274de99b854f6aa60
Opcode Fuzzy Hash: 57897cd1ffa764ccf71567f39432746113d49e35ad032568cfc5532debc1bb37
Instruction Fuzzy Hash: 82519E71900209AFEB21EFA9CC80BEDBBB9FF41708F60412AE594E7251DB719A44DF51

Function 01867152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ebf0992b9fdf168cbb5fd08d7c0929887231c5ede841febf4f6a6c68f6a5e5
Instruction ID: 55c8f39ed8a1f51809f86537dcc4dba3d5c06931b73210c4b3237302a8a80818
Opcode Fuzzy Hash: 46ebf0992b9fdf168cbb5fd08d7c0929887231c5ede841febf4f6a6c68f6a5e5
Instruction Fuzzy Hash: 5751E331A00A0AEFEB16DB68C988B6DBBB9FF54719F10406AD512D3291DB74DB01CBC1

Function 018845B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 3e8062174aac79928a26bd30dbab9ea7ac492e56bb46fac41ed75de862e0854f
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: F9516D72E0421EABDF15FF98C440BEEBBB5AF45754F04406AEA01EB240D734DA44CBA1

Function 0192D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 87e8439ce36f30c2d5442eb295d3476a3bf523367ce73eededdf7229be7fcaee
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: 79517F722083569FD714CF68C880BAABBE9FFC8754F04892DF99897284D734E945CB52

Function 018651ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d107ae3fff8f47ba2d4936d4ca5c553ccd758696220cb7793b019d79bda7ba80
Instruction ID: 0a489fc491fcc0b10e40d0e64432e4713528f78f09fecba154f47498eabcb6b0
Opcode Fuzzy Hash: d107ae3fff8f47ba2d4936d4ca5c553ccd758696220cb7793b019d79bda7ba80
Instruction Fuzzy Hash: FD51AC71A0121ADFEF22CBACC940BEDB7B8BB45B98F040018E905F7241D7B5EB408B61

Function 018F3140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e97bb8ea313a1ea1706413506884641a7f842778ba3f875c0db7d2467177b1
Instruction ID: 0394bad0f2342b20ffb67b6dcd64c5871476a0f032aec8ab8881ef62209d186c
Opcode Fuzzy Hash: 55e97bb8ea313a1ea1706413506884641a7f842778ba3f875c0db7d2467177b1
Instruction Fuzzy Hash: 7E51AB76604205DFE721CF58C840A6AB7E4FB88315F05852DFE98DB250D374EA85CB92

Function 019335D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: 5cff286a9daf70e3dbd011fa90073d144e32921419432c765ed31b3f267b16a3
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 07519F71640606DFDB16CF18C581A56FBB9FF85309F15C4AAE908DF222E371EA85CB90

Function 0189A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7745f0fc2a4683abed03cf240734ad589683668fe7d937d84bebe2366d900307
Instruction ID: 5a8f4a5e6ec4ffdefa7fbb7555d4cb64532c31466b06578a2e2b61d18f2fac4c
Opcode Fuzzy Hash: 7745f0fc2a4683abed03cf240734ad589683668fe7d937d84bebe2366d900307
Instruction Fuzzy Hash: CF410671748306DBEF29EFACA8C0B6A3765EB54758F48002CFD0AEB245E7719A00C752

Function 018901F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ee87acd227f97cc90b50ea10d652b4819116fa7e87c73b6c02cc4f79403860
Instruction ID: 45220315cb135de9cf352c5ed4f03d1707bebe2ed3f69302f7086f39d66b42d0
Opcode Fuzzy Hash: 27ee87acd227f97cc90b50ea10d652b4819116fa7e87c73b6c02cc4f79403860
Instruction Fuzzy Hash: 8F41AF359002199BDF15DF98C440AEEB7B8BF48714F18815AF819F7240D7359E41CBA5

Function 0186D534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578a0d380f53fce50559243816cf886b6f745cec86b8f1bb501d40720e5758b9
Instruction ID: c56ad160ca271903855c1a498ff4d444a938000ecc7f3ea87e3694e528ab3a81
Opcode Fuzzy Hash: 578a0d380f53fce50559243816cf886b6f745cec86b8f1bb501d40720e5758b9
Instruction Fuzzy Hash: 4C51DF31300682CFD722CB5CC448B2A77E9BB44B54F094A69FD81CBA91DB34DE41CBA2

Function 01866154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f36d6395a0c3c6f375f3166d5d128974c9f07c31624c2935bd2e64ede2c04c
Instruction ID: 0c691ad5a005d121e9a450e44e472b8f5c67ccc04fa09d144eec477c1534de11
Opcode Fuzzy Hash: 06f36d6395a0c3c6f375f3166d5d128974c9f07c31624c2935bd2e64ede2c04c
Instruction Fuzzy Hash: 8751D670900256DBDB25DB6CCC00BA8BBB9EF15318F2442A9E529E73D1E7349B81CF41

Function 0185B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac13b6a2f6efd13392864891718487326d60795cea97f2b3663d0b7fc38f119
Instruction ID: cb5ade3da0365a65e128db2d4e97611d9e62397602c751480805d5d743cd9946
Opcode Fuzzy Hash: fac13b6a2f6efd13392864891718487326d60795cea97f2b3663d0b7fc38f119
Instruction Fuzzy Hash: F341C571640706EFDB62EF6CC880B6ABBE9FF60798F044469E915DB251D770DA00CB61

Function 0185A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 81b59f3ff40093a2763dc19b819c60a29dc69b941d4ceb76aaa696bc390f270f
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 3B413731A00616EBDB29DE6D84D07FABBA1EB90764F15816AED45DB340D632CF80CB91

Function 018E05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16cc2c58b24395ed5cf5f057ef2e60f094d8b57c1533ec4409954c0543fe1ec
Instruction ID: 350da8b4db186ca3b3d6e48924a3e2d4d45c77df39254ced19a00023d6ed8d1f
Opcode Fuzzy Hash: f16cc2c58b24395ed5cf5f057ef2e60f094d8b57c1533ec4409954c0543fe1ec
Instruction Fuzzy Hash: 4741D2726087469FD320DF6CC844B6AB7E5BFC9700F140A19F955D7690E770EA04CBA6

Function 018702E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: e236cd306dc9a6ac7577a11011be2c37eb3a2d74a3490239e9ce40830ac32165
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 13312831A00248AFDB21CB6CCC80B9BBFE9EF15754F0441A6F815D7352D674DA84CBA1

Function 01889274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d2dd8ddd6f2cf304636a3a6b6c67d1ef31a45af8f800ed93f10998f76e3fba0
Instruction ID: f75fea4e0a4906f1ea323562aebe663cbe20917a9975c33e02716d74b1977396
Opcode Fuzzy Hash: 2d2dd8ddd6f2cf304636a3a6b6c67d1ef31a45af8f800ed93f10998f76e3fba0
Instruction Fuzzy Hash: F5318572E00229AFDB319B68CC40BAABBB5AF85714F5511E9E54DE7280DB309F44CF51

Function 01864260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d76f61eca944709ad68fa090d2f5a1751ee3accf3939b4d46fd88fdd1e369b1
Instruction ID: 2d4503443b1cbc91ef3599e4352e9a6e72844ee669f296076fa70bce1957a05c
Opcode Fuzzy Hash: 0d76f61eca944709ad68fa090d2f5a1751ee3accf3939b4d46fd88fdd1e369b1
Instruction Fuzzy Hash: B741BF35200B45DFD722CF68C980FDABBEAAF44B54F15442DE65ACB250D774EA04CBA0

Function 018850E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 18b78cada8f58af3241ef8bf85011a09e984444c244d492bf448f34239d86e71
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 63312735708B469BE722EA2CC800767BBD5AB85B94F48852EF585CB381D374DE41C7A2

Function 0185B480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b26558be4286e783493a7b197e081e9f6eb49625eb75f69670b151ae65aa8e
Instruction ID: 154cfb9bbba70ec6a0787849ab2903ead78960b30af9d2e64b032d8af8de6017
Opcode Fuzzy Hash: 63b26558be4286e783493a7b197e081e9f6eb49625eb75f69670b151ae65aa8e
Instruction Fuzzy Hash: 943135725002049FC722DF18C880A6A7BA6FF95368F544269FD45DB391D731EE02CBD1

Function 019261C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864170faf458199a7bfe1977859b80f60153169b30ef865cf36f4eec3c0885e6
Instruction ID: 1e74ed917f079172547fb336a6614b9c25b047b7c8eae630710514e7724ab0e9
Opcode Fuzzy Hash: 864170faf458199a7bfe1977859b80f60153169b30ef865cf36f4eec3c0885e6
Instruction Fuzzy Hash: 5B31D576A0026AEBDB15DF98CC40FAEB7B9FB45B40F554168E904EB248D770ED00CBA4

Function 019260B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc576706f666771561fd938f5e5bd533085af67490b6790078866b16f2d6326
Instruction ID: e36d83e3d5f2573f1de9a30beebf1f82ba029b24a6aa27593517eb66e7526e10
Opcode Fuzzy Hash: abc576706f666771561fd938f5e5bd533085af67490b6790078866b16f2d6326
Instruction Fuzzy Hash: C031D671A40626AFD712DF9DC850B6EB7B9FF84754F200069E909EB756DA30ED008B90

Function 01868550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bf94377f52d5239b60213fd34977697b6009c8d5bd5f895abba34957d5eb79
Instruction ID: 2de4c9cf01c77abddf9efe244decfb2dea9ab614b694f185f1454a7b091b7c23
Opcode Fuzzy Hash: a1bf94377f52d5239b60213fd34977697b6009c8d5bd5f895abba34957d5eb79
Instruction Fuzzy Hash: D7317C716093018FE720CF19C844B2ABBEAFB98B10F05496EF989D7391D770EA44CB91

Function 018B7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: e6383988d2ff802fe1772ee2499acfde04569825ab7e3e61e67c26c1f3bb1d16
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 87314675604706CFC710CF1CC480996BBE6FF89314B2585A9EA58DB395E730EE06CB91

Function 0188438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31aae3c8da690d4d98791a7f3c5047a8af65f25f3a58de50e339461d36efb58
Instruction ID: ebfccaf79a259203f956ecf27979b1b111e39b1a6fa6dc6908e1ee582a551e5e
Opcode Fuzzy Hash: b31aae3c8da690d4d98791a7f3c5047a8af65f25f3a58de50e339461d36efb58
Instruction Fuzzy Hash: 2E31F172B016069FD720EFBCC881B6EBBF9AB80704F10842AD106D3255E730EB45CB91

Function 018692C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: d9383cb7838b736d001477ee73e0b6c717231761ecbf712d37c1f8d795d6e23c
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: DB3168B160824A8FCB01DF18D84095ABBEAEF99754F000569F855D73A1D734DE15CBA2

Function 0185C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b593b52807411cb9a506e69227febaf80c567cba728cb1b4dea4b1c3e45006ef
Instruction ID: 0d44c6552b497af5a75ed408c089b42321d8ca1add510b1159c66ef7d061aa36
Opcode Fuzzy Hash: b593b52807411cb9a506e69227febaf80c567cba728cb1b4dea4b1c3e45006ef
Instruction Fuzzy Hash: 2E3129725003019BD721AF6CCC80BE977B4EF91318F9482A9DD45DB342DA34DA86CB95

Function 0191C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: d2327ef13a563a7c11cdba7b5e4f1c6877ebfa28bd4af877abb2b6450565ff11
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: B121453664065A77DF159B998C00FBBFB75EF80B11F40801AFA59C76D1D634DA81C361

Function 0185E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9229d787f53d6bec34fe9a39bf08f5fd00a16ec20bce63f63dd5cd3611462bfd
Instruction ID: c2e439c17f325baaea75b87b9640df3a0f99fc825b80135fcc54aa952f2cba72
Opcode Fuzzy Hash: 9229d787f53d6bec34fe9a39bf08f5fd00a16ec20bce63f63dd5cd3611462bfd
Instruction Fuzzy Hash: 3D31B632A0152C9BEB31DF18CC81FEEBBB9EB15744F4101A1EA45E7290D6749F809F91

Function 01894588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 8080d9f2bcbd3224d5d2377e1f0bd0b8d35a26b2b74a2c1dece5bc20b6c58cc9
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: E2217172A00609EBDF16CF58CA80A8EBBB5FF48714F148569EE15DB241D671EB06CB90

Function 018944B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c232732f882940979fd3d0f340e911a4c2520cebb430bf50888fb2e7fa1d7142
Instruction ID: 8d7b3f8e690e64964280b35df13d382cd63f397b279f6afda86fe091e91eaac6
Opcode Fuzzy Hash: c232732f882940979fd3d0f340e911a4c2520cebb430bf50888fb2e7fa1d7142
Instruction Fuzzy Hash: C721C3726047459FCB22DF58C980B6BB7E5FB88760F044529FD54DB641D730EE018BA2

Function 0185E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: eef04ad63bf6fcc71e8fc2dcaf0cec951055a6c452f35b420233876a50c6852c
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 8E318A31600608EFD721CB68C884F6ABBF9EF85358F1045A9E952CB291E730EF42CB51

Function 0189D530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf69e3d8b80a57a871f5f096345c0eb375a6b9682f2e42be16d4b21e6d490395
Instruction ID: f94c21e6a1f55bcdcd07a702fc102561051c8a705793cf8c1ff708582bf5945c
Opcode Fuzzy Hash: cf69e3d8b80a57a871f5f096345c0eb375a6b9682f2e42be16d4b21e6d490395
Instruction Fuzzy Hash: 102102715053059BDB21EFACC940F1A7BE9EB65758F440929FA09E7290EA30DA00C7E7

Function 0188F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: f2ba530cf4ad638e4c26de021655b254a1e64775e22b80188a2a8d969ee56c52
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 4E21D1722002059FD719EF19C480B66BBE9EF95365F15416EE60ACB390EB70EE01CB94

Function 018E019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850bfc85356541fca84aee6ab39695ea1cf4e234954b668aeca48c07780ffeaf
Instruction ID: b1a5945a3d8457f0a8c640222e95a86c35ef463cc46b8a1d94aa972480df5ec9
Opcode Fuzzy Hash: 850bfc85356541fca84aee6ab39695ea1cf4e234954b668aeca48c07780ffeaf
Instruction Fuzzy Hash: 9A21EC71600605AFD715DB6CC844F2AB7E8FF49740F140069F904EB6A1D738EE40CB69

Function 019071F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74d11ba362c045353442a4401fd14428cbc521cf01cefacb90d1b4d58ef2d0f
Instruction ID: 515e2d6e744ebb3f633d06d9a612fb0332f902f0dd6333a2fa23e9f6efc89041
Opcode Fuzzy Hash: c74d11ba362c045353442a4401fd14428cbc521cf01cefacb90d1b4d58ef2d0f
Instruction Fuzzy Hash: 2D21C431A047428FC726DAAD8840A2BB7E9ABD5324F14492DF8EED3181DB60B9458792

Function 018E0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b94a4818421a12345eb68bf31c979c0b1b3cc784115a90c264ffc7d875ea25
Instruction ID: d0a76ff168cbcad68d87f95cb91ab57cfb33d43524fe3627a1ad2e71a83e76f2
Opcode Fuzzy Hash: b2b94a4818421a12345eb68bf31c979c0b1b3cc784115a90c264ffc7d875ea25
Instruction Fuzzy Hash: 2721D072A043469BD712EF5DC848B5BBBECAF92740F080856BD80C7251D774CB08C6A3

Function 018DD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 9c654a3bdacc0f5ea7da5d8380df4f4a47602ee0273c1b91b9cd9a383a3c500b
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 1621C272644B05ABD7219F2CCC41B5BBBA5FB88764F00062AF945DB3E0D730DA0187AA

Function 0189A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88101d22fbe5bbc00d1c53d9a309f271d194775be8aefb8aa398530b85d3667a
Instruction ID: 6c43060ea65bb45367366658a57a34e6b154de54e2c5bdf2035bc1a1d8b829bc
Opcode Fuzzy Hash: 88101d22fbe5bbc00d1c53d9a309f271d194775be8aefb8aa398530b85d3667a
Instruction Fuzzy Hash: CA218E752007019FCB29DF29CD01B56B7F5FF48B04F288468A509CBB61E371EA42DB95

Function 018F80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 6d8e143250d9e196648487a281b32b760e97f915e4b3c33bce756cdf6e594d8f
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: FD218172A00209EFDF129F58CC40B9EBBB9EF85310F204419FA00E7251D734DA50DB50

Function 018815A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 6662402b5e5af9b5420360c03dff1040e0e1a5430974ce1caf9701ebb0306720
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: 0A21F671600689DFE7169B9DC948B21BBE9AF40B44F0900A5ED05DB252FB38DE41C762

Function 01890124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 05df8d7511deaf3ed6726f0eef8944df2e63fd0776f3c0d3bf8fe0b1350f1102
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 0511D0B2600A15AFEB229A48CC41F9ABBBCEF80B54F180429F600CB180D671EE44CB55

Function 018ED080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750b0540f6fd64bc588da556ac2e8479e24d011d603e6ba410c07b91d49eee2e
Instruction ID: a4971267bd34eb6960c77ec5456130263e91e82a395538452b2b4e21e2bbe2e6
Opcode Fuzzy Hash: 750b0540f6fd64bc588da556ac2e8479e24d011d603e6ba410c07b91d49eee2e
Instruction Fuzzy Hash: 19112971140741EBC732AB6CCC44F22BBE9FB927A4F140528F908DB151D631DE01D791

Function 018680E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01122b8246d69b4fe7d9e300b573adbcfe4db28b61ec031a2f0ea0f3157c85d
Instruction ID: bc70fd34566d9ed3d3f040d4a0ecb0f0ce8707011d6446751dd3d82a5d22e6c1
Opcode Fuzzy Hash: c01122b8246d69b4fe7d9e300b573adbcfe4db28b61ec031a2f0ea0f3157c85d
Instruction Fuzzy Hash: 66216F75A00609DFCB14CF58C581A6EBBB9FB89718F24416DD109AB311D771AE06CBD0

Function 018FD5B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction ID: 3b952cc405ac383e47e39110c1ee4b31212ab062f17101940ff3e1e1d01ca998
Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction Fuzzy Hash: 8011E232210600AFDB22DFA8CC40F5AB7A9EF94764F104519E649DB680E734FB01CBA6

Function 01859240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8465ee5844a75ea3ebfb165037ade74607a4bd9900b26a90db9645f5139a5d84
Instruction ID: 4e4888e6664540682925355179f90593a3252d8335d52bfdccbba5c16400fb7b
Opcode Fuzzy Hash: 8465ee5844a75ea3ebfb165037ade74607a4bd9900b26a90db9645f5139a5d84
Instruction Fuzzy Hash: 8511017B019301EAD3319F69E941A727BF8FBA8BC4F504125E904E7358E234DE01CB65

Function 018ED250 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364a173a5a36e39c93113f798bbf5a1f3a53303a23b058dc93debee8036d9de0
Instruction ID: 0ea4b942ff77d910a883e52336c05a3f82ae1d1469603c62a5aa5dd697c1a7c4
Opcode Fuzzy Hash: 364a173a5a36e39c93113f798bbf5a1f3a53303a23b058dc93debee8036d9de0
Instruction Fuzzy Hash: 4101667360430017DB2195ED888CBABB799EB96774F140328BE04DF201DA28EB4583E2

Function 0188B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb6548da4ba14f98a0f03b4438ab46af6649b89f936abe08e269d057ce34dc3
Instruction ID: 4f58c462c187b7b03f31ac59440f3d285c88c02664e6edd86a691a86f6c08b52
Opcode Fuzzy Hash: 3bb6548da4ba14f98a0f03b4438ab46af6649b89f936abe08e269d057ce34dc3
Instruction Fuzzy Hash: F101F972B007056BE710BBAE9C90F6BBBE8DFD4714F040429E705D3241E674EF018622

Function 01857330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dc682cb6ac2500652eb7b0ec4882afa5e623e6f257fc05d827369217c1cb6d
Instruction ID: a986a14c376d549748b530c4ea83d9cc56d50ea8253d01da99c9ca30abae42c0
Opcode Fuzzy Hash: 85dc682cb6ac2500652eb7b0ec4882afa5e623e6f257fc05d827369217c1cb6d
Instruction Fuzzy Hash: 701170726106159FE721CF59C842BAB7BE8EF44364F858829EE85C7212D735ED40CBA1

Function 0188E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 6fbdb6fcf7c4d083a92293732d1a69da8626341c00d91de4e49d1efa5ccb09ca
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 8411E5712016C69BFB23A72CC954B657B95EB01B4CF1900A4EF41D7652F338CA42C262

Function 0188F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754fccbc610c51868f2080f564cc716a1bb2f950cc3eb04320ef791d7ddfa4bf
Instruction ID: 851bd243c4c1e40caaf7f5a9e53ee8b69126c8f2893bebbca22bac07626ba2c0
Opcode Fuzzy Hash: 754fccbc610c51868f2080f564cc716a1bb2f950cc3eb04320ef791d7ddfa4bf
Instruction Fuzzy Hash: 3211CE72A00748ABD720DF6DC884BAEBBA8FF54700F54006AFA05EB242DB39DE41C751

Function 018F72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: f06fd8e7f21946e02a0407deae4d79b33bbaca5ef0bd578f5b111d1a0153792f
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: E2019276140506BFF721AF5ACC80E52FB6EFFA4790B400529F35482560C731EDA1DAA5

Function 0185A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 9aac7643237fbe68e623bda06a781f27690ce036a73f999a9b88be008fbc2ce8
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: FC012632404725AFCB758F19E881A327FA5EF55BA07008A2DFC95CB281C331D600CB60

Function 018DE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99ae86efd0e7ddf4b23c312001cd2eadb16703783ed9c144e5bb0aeb8dc96df
Instruction ID: 8d2d56bb7904556133e8fe883f82c53802dd74e3bdfcc47652240c27d82fe020
Opcode Fuzzy Hash: a99ae86efd0e7ddf4b23c312001cd2eadb16703783ed9c144e5bb0aeb8dc96df
Instruction Fuzzy Hash: E2117932241241EFDB15EF19C990F16BBB8FB94B84F2000A9FA05DB661D635EA01CA91

Function 01866259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042efdc512a94d58446aa2bbac7650e39037230de3802692ebfb3e7e4f7d7e0f
Instruction ID: ed7dabdd62354b34676f928441aac957ec5c1fd6005a678ab1eb37824bf1e62e
Opcode Fuzzy Hash: 042efdc512a94d58446aa2bbac7650e39037230de3802692ebfb3e7e4f7d7e0f
Instruction Fuzzy Hash: 11115E71541219ABEB35AB68CC41FE9B379AB04710F9041D4A314E61E0D7709F81CF85

Function 0186208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: f941e18da8a792595a88fcb19c608abf02dd3ad9a77d3197fd3cfd091b2ab291
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 9D0124322001118BEF119A2DD8C0B92BB6BBFC4700F1945E9EE05CF246DA71CE81C392

Function 018E6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b457b7f8f0444bd216682dc4e48edd3f8525a4f8c802ead557f6e7b15a9330
Instruction ID: d4ecda3610a5c3b0e7d47ba6cf6b607ad2fa24af1686d763cc9afab1bdfe9696
Opcode Fuzzy Hash: f0b457b7f8f0444bd216682dc4e48edd3f8525a4f8c802ead557f6e7b15a9330
Instruction Fuzzy Hash: F5111773900119ABCB11DB98CC84EDFBBBCEF58358F044166A906E7211EA34EB15CBA1

Function 018F6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99c0025bc7099b9835a09393aea04c8e22ce8e56362bcfe877106e90333c42a
Instruction ID: 877b8f4aab9d229ae6e37dfe497cc58c4cae913f2e0da5c5387a85d935462ad6
Opcode Fuzzy Hash: f99c0025bc7099b9835a09393aea04c8e22ce8e56362bcfe877106e90333c42a
Instruction Fuzzy Hash: 3711E5326041459FD301CF18C800BA1BBB5FB5A314F188259F944DF315E732ED40CBA0

Function 018A20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8203a5ba126d412ece624a0a4d805a13d3c064414bc96813f5c2b9536b73ac5b
Instruction ID: 466aa4ed52e9689211a45cf2fd24a92e4dee2a4be3f892923662fa58bb712502
Opcode Fuzzy Hash: 8203a5ba126d412ece624a0a4d805a13d3c064414bc96813f5c2b9536b73ac5b
Instruction Fuzzy Hash: 1C11A975A0120DEBDF15EFA8C840BAE7BB6EB44340F104058E912EB280EB34EF11CB91

Function 0185C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: fbddf216bab3a1e5bef36acf53adfed7578db616b01bc6993c753a395d95d302
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 0A01B532100705AFEF2296A9C840EA777EDFFC5318F054519A956CB640DB74E642CF51

Function 0189E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6ab2d69f4428b259fb126f551ccb5c1e4bfa4ecdf6460adc996c5d0ab1958c
Instruction ID: 9c3fec8e487d062b9c4f7031ea18e83b0ce762bf4afa5fe8d922c64e49a821b3
Opcode Fuzzy Hash: 5f6ab2d69f4428b259fb126f551ccb5c1e4bfa4ecdf6460adc996c5d0ab1958c
Instruction Fuzzy Hash: 0501DF71600A02BBD311BB7DCD80E17BBACFB947A4B000629F609C3650DB24EE01C6A2

Function 01859353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: a44ed80a4ce43b3d6cec3e8421b835c04c08fc418254d755b4913b418ef0adaf
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 1511C432801B02DFE7719F19C880B62B7E4FF5076AF15986CD8898B5A6C374E981DB11

Function 0189D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 60987d96b65ea00ac048d1989ecb1c87287ea8a24542bfd0d00069d6132727eb
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 10012472A01204DBDF159AD8E800F6577A9EBC4734F288295FF25CB280CB74EA40C79A

Function 018833A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 579ce962870afbbcf83c05b0ccbfd273f63481ced9d2f57ce441d43d3dd2cf96
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: B8018136300105ABCB52AAAEDD90E9B7EACBF94B50B194429BE15D7560EA30DB02C760

Function 0191F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5f64a3a106a7a13304c0dca49fa3085a904b8116b1021770ec5e7b045c9a17
Instruction ID: 91174fe563a7875c315237b1a3473400a58354b1b2ccee133324338dc4f2f83f
Opcode Fuzzy Hash: bd5f64a3a106a7a13304c0dca49fa3085a904b8116b1021770ec5e7b045c9a17
Instruction Fuzzy Hash: AA019E71A0024DABDB04EF69D841FAEBBB8EF54340F404466B905EB280D674DA41CB91

Function 0191F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377af6d8fa37c1de414f16bd9376d64256e6c54f3533ff02df58bc683e1eaf87
Instruction ID: 246e8a1b678be4ea08e34a47d9d0b74c37d28a7174f4c1f78b95c4f09db6776a
Opcode Fuzzy Hash: 377af6d8fa37c1de414f16bd9376d64256e6c54f3533ff02df58bc683e1eaf87
Instruction Fuzzy Hash: 23019E71A0024DABDB04EF69D845FAEBBB8EF44710F404066B904EB281D674DA41CB91

Function 0187E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: b411c2c892eb6fd306a6b42176c81ec6d2f071d3d1dafcb7789cf3355fc0d9a5
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: C6018F726015849FE323871DC948F667BE8FF4A758F0904A5FA09CBAA1D778DE40C622

Function 0185826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b698fbefa9bf158f53b96388c6771f686633feba7dbf60b9778d8321daf9f1
Instruction ID: 8cb7a047370db4cfdcddb6e10accbf28fbcbf9ea0ad9ff61769401011b60372e
Opcode Fuzzy Hash: 64b698fbefa9bf158f53b96388c6771f686633feba7dbf60b9778d8321daf9f1
Instruction Fuzzy Hash: 4801D4317006099FD714DB6ED8089AEBBE9EF82390F45402A9E01E7644DE70DB01C792

Function 0191F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b6b4295f4c5628e895ee816d4e76861ab993f5d7b043f22d27d6e299567689
Instruction ID: 48ae36feeabd86f823fb66b52cfc4277894e18de531f107b3cce9a758fbe304e
Opcode Fuzzy Hash: a0b6b4295f4c5628e895ee816d4e76861ab993f5d7b043f22d27d6e299567689
Instruction Fuzzy Hash: 07018F71A00258ABEB10EBA9D805FAEBBB8EF54740F444066F905EB280E6B4DA01C795

Function 01862582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7845f1d20365347721b99c4f17460042082adbf5daf7cb48df02dd85d01e11
Instruction ID: ee71ddd08c21afe5302af511ecdbde39b15bd9f353b000eb1ba93cefe36c8022
Opcode Fuzzy Hash: 3b7845f1d20365347721b99c4f17460042082adbf5daf7cb48df02dd85d01e11
Instruction Fuzzy Hash: EDF0F432741A10B7C7319B5A8C44F47BEAEEBC4B90F044428BA0AD7600CA30EE01DBA1

Function 01935152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6c39b018d62f26def1f309a87f7490042dfe1f9c2afa2f2c09ca7a053a4629
Instruction ID: 0d9680a6a64866e1570463fc0bb73f96bb22a5340cb90e0391eaf6bc64a00ff5
Opcode Fuzzy Hash: ff6c39b018d62f26def1f309a87f7490042dfe1f9c2afa2f2c09ca7a053a4629
Instruction Fuzzy Hash: 17012C71A10249ABEB00DFA9D941AEEBBF8FF98300F10405AE905F7340D774EA018BA1

Function 019350D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6f2656f54f118bba475ebc1628ec1eacd0753655017901c8bb7979eefec397
Instruction ID: 59a416881b223e14839b4de0c1bfc5b4d031c53e31b0ca2413a225ed99d56300
Opcode Fuzzy Hash: 4f6f2656f54f118bba475ebc1628ec1eacd0753655017901c8bb7979eefec397
Instruction Fuzzy Hash: CF012CB1A00209ABDB00DFA9D941AEEBBF8FF58304F50405AE905F7381D774EA01CBA1

Function 01935060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b4a6924547f25a363c5f17418d6839af1e0750a7fbf8ba1e7a05e38c222bc3
Instruction ID: f645ec867f3751cca1bad9ddf864506d198d21d2830764521c4f558d5951cd9f
Opcode Fuzzy Hash: 57b4a6924547f25a363c5f17418d6839af1e0750a7fbf8ba1e7a05e38c222bc3
Instruction Fuzzy Hash: F3011A71A11209ABDB04DFA9D941AAEBBF8EF58300F50405AE905F7341D675EA018BA1

Function 0188C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: c9cd5079cc272a3e41bf13a6a912a93598a629c27e5a6c526ce1f1d0a6593404
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 14F0C2B3A00611ABE324DF4DDC40E57FBEADBD1B80F048528E645C7220EA31DE05CB90

Function 0185C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 742d7a00d6f74a74f9bdaf5699a5dcdcba53a3b4f870090da07bdc5b9f5276f1
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: BBF0FC732047279BD772175D4880BABA69DCFD1B65F190035EE05DB201CBA18F02AAD2

Function 01935537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96cc0b4e6432d1df6c6f8eac4cf3b81315f95bd00e6c5e02a0a3fbe93ebdcbf
Instruction ID: 2cafa5fa1394b07d9fb3c6817ba5c8e7079805c117fca33547bb75ed15130d2d
Opcode Fuzzy Hash: b96cc0b4e6432d1df6c6f8eac4cf3b81315f95bd00e6c5e02a0a3fbe93ebdcbf
Instruction Fuzzy Hash: B911CC71A1024ADFDB04DFA9D541B9DFBF4BF58300F144266E519EB382E634DA418B51

Function 019361E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b076bffe63d41686178c57b19bbdc529842cd0407dddc16539924747641b07fb
Instruction ID: f541539b4d0a9250efba07bcc40c5c0ad247fcba488c9650e189be658450c5dd
Opcode Fuzzy Hash: b076bffe63d41686178c57b19bbdc529842cd0407dddc16539924747641b07fb
Instruction Fuzzy Hash: B9014F71A01249ABDB04DFA9D445AEEBBF8BF58310F14405AE905F7280D774EB01CBA5

Function 018E63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 4bac27bb6d25efb3819fc61b818f0fe5e3ea1eb09c13702bc5d4c4139d08ef11
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 22F0FF7210001DBFEF019F94DD80DAF7BBDEB55398B104125BA1192160D631DE21A7A1

Function 0191F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08355ef4d830d76cd772fc238bd8453369f12abc4041302d9d7d81b034c66868
Instruction ID: c743cd372f8367701014e46124e368a6e17cd32e7b5b7d8314eb4abbb7f2a89a
Opcode Fuzzy Hash: 08355ef4d830d76cd772fc238bd8453369f12abc4041302d9d7d81b034c66868
Instruction Fuzzy Hash: 42F0A472A1024CABDB04DBBDC405AAEB7B8EF54710F008056E501F7280DA74DA058751

Function 0189724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 6d7b9ed86215edb01fe591307151196e36b3bd61a54e552ae25f08dc464b4545
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 23F0FC71A312556BEF14D7DC8540FAE7BA99FD0710F0C41D5B903D7181D630EB40CA50

Function 018EA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f639e1e1a780c6f42e84717694f0e45ac49239dc2a1f51c4227b10a5df530d2
Instruction ID: f64d59e0bfbc6bb539e0c7a67a192fe320514a3779c3bb38925d2cade4fbab60
Opcode Fuzzy Hash: 2f639e1e1a780c6f42e84717694f0e45ac49239dc2a1f51c4227b10a5df530d2
Instruction Fuzzy Hash: 6F018536110219ABCF129E94D844EDA3FA6FB4CB64F068105FE18A6220C332DA70EB91

Function 0185C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12cfc4a26bb1b2fe26c3e8697f087b0a7bc4d921c00fe985fceb701a4671af01
Instruction ID: 0e851132294604f4865ad64e60ea3469b78a8180eac23ec83b8d43e79d3ad076
Opcode Fuzzy Hash: 12cfc4a26bb1b2fe26c3e8697f087b0a7bc4d921c00fe985fceb701a4671af01
Instruction Fuzzy Hash: 1CF024B23847455BF7A4961D8C01B22329EE7C0791F29806AEF05CB2C1FB70DE018B94

Function 019353FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d61f21213cb25fb0003bef8bff368868dff976cfb4407274ac7c8d394d8647
Instruction ID: e4eff27278759686647f59698974eb3fa041736cca11d5b7f3658e702cf77c68
Opcode Fuzzy Hash: 13d61f21213cb25fb0003bef8bff368868dff976cfb4407274ac7c8d394d8647
Instruction Fuzzy Hash: 11011EB0A0020A9FEB04DFA9D545B9EF7F4FF18300F148165A919EB381E6749A408B91

Function 0189656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8d15748512a9609ac58a680fcfd12d3f697adc1001a8d2a911d94d353419f2
Instruction ID: dadc7ad04767b18bc3f4bc1aef6e5ebd560ee56288f1a326c236b424a6c58ed0
Opcode Fuzzy Hash: 9b8d15748512a9609ac58a680fcfd12d3f697adc1001a8d2a911d94d353419f2
Instruction Fuzzy Hash: 2801AFB0204785DFFB369B6CCD48F293BE8BB40B04F5C0194BA11DBAD6EB78D6418612

Function 0190437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 5a034d6febbb33082e2a5bb292ffa7a196c94f26772b9bdd53c9c5326ecd65a2
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: D4F089353819134BEB77AA2D9A20B2EA75E9F90E52B09252C9759CB6C0DF60D8018791

Function 0191F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0248461e53feb6d040524bcc3f7ba5aac72987efb561b095b79f619106aee86b
Instruction ID: b09ecc4be0481cb0fb2bd807eff882b1f8e150063f0cc91b26a0dc851b0850fc
Opcode Fuzzy Hash: 0248461e53feb6d040524bcc3f7ba5aac72987efb561b095b79f619106aee86b
Instruction Fuzzy Hash: E0F08771A0020DAFCB04EFA8D509A9EBBF4EF18300F408069B909EB381E674EA40CB55

Function 018592FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015c89ad657011b081e54bf99f945d399a959381c628efe9fc53bb2b497428fb
Instruction ID: 8008174133312bc978356a49f478bd5d86a8892d20c15971ec8353c3d0cd16e5
Opcode Fuzzy Hash: 015c89ad657011b081e54bf99f945d399a959381c628efe9fc53bb2b497428fb
Instruction Fuzzy Hash: 8BF0FA32200340EBEB31AB19DC08F9ABBEDEF84B04F08011CE94693092C6A0EA08C760

Function 019355C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f466a0b45ef3b0534ccc7e3fb524bd2fad59291465a86f81ae6e83ba98ac93
Instruction ID: ac182068a79ff8ffe9cc2767b08f97befc6065bcedd5261a1d7c7e35d3369d11
Opcode Fuzzy Hash: 68f466a0b45ef3b0534ccc7e3fb524bd2fad59291465a86f81ae6e83ba98ac93
Instruction Fuzzy Hash: 5AF04F74A00249AFDB04EFA8D545A9EBBF4FF58304F504459B905EB381E774EB00DB55

Function 01920115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f24dbb07334dd826ffdb016c1773dbcd6a72eb72a57ff62caaad8a17c24e71
Instruction ID: 6439f90a311de9e9c9b2ad23502e3d155630b948e36504b3f5bfb804f254a280
Opcode Fuzzy Hash: d0f24dbb07334dd826ffdb016c1773dbcd6a72eb72a57ff62caaad8a17c24e71
Instruction Fuzzy Hash: 73F0277641A79506CB325B2C74602D16F78B782110F6D1485E8A87720FC6748483C320

Function 0193539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff67860c35f6bd232184a29b3d26871b132d072f13f3293b4930a9662318155
Instruction ID: 29155ce214ce61115f7b173adf0fca1e24e4e828aea9dfefeb665078fb93f70b
Opcode Fuzzy Hash: fff67860c35f6bd232184a29b3d26871b132d072f13f3293b4930a9662318155
Instruction Fuzzy Hash: C5F0B470A1024DEFEB04EB78D441F5DB7F4AF58300F508054E905EB281DA74DA018B15

Function 01935283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e44d05dd713ff9547dba15994210707ef5b6a61ba3e98f28f82ec33deede08
Instruction ID: def7a1a607a1f143bd48d9b65f3fca547a964f2d6aa3bed441637e386861cd59
Opcode Fuzzy Hash: 29e44d05dd713ff9547dba15994210707ef5b6a61ba3e98f28f82ec33deede08
Instruction Fuzzy Hash: FCF0BE70A10209ABEB04EBA8D501EAEB7F8BF58300F404458B905EB281EB34EA008B51

Function 019352E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de1ac558d81bc5c09df2a0dc41c1d1de1c6311803ca037225a34a2d3343dc76
Instruction ID: fb0e7702ffe4768b79bb53645c1d486e27e3194808ce209c8648ef5b6ea5c34f
Opcode Fuzzy Hash: 6de1ac558d81bc5c09df2a0dc41c1d1de1c6311803ca037225a34a2d3343dc76
Instruction Fuzzy Hash: 98F0BE70A10249EBEB04EFB9E501E6EB7B8BF58300F444458A905EB281EA74EA00CB15

Function 0189C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec2df2eb7b9cbe96050ab370fdcf7cf9b58165d4e77db0193ad2ba3060f29f8
Instruction ID: d74f60074ce1528e9f461aba1d071170b829c41c28ff6e18054ad9226dbe2ebe
Opcode Fuzzy Hash: 4ec2df2eb7b9cbe96050ab370fdcf7cf9b58165d4e77db0193ad2ba3060f29f8
Instruction Fuzzy Hash: 6FF0E2716116519FEF33979CC148B517BD49B807A4F0D942DD506C7552C761FB80CAD1

Function 019351CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09dd069bcba201feb5db71658c2bb4865b378f2860caf44b7858a0fc64a3c853
Instruction ID: d0061fab5b6281c37e6cddddeb0c28dda1bbd404c376f024da6ffabab39aa9d3
Opcode Fuzzy Hash: 09dd069bcba201feb5db71658c2bb4865b378f2860caf44b7858a0fc64a3c853
Instruction Fuzzy Hash: FCF08270A11249ABEB04EBA8D505E6EB7B8BF58304F440459B905EB2C1EA74EA00C755

Function 018DD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: d243988b819830f49033b0801360b5762a57dade87001fecb76ec6f0f0bdbdff
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 33F0A03254461467D230AA5D8C05F5ABBACDBE5B70F10431ABA249A1D0DA60AA01D7D6

Function 01935341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf96747e4807c2e704e2867e23ff9c23ce6d183f700a7028809b9f4eec35b80
Instruction ID: 55e4e65c032a6413a2e46cef04b3641474881511df91cd011480a49532d6801c
Opcode Fuzzy Hash: 1bf96747e4807c2e704e2867e23ff9c23ce6d183f700a7028809b9f4eec35b80
Instruction Fuzzy Hash: D6F02770A00209EBEB04DBBCD445E9EB7F8EF59300F500058E902FB2D0EA74DA008715

Function 01897208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4eeaee3c5205d3b8a8ad7d60f027bf8793862da362efd4c2ddd93f1dd47a9a7
Instruction ID: 5eda6a939ebb7588ec82a83270b3abf08bee70b9d0396e9e7f86b81f2efa3624
Opcode Fuzzy Hash: b4eeaee3c5205d3b8a8ad7d60f027bf8793862da362efd4c2ddd93f1dd47a9a7
Instruction Fuzzy Hash: 41F08C719257999FDB22D75CC188B2277E8AB41B74F4D8561E409CBD02C638DA80C791

Function 01935227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1252b09758fdd94f6cb2b8eab580854cb4950ed64c48102fba26ff0138d3177b
Instruction ID: 2477262ade536d1c046ff80b52b21b4a0b974c6f341fe33bd3635aefb2852baf
Opcode Fuzzy Hash: 1252b09758fdd94f6cb2b8eab580854cb4950ed64c48102fba26ff0138d3177b
Instruction Fuzzy Hash: 1FF08270A14249ABEB14EBA8D505E6EB7B8AF58704F440458B905EB281EA74DA008759

Function 019354DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c62623c7e6417f68b942f51d440836302fd90c9ffa9715bfa9bef5bd07974b
Instruction ID: 135404b8a219761f28f8714e7d3224fbb705428aa3a32b3ed410bc1c0092233e
Opcode Fuzzy Hash: a4c62623c7e6417f68b942f51d440836302fd90c9ffa9715bfa9bef5bd07974b
Instruction Fuzzy Hash: 7BF08270A10249ABEB04EBADD555E9EBBB9AF58304F540058A905FB2C1EA74EA009715

Function 018F6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: ed9753b370396955b0149883881204bc11cdd70556354f09abc4c76523160ae8
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 45F0A0721002049FE3208F09D840F52B7F8EB55368F25C129E708EB160E33AED40CBA0

Function 018955C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: 6f627302c718aa999783913b1da2961fae4d18d64b72629ba2999b45a19df74f
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: 5DE02B33100614BBD7221A1ADC00F12FB69FFA07B0F144116F558D79918770FE11DAD5

Function 018625E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03738cb30e3e20bf3991c04ed20b721ac9cf9fcaac3cd002590760b694906e02
Instruction ID: 3225f4b18801f48265648a0d506b2a4a82691740a69dc3fd3147f91173081a9e
Opcode Fuzzy Hash: 03738cb30e3e20bf3991c04ed20b721ac9cf9fcaac3cd002590760b694906e02
Instruction Fuzzy Hash: 88E092321006549BC321BB2DDD01F8A779AEBA0364F014515B115971A0CA30AE10C795

Function 018E4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 4a76d3d78dc925c233afe1c9e4f202c0df19ab5c19b63cf59249f3906d839e67
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 16E0AE343002058BE755CF1AC044B627BA6BFD6B10F28C078A9488F205EB32A9428A40

Function 0191B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 2c86820d15c16a2581041613da1046e30e989b8895d8483e31b0705b56d84f8f
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: E4E0CD31285219B7DB221A54CC00F757729DB50791F104031FE0D9A690C671DD91E6D5

Function 0185823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 0c384ce3766c7e3ed7ead31bea841abd72a6733b4cb037b3a9695677baa7392a
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 2EE08C31104A14EFEB322E2BDC00B517BA2FF95B90F10482AE482864A48670AA82DA46

Function 01862050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac4f2e4de0ee9cbba0d351c0d51b48cfbde077107ce294824e84243d5a3d9f1
Instruction ID: b729edb7e3eb86a83ea39dca488b180e7604203ceec5a1a56f0f8d559b2cc663
Opcode Fuzzy Hash: 4ac4f2e4de0ee9cbba0d351c0d51b48cfbde077107ce294824e84243d5a3d9f1
Instruction Fuzzy Hash: 03E0C2331015506BC311FB6DDD41F4A739EEFA4360F000221F151D72E0CA20EE00C796

Function 018E92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a598953a8a3427704841acd17f4be4c73700d4cb5d6004d0ed7175a124a97452
Instruction ID: 0bed56206b1f5e6c9d1390acb70fd188f027d2bafd23bda1c329db715bf7c3bb
Opcode Fuzzy Hash: a598953a8a3427704841acd17f4be4c73700d4cb5d6004d0ed7175a124a97452
Instruction Fuzzy Hash: 0BF0C234655B84CBFB2ACF08C1A5B5177B9FB46B48F501498D4468BFA2C77AAA42CB40

Function 0185B562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: 7daa3bb8e7988490806f77c3c5f1440946a13aa723d5f6ce05e5a09e55984d72
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 8ED02B31020610AFD7352F19ED00F423A72EFA0B00F0400147001964F08661DE44D692

Function 004172E6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f2057f9e492c92e7ae47557fad13d98136afa5d6244b4f0444a323c9eb176d
Instruction ID: 82935d7001f1d21749d5be0c6e94b51b0788fe24d3ef25176d2e7924cb82d0d0
Opcode Fuzzy Hash: 63f2057f9e492c92e7ae47557fad13d98136afa5d6244b4f0444a323c9eb176d
Instruction Fuzzy Hash: 8EC0122FE101900780244C6AF480174F3F1D25B166B5432DACE8863601C50398108389

Function 0189E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: cd511628931613b0d14ca2a3ba076f8ac2785bfa2ab5cee2f3280edec34b3b66
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 67D02233604620AFE732AA2CFC00FC333E8BB98720F060459F018C7050C360EC81DA84

Function 00407B23 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2374706562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_97q26I8OtN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91381c223d3e79ce1f750690824aa24ea4d23756e47ddee61a7ec50e393e534c
Instruction ID: 7f4a7498ca8d3d005c9e4eb6f127015ab2318149d8587cd1bac4bbf0afd31f93
Opcode Fuzzy Hash: 91381c223d3e79ce1f750690824aa24ea4d23756e47ddee61a7ec50e393e534c
Instruction Fuzzy Hash: 33C09232E2D31E87D520E84CB9812B5E7A9E3B7374E2173B3EC48E77109597DC528698

Function 0185A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 2db5ac1c2f2dd1c6d1c3381130e86fa8cd54d163d8b68635adc7d5b7b1d90626
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: B5D0223222203093DB2C56696880F637905FBC0B94F0A012C3C0AD3800C0048D43E2E1

Function 018E930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 4202498ca8cd9551b1bea05bb9f970a4582e02601cac6572ec254b1eae7e7e3a
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 45D05E75941AC4CFE727CB08C169B907BF4F706B44F852098E04287BA2C3BC9A84CB00

Function 01880310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 9ad0e48b9f4b01c22ca869574b8eb317647351d7f3b56962f51522e93b6a8524
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 98D01236100249EFCB02EF45D890D9A772AFBD8710F108019FD19076108A31ED62DB50

Function 0188340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: be039ea746556c81baee82540b40b3afb62b82e88c51ccf595afbf31410e05f5
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: A8C08C781415816AFB2B671CC940B283A50BB20B06F84019CAF40B94A2C368DA029219

Function 018A3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb817cd96746a3126095dfab62f59c494724ba4a229dc059ecc3d5945485abf
Instruction ID: 2e18b69970a9b80ff06336e79b669f291bf21ed2385868fdd946923bd503c9aa
Opcode Fuzzy Hash: 3bb817cd96746a3126095dfab62f59c494724ba4a229dc059ecc3d5945485abf
Instruction Fuzzy Hash: 8E90022124140806D14071588854747000AD7D1701F55D011A1029564DC6168B6D6BB2

Function 018A3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c122689344fd0ebc2a56d8477b72818b2a52bfe4a83ee9a715e515465ee96d4
Instruction ID: 43120a35a0552f68918f9c1dd2b7ce62025e8bd8655cbc71e4f82d29dc80b8b2
Opcode Fuzzy Hash: 5c122689344fd0ebc2a56d8477b72818b2a52bfe4a83ee9a715e515465ee96d4
Instruction Fuzzy Hash: F690022120184446D14072584C44B4F410997E2302F95D019A515B564CC9158A5D5B22

Function 018A4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95da57dea59217b02367e5a7bb4aee3d81b9fe3a5609cd13ae1832819dd4fbc2
Instruction ID: bd8a1795daef4b3cddff84a8c5b7a59145caa971803f39105b98914b8742c21f
Opcode Fuzzy Hash: 95da57dea59217b02367e5a7bb4aee3d81b9fe3a5609cd13ae1832819dd4fbc2
Instruction Fuzzy Hash: E790023160580016914071584CC45864009A7E1301B55D011E1429564CCA148B5E5762

Function 018A35C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809a2e628f88572af1226956f202b1efcaa5c2d9b4f759fe49f19a96f65bfdfa
Instruction ID: 524aa147dd48ff081a0707201e509533c43b346d61abf177f1a5ea88d7d72532
Opcode Fuzzy Hash: 809a2e628f88572af1226956f202b1efcaa5c2d9b4f759fe49f19a96f65bfdfa
Instruction Fuzzy Hash: 8690023160550406D10071584954746100997D1301F65D411A1429578DC7958B596AA3

Function 018A4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31807a34f7b18529507c21abb5d709b62355f3ae4f7a4eae43f46b16fd7cebc4
Instruction ID: 2332f337d6cca572a0c598001c4f755099f5f95ad7d1a866555f5eb6b7216c7b
Opcode Fuzzy Hash: 31807a34f7b18529507c21abb5d709b62355f3ae4f7a4eae43f46b16fd7cebc4
Instruction Fuzzy Hash: D190026160150046414071584C444466009A7E2301395D115A1559570CC6188A5D976A

Function 018A39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20969f2f34960f8fa1c76623e348aee613b52686794904b3fb0d6d285841fc1
Instruction ID: 03fb01c8d083812bdd08ced3b476842ff8550d0684e31d92c961884c174d83ad
Opcode Fuzzy Hash: d20969f2f34960f8fa1c76623e348aee613b52686794904b3fb0d6d285841fc1
Instruction Fuzzy Hash: 3290022124545106D150715C48446564009B7E1301F55D021A18195A4DC5558A5D6722

Function 018A2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a75f16b36fec44bd7664bc0bd67e0066d755a7f66c02b742113e9a96bbac977
Instruction ID: f4868a672c092634e62eaa317c63b51cdc75ab744532338beaf9fe6029a6f078
Opcode Fuzzy Hash: 5a75f16b36fec44bd7664bc0bd67e0066d755a7f66c02b742113e9a96bbac977
Instruction Fuzzy Hash: 4D90023120140806D10471584C446C6000997D1301F55D011A7029665ED6658A997632

Function 018A2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387941cc3d9ead37390c8fa03c11a44338d0e37a1a868a5e4832f2bd456abaff
Instruction ID: db9a1d26bb9356501573ee70ed6ef20ccb300257ea97376d4dd2d11d732d5f4e
Opcode Fuzzy Hash: 387941cc3d9ead37390c8fa03c11a44338d0e37a1a868a5e4832f2bd456abaff
Instruction Fuzzy Hash: 8690023160540806D15071584854786000997D1301F55D011A1029664DC7558B5D7BA2

Function 018A2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc59b7fde517867bd953a15ac3ade4cfb846bd5e277521736bb8b3c9e4e3b47
Instruction ID: 242b7171aeb29661a3dd002297d451330e3826d44fb65aec84edf8e440b39135
Opcode Fuzzy Hash: abc59b7fde517867bd953a15ac3ade4cfb846bd5e277521736bb8b3c9e4e3b47
Instruction Fuzzy Hash: DC90023120544846D14071584844A86001997D1305F55D011A10696A4DD6258F5DBB62

Function 018A2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b67033f0f6deb182830fa180763aa0bdb91a594d9b5cde8cdec4496a777915c
Instruction ID: bdfd9bf4adf5db0cca183e5fa6029d1d76a9ae1982cbb144e341c2485c6f5986
Opcode Fuzzy Hash: 4b67033f0f6deb182830fa180763aa0bdb91a594d9b5cde8cdec4496a777915c
Instruction Fuzzy Hash: 3C9002A1201540964500B2588844B4A450997E1301B55D016E2059570CC5258A599636

Function 018A2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5697d33aad45207c7a50dccebc0fa59e337f1b5901f189e5ade8f9cee6550a95
Instruction ID: ca21d4cb26c386bb0ecd70e14be343ddf250e07f25e447fc98441ebfbe225e73
Opcode Fuzzy Hash: 5697d33aad45207c7a50dccebc0fa59e337f1b5901f189e5ade8f9cee6550a95
Instruction Fuzzy Hash: A7900225221400060145B5580A4454B0449A7D7351395D015F241B5A0CC6218A6D5722

Function 018A2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634ca87bac1a292948bb196e323ec6363eba845819b313dd805da46b229563c
Instruction ID: 432302f11cb08f6cf6ac331ec8444e30948e3620d735e01a077c875aa4f88ed6
Opcode Fuzzy Hash: 1634ca87bac1a292948bb196e323ec6363eba845819b313dd805da46b229563c
Instruction Fuzzy Hash: BF90023124140406D14171584844646000DA7D1341F95D012A1429564EC6558B5EAF62

Function 018A2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f893a658d6131684763dec48aa70d89f8d9d142371afe8b90f7dd8faaad3dd46
Instruction ID: e23c7ea29546540d04fe1580bacf859cd375d3d34b81950020f66ed642e1ed04
Opcode Fuzzy Hash: f893a658d6131684763dec48aa70d89f8d9d142371afe8b90f7dd8faaad3dd46
Instruction Fuzzy Hash: F390022120544446D10075585848A46000997D1305F55E011A20695A5DC6358A59A632

Function 018A3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37f364ca163028ba253ab1d22f038758803670b358deb205e62f1d62352a661
Instruction ID: 3a8e21d84fdf1755b4dec124c85d9216e3c16341bd75099d64a15e78b608c61b
Opcode Fuzzy Hash: b37f364ca163028ba253ab1d22f038758803670b358deb205e62f1d62352a661
Instruction Fuzzy Hash: 5390023120240146954072585C44A8E410997E2302B95E415A101A564CC9148A695722

Function 018A3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc6a4510069606777bcf91a2d633b1669fd70434116aa00c35ac2bce67951ab
Instruction ID: 1ce540b83ec17c33dd2d196772abd6e623911758becf7e635d104e992c14fad8
Opcode Fuzzy Hash: 5cc6a4510069606777bcf91a2d633b1669fd70434116aa00c35ac2bce67951ab
Instruction Fuzzy Hash: 5F90023520140406D51071585C44686004A97D1301F55E411A1429568DC6548AA9A622

Function 018A2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbd9c4a3f62d3df78fdebd87c6b93aa49512bdde0df3928f965ff159e1286a4
Instruction ID: 104dfc23f476e55835fded525c2355680aa20b03b7be8113575346af5cd64e6f
Opcode Fuzzy Hash: 9bbd9c4a3f62d3df78fdebd87c6b93aa49512bdde0df3928f965ff159e1286a4
Instruction Fuzzy Hash: 5190022160540406D14071585858746001997D1301F55E011A1029564DC6598B5D6BA2

Function 018A2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6edc828046d245c74260a2e894110b849d6722b5f9814f93803f5b7b5259e23
Instruction ID: e08f8192d0cc025d4160cc1bb88e1ad293b0262042509f625c6a90ee9c93c015
Opcode Fuzzy Hash: e6edc828046d245c74260a2e894110b849d6722b5f9814f93803f5b7b5259e23
Instruction Fuzzy Hash: 7390023120140407D10071585948747000997D1301F55E411A1429568DD6568A596622

Function 018A2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3cb131ce94196ebdde521af7751f96e2cbdf146343e86c131ca9eab6f74ba9
Instruction ID: ccb542d19543b9539815910c64c726e0c062bfa139b515ca94d0e3ad06261f95
Opcode Fuzzy Hash: 1d3cb131ce94196ebdde521af7751f96e2cbdf146343e86c131ca9eab6f74ba9
Instruction Fuzzy Hash: FB90023120140846D10071584844B86000997E1301F55D016A1129664DC615CA597A22

Function 018A2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffa019f54ecbdedff10d10462c77645ac18c64aceda526f232be144720680f4
Instruction ID: ec35fdfdf13059428983a89dccce95521baf327f256994fc6683dc8f3f6f1f53
Opcode Fuzzy Hash: 5ffa019f54ecbdedff10d10462c77645ac18c64aceda526f232be144720680f4
Instruction Fuzzy Hash: FD90023120180406D10071584C48787000997D1302F55D011A6169565EC665CA996A32

Function 018A2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8859ecd6c9073f731bc50e783a4da1f94c6c8f391b168ae20e4ba4c69c000c2e
Instruction ID: dc24e854d8b23fb14759b99b0679a4e045222eca798760ee8ce835b66d7c05a0
Opcode Fuzzy Hash: 8859ecd6c9073f731bc50e783a4da1f94c6c8f391b168ae20e4ba4c69c000c2e
Instruction Fuzzy Hash: 0790026121140046D10471584844746004997E2301F55D012A3159564CC5298E695626

Function 018A2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3191241866ac120e660f0de327e85fc0a5dc809144be56c0262339c80a003608
Instruction ID: 5ba4826f5fd05252a55340d57cb3ad81fc43c2b0939edf4f9a30575b98242613
Opcode Fuzzy Hash: 3191241866ac120e660f0de327e85fc0a5dc809144be56c0262339c80a003608
Instruction Fuzzy Hash: 7290026120180407D14075584C44647000997D1302F55D011A3069565ECA298E596636

Function 018A2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75e5224ba9c146593dc3a6e2f690f6c9d60b4c6373b1dce5d57aca229deffd7
Instruction ID: 5d9c7b8bf1bef92e38af7e0338cf9d089849895ea98d29e7f2c854eb05e64963
Opcode Fuzzy Hash: a75e5224ba9c146593dc3a6e2f690f6c9d60b4c6373b1dce5d57aca229deffd7
Instruction Fuzzy Hash: 2F90022130140406D10271584854646000DD7D2345F95D012E2429565DC6258B5BA633

Function 018A2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 495660c6c6ebb40cda5277ddaf59ab26478b30a0221369676ecf7f655a56e0dd
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 018A2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 018A293C
___swprintf_l.LIBCMT ref: 018A295E
___swprintf_l.LIBCMT ref: 018A29A3
___swprintf_l.LIBCMT ref: 018DA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 018DA54E
::%hs%u.%u.%u.%u, xrefs: 018DA527
ffff:, xrefs: 018DA504
:%u.%u.%u.%u, xrefs: 018DA5B8

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 4a32caf65a3db453b981b226abc97aea5978002fcff4fb4f17607b8c7e2b913d
Instruction ID: 405ee2b63be1e87b99eaef81be36d9ad88f1dac0735e08896355a61e03d99192
Opcode Fuzzy Hash: 4a32caf65a3db453b981b226abc97aea5978002fcff4fb4f17607b8c7e2b913d
Instruction Fuzzy Hash: E851F9B2A0021ABFDB25DB9C89D097EFBB9BB48740B948229F495D7641D334DF0087E0

Function 01912410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019124A6
___swprintf_l.LIBCMT ref: 019124E2
___swprintf_l.LIBCMT ref: 0191257D
___swprintf_l.LIBCMT ref: 019125A3
___swprintf_l.LIBCMT ref: 019125C8
___swprintf_l.LIBCMT ref: 01912608

Strings

::%hs%u.%u.%u.%u, xrefs: 0191249E
:%u.%u.%u.%u, xrefs: 019125FF
ffff:, xrefs: 0191247D, 0191249D
::ffff:0:%u.%u.%u.%u, xrefs: 019124DA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 59e87a61eb011a6e1281cd7d3359bc124b418f3f77e41ab29b1dd28dbb22841a
Instruction ID: 85f3fb51820a1b5a50e0cc5f3b2a7220a4ebc6063d379fe2a95485a3a8fa7039
Opcode Fuzzy Hash: 59e87a61eb011a6e1281cd7d3359bc124b418f3f77e41ab29b1dd28dbb22841a
Instruction Fuzzy Hash: 97512A71A006496ECB30EF5CC9D087FB7FCEB44301B648869F59AD7685E674DA808760

Function 01897630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 018D4742
Execute=1, xrefs: 018D4713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 018D4725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 018D4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018D46FC
CLIENT(ntdll): Processing section info %ws..., xrefs: 018D4787
ExecuteOptions, xrefs: 018D46A0

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: e574790721ea0dbc361ba05222f98e1319ad9ffc8d9ff3a8e79e129f4d1ec3dd
Instruction ID: 672e325399dc7e4e60828f12a082a32e844e3b8c2cf5da90e6cdca7e4f7c3457
Opcode Fuzzy Hash: e574790721ea0dbc361ba05222f98e1319ad9ffc8d9ff3a8e79e129f4d1ec3dd
Instruction Fuzzy Hash: 3251093165021D7BEF21AFA8DC89FAD77A8AF55304F0800A9D605EB181EB70AB45CF95

Function 018AB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 018AB6BF

Strings

-, xrefs: 018AB650
0, xrefs: 018AB66F
+, xrefs: 018AB65A
0, xrefs: 018AB695

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 3b5e5b8a5e5c4832d1f5056523aa9ef1fc3ed7699cd2bc86bae7de93d48bcdca
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: CD81AF70E052499FFF298E6CC8917FEBFB1AF45360F984219D861E7291C7749A40CB51

Function 0189BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 018D7B7F
RTL: Resource at %p, xrefs: 018D7B8E
RTL: Re-Waiting, xrefs: 018D7BAC

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: cf74e81820845e573b8a1d2074f7d1feced16db1120b2f08a8066888cd67b14d
Instruction ID: 414991d08dccdf6cbbcd1bdd8a0a42e348d372938281198ce2f5ddb56376c209
Opcode Fuzzy Hash: cf74e81820845e573b8a1d2074f7d1feced16db1120b2f08a8066888cd67b14d
Instruction Fuzzy Hash: 924104313007069FDB20DE29D840F6AB7E5EF89714F140A1DFA5ADB780DB71EA058B91

Function 0189B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018D728C

Strings

RTL: Resource at %p, xrefs: 018D72A3
RTL: Re-Waiting, xrefs: 018D72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 018D7294

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: be0e6ca860be2148885babd6cf124c434543861580e76c2b1cee43e286543ad9
Instruction ID: 57be1ebb26e989b460472533eee0e708e4eb18a5e7b9830f888afb4b745bf629
Opcode Fuzzy Hash: be0e6ca860be2148885babd6cf124c434543861580e76c2b1cee43e286543ad9
Instruction Fuzzy Hash: B5411131700346ABDB21DE29CC81F6AB7A5FF95718F140619FA56EB240DB31FA428BD1

Function 01912300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0191238D
___swprintf_l.LIBCMT ref: 019123B3

Strings

%%%u, xrefs: 01912384
]:%u, xrefs: 019123AA

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: c4bb41950e83d5ef92e719e0ba6fa357ff93f6320842bf954dc9e15d0cb5587e
Instruction ID: 57d9816d619ef909ceb83edff5f3d2c2647594135042fae8198bdd361d9d11c3
Opcode Fuzzy Hash: c4bb41950e83d5ef92e719e0ba6fa357ff93f6320842bf954dc9e15d0cb5587e
Instruction Fuzzy Hash: 44317372A002199FDB20DF2DCC40BEEB7B8EB54751F940555E949E3244EB30AA458BA1

Function 018A7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 018A7E8B

Strings

+, xrefs: 018A7DE8
-, xrefs: 018A7DDD

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: d3f2071d455bc2b0fa9422c931d90c9982220fcece1d1d376b2a8de536508cbb
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 5391C571E0020A9BFF24DF6DC8806BEBBB5AF44720F94451AEA55E72C4E7728B409761

Function 01869126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01869191
@, xrefs: 01869175

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 36f474deb1c9c282b4d2f9cd221f0a94258abc5044f7f57fbfe66fc818f720c4
Instruction ID: 52043a69ad0d5edee13e60bd6cc29fda7bf025da813aa1335014c7a95a6ec065
Opcode Fuzzy Hash: 36f474deb1c9c282b4d2f9cd221f0a94258abc5044f7f57fbfe66fc818f720c4
Instruction Fuzzy Hash: 67810B71D00269DBDB25DB58CC44BEAB7B8AB48714F0041DAEA19F7280D7309F85CF61

Function 018ECEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 018ECFBD

Strings

@, xrefs: 018ECF0A
@4Cw@4Cw, xrefs: 018ECFD5, 018ECFDA, 018ECFF1

Memory Dump Source

Source File: 00000006.00000002.2375435011.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_97q26I8OtN.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 931399416f48912549ea00024453760fa6a4e56add185580874ec6276ccd91d5
Instruction ID: 2507c04d562dcbdda05d1fb84761473ab54084bd2f2e30c60206b8345d6c1035
Opcode Fuzzy Hash: 931399416f48912549ea00024453760fa6a4e56add185580874ec6276ccd91d5
Instruction Fuzzy Hash: DD41AE71900219DFDB21DFA9C844AAEBBF8FF95B40F04412AE905EB254E770DA05CB62

Analysis Process: explorer.exePID: 4004, Parent PID: 7072COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	419
Total number of Limit Nodes:	15

Executed Functions

Function 0E2EE232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0E2EE449

Strings

`, xrefs: 0E2EE41D

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: d49b49146fd034394450378e86f2750aff7b092f1423048c3cc7ff965850d3b8
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 4C224C70A28A1A9FDB59DF28C4956AEF7E1FB58301F81062EE45ED3750DB30E851CB81

Function 0E2EFE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E2EFE67

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 487d218d1dae86eae70c780570698442af60be91e1aa668678dbc0056a1dbb8e
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 26019E34628B484F9B88EF6C948022AB7E4FBC9214F000B3EA99AC3254EB60D9414742

Function 0E2EFE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E2EFE67

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 7af9253c02350988d5cfaa8c8598d66e6019314bf8014cec86c793ddb7277c74
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 5C01A734628B884B8744EF2C94412A6B3E5FBCE314F400B3EE59AC3241DB21D5014782

Function 0E2EEF82 Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 815
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0E2EF12E

Strings

&sql, xrefs: 0E2EF471
Co, xrefs: 0E2EF323
GET , xrefs: 0E2EF318
nnec, xrefs: 0E2EF32A
: cl, xrefs: 0E2EF338
&un=, xrefs: 0E2EF4F1
ose, xrefs: 0E2EF33F
&br=, xrefs: 0E2EF509
dat=, xrefs: 0E2EF290
tion, xrefs: 0E2EF331

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: getaddrinfo
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 300660673-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: a4d5f73c90f2382fdec043517a4a720226cf6724092b358c0a964d286a0d04e7
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: D952A234624B198FDB29EF68C4947E9B7E1FB54300F90492EC49FC7646DE70A949CB81

Function 0E2E98C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E2E99A0

Strings

nt: , xrefs: 0E2E991E
on.d, xrefs: 0E2E9902
User-Agent: , xrefs: 0E2E9935, 0E2E9948
urlmon.dll, xrefs: 0E2E9959

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: a3eede77a7c55460ef66cb294756fc017a204bc67ff3c7a1445d5dfffcc76276
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: FC31D131624A1D8BCF44EFA8C884BEEBBE1FF58205F40062AD44ED7341DE788A45C789

Function 0E2E98BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E2E99A0

Strings

nt: , xrefs: 0E2E991E
on.d, xrefs: 0E2E9902
User-Agent: , xrefs: 0E2E9935, 0E2E9948
urlmon.dll, xrefs: 0E2E9959

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 7c3db1a2d89c4161417deb9f97be0bcc9ca832eda2eaf4cc986f0638da6ccc87
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 6121D270A20A5D8BCF04EFA8C894BEDBBE1FF58205F80462AD45AD7341DF748A45C789

Function 0E2E5B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0E2E5CCA

Strings

el32, xrefs: 0E2E5BA0
.dll, xrefs: 0E2E5BCD
kern, xrefs: 0E2E5B99

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 3fd517906a75998083fc6860aaf06cf89f99dfa04c86cf2d4369429b3d723813
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 48418E74924A18CFCB84EFA8C8D5BADB7E0FF58300F44067AC84ADB256DE309945CB81

Function 0E2E5B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0E2E5CCA

Strings

el32, xrefs: 0E2E5BA0
.dll, xrefs: 0E2E5BCD
kern, xrefs: 0E2E5B99

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: bbc1aa929ae2207dde837c8ee2ab9712ff0506317d9fa1de2aef0823f4b76a46
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: B0415A74928A088FDB84EFA8C499BADB7E0FF58300F44457AC94EDB256DE309945CB85

Function 0E2EB5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0E2EB611

Strings

sock, xrefs: 0E2EB5D9

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: e95bb798c41b3c55e8e108a8eca1504d88d053e9c1d8d88d5a3c53358905b7af
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 0C012170618A188FCB84EF1CD048B54BBE0FB59314F1545ADD45ECB366C7B0C9818B86

Function 0E2E32DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0E2E332D

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 5d0567cf3396ed92d99016552933cd835216932fb23aeb3cbbf0463e0887c8a1
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: B9318B74624B5ADFCB64EF6980986E5B3A0FB44302F84467EC92DCB606CB709854CFD1

Function 0E2E3412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0E2E3461

Memory Dump Source

Source File: 00000007.00000002.3533475165.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2b0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 04a733d36775268022d2e0aee9b7071c8bdbef95e19c7fd38f5203fd0736e820
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 2CF0C234668A494FD788EB2CD48562AF3E0FBA8215F450A3EA54DC3364DA29C9814756

Non-executed Functions

Function 0E07CD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

wini, xrefs: 0E07CF72
.dll, xrefs: 0E07CF2F
ll, xrefs: 0E07CF13
kern, xrefs: 0E07CF5A
user, xrefs: 0E07CF03
el32, xrefs: 0E07CF27
32.d, xrefs: 0E07CF0B
M, xrefs: 0E07D082
S, xrefs: 0E07D073
net., xrefs: 0E07CF44
dll, xrefs: 0E07CF4C

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 2b7ec3d9c5c8dc3ed0002aed81462333c619f4a8ea73f8258f2da483bff0d802
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 7DE15970618B488FCBA4EF68C4947EAB7E1FB58300F504A2E95DBC7255DF34A941CB89

Function 0E07F792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

Subm, xrefs: 0E07F855
user, xrefs: 0E07F876
ypte, xrefs: 0E07F8DA
guid, xrefs: 0E07F7CE
itUR, xrefs: 0E07F85D
encr, xrefs: 0E07F8D2
ypte, xrefs: 0E07F8A5
encr, xrefs: 0E07F89D
name, xrefs: 0E07F87D
dUse, xrefs: 0E07F8AD
d, xrefs: 0E07F8F2
form, xrefs: 0E07F84D
Fiel, xrefs: 0E07F884
swor, xrefs: 0E07F8EA
dPas, xrefs: 0E07F8E2
rnam, xrefs: 0E07F8B5
e, xrefs: 0E07F8BD

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 41e989cf5c090160ff2aadc67b9f39900b6b802d9c92ae9c3d634e6b51adc385
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: DBB18A30618B488EDB59EF68C485AEEB7F1FF98300F50491ED49AC7255EF709845CB86

Function 0E07D622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

u, xrefs: 0E07D661
d, xrefs: 0E07D67B
c, xrefs: 0E07D697
l, xrefs: 0E07D6AC
l, xrefs: 0E07D682
l, xrefs: 0E07D6D6
d, xrefs: 0E07D6CF
2, xrefs: 0E07D674
d, xrefs: 0E07D6A5
w, xrefs: 0E07D6B3
p, xrefs: 0E07D690
e, xrefs: 0E07D66D
n, xrefs: 0E07D6C1
i, xrefs: 0E07D69E
s, xrefs: 0E07D689
n, xrefs: 0E07D6BA
t, xrefs: 0E07D6C8

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: b3dea3291eaa138388b38e834f7ef611d1cc162d47d828e71f637987fdaec951
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: F841BE70A18B088FDB14DF98A4466BE7BE2FF88704F00025ED849D3245DBB59D46CBDA

Function 0E084AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

l, xrefs: 0E084C35
[, xrefs: 0E084CCD
D, xrefs: 0E084CDA
l, xrefs: 0E084CE2
e, xrefs: 0E084CA0
[, xrefs: 0E084C90
n, xrefs: 0E084C98
], xrefs: 0E084C3D
b, xrefs: 0E084C73
], xrefs: 0E084CA8
[, xrefs: 0E084BF6
[, xrefs: 0E084C66
c, xrefs: 0E084C0B
[, xrefs: 0E084C2D

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 948e0c4b1e64b5234dc76bea47b05c4c5c26b4ecb32897b2f7814547dfc67c89
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: FEC15C70618B098FC758FF28D895AEAF3E1FB94304F504B2E949AC7214DF30A915CB86

Function 0E084F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 0E084FC0
c, xrefs: 0E084FC8
0, xrefs: 0E084F5B
r, xrefs: 0E084FB0
r, xrefs: 0E084FA0
n, xrefs: 0E084F6B
r, xrefs: 0E084FB8
r, xrefs: 0E084F90
., xrefs: 0E084F63
r, xrefs: 0E084FA8
r, xrefs: 0E084F88
r, xrefs: 0E084F98

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: bb47fd4fbf908788e8cd7cb38d2a357d082723b9632ed349bc702829e8eb08ff
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: D151E4315187488FDB19EF58D9812EAB7E5FBC5300F501A2EE8DBC7241DBB49906CB82

Function 0E07E2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 0E07E320
l, xrefs: 0E07E4E2
4.dl, xrefs: 0E07E4DB
nspr, xrefs: 0E07E4D4
opera_browser.dll, xrefs: 0E07E629
dll, xrefs: 0E07E32E
cli., xrefs: 0E07E327
dragon_s.dll, xrefs: 0E07E614

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: a0088d6ca8c394bcd5f35177390d91fcc7685a092f7a1e7e96c798cdfb64e5e3
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: D0C19170A18A198FCB58FB68D495AEAB3E1FB94300F55476E848AC7254DF30ED02C785

Function 0E07E2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 0E07E320
l, xrefs: 0E07E4E2
4.dl, xrefs: 0E07E4DB
nspr, xrefs: 0E07E4D4
opera_browser.dll, xrefs: 0E07E629
dll, xrefs: 0E07E32E
cli., xrefs: 0E07E327
dragon_s.dll, xrefs: 0E07E614

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: ed5a47d1349a65eaad8b05a1f5ed3c5a611e21495b2123b1b46d12d7bfe49781
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: DBC19070A18A198FCB58FF68D495AEAB3E1FB98300F55476E848AC7254DF30ED42C785

Function 0E07FCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

L: , xrefs: 0E07FD66
User, xrefs: 0E07FDAB
2, xrefs: 0E07FDE1
word, xrefs: 0E07FD9E
Pass, xrefs: 0E07FD97
name, xrefs: 0E07FDB2
UR, xrefs: 0E07FD5F

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: b002e51194de2b8fcc9835acaab798b7a712f1319d0c9bea191d149b40a02722
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: A9A181706187488FDB19EFA894447EEB7E1FF98300F40462ED48AD7255EF709945CB89

Function 0E07FCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

L: , xrefs: 0E07FD66
User, xrefs: 0E07FDAB
2, xrefs: 0E07FDE1
word, xrefs: 0E07FD9E
Pass, xrefs: 0E07FD97
name, xrefs: 0E07FDB2
UR, xrefs: 0E07FD5F

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 16ca0361ac879643cb6aafc6f028a0bea1bbaf0dfbb918bddad912bfe8508569
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 40918F70A187488BDB19EFA8D444BEEB7E1FF98300F40462ED48AD7255EF709945CB89

Function 0E07F352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 0E07F47C
v, xrefs: 0E07F4A0
., xrefs: 0E07F3B0
e, xrefs: 0E07F48E
n, xrefs: 0E07F3E7

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 1b092faaca20b971bb0c0d4ede72e33cd76d8015222a165f2576b8d7d5b40650
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: D5717031A18B498FD758EFA8D4886EAB7F1FF58304F00062ED48AC7261EB71D9458B85

Function 0E07AC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

2.dl, xrefs: 0E07AC64
ole3, xrefs: 0E07AC5D
l32., xrefs: 0E07AC97
dll, xrefs: 0E07AC9E
shel, xrefs: 0E07AC90

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 8c7072fe6c5b3c1219433ed48da0db0a38c2c11abf1426b2cf5ec62cf92f5072
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: C3513BB0918B4C8BDB64EFA4D445AEEB7F1FF58300F404A2E949AE7214EF7095518B89

Function 0E07B86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

4, xrefs: 0E07B9E9
dll, xrefs: 0E07B8F4
ion., xrefs: 0E07B8EC
vers, xrefs: 0E07B8E4
\, xrefs: 0E07B9E0

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: b1991e4f77f596d6f7042a08b52fe46195fcb4860ae51a44d1e74ad016a459d4
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 46416230618B4C8BCBA5EF2898557EA77E5FB98301F50462E98DEC7240EF30D945CB86

Function 0E07D4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 0E07D515
user, xrefs: 0E07D4D3
32.d, xrefs: 0E07D4DA
sspi, xrefs: 0E07D50E
dll, xrefs: 0E07D51C

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 7b6b5f96f3b93a420460ebea86d8edcbfd7496050096ecb8775abf39c3b03767
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 9E415E30A28F0D8FCB98EF6880957AD77E1FF59344F50456AA88ED7250DA71D9408B8A

Function 0E07B432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 0E07B52A
el32, xrefs: 0E07B537
.dll, xrefs: 0E07B53F
h, xrefs: 0E07B51F

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 11a3c7bf62b3c84de8aabed7aecadd07a628b45ad897355f9a55a10f14ac018f
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: E6418270A18B488FD7A9DF6884983ABB7E1FB98340F104A2E94DEC3255DF70C945CB85

Function 0E0820B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 0E082154
, xrefs: 0E082184
f fr, xrefs: 0E08213D
om:, xrefs: 0E082146

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 1a96f3ebf2395e8376af5331f0af5c3d15f4c8e027a68e22112512c4d6c33b9c
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 4331E13151CB889FC71AEB28D5846DAB7D0FB94300F504D1EE4DBC7295EE31A94ACB42

Function 0E0820C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 0E082154
, xrefs: 0E082184
f fr, xrefs: 0E08213D
om:, xrefs: 0E082146

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: cc03302ff0f8b0b719c9d86a4c350f538f6ff8409fc6f9c7c4f5e2a19a783c7e
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 6231E071518B48AFD71AEB28D5846EAB7D4FBA4300F504D1EE4DBC3295EE30E946CA42

Function 0E07DFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

hild, xrefs: 0E07DFF6
me_c, xrefs: 0E07DFEE
chro, xrefs: 0E07E023
.dll, xrefs: 0E07DFFE

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: b4b831ef5f2bb1aebab5be936dfccbb1e87f384f0285ec387bc89959a8f782a9
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: B0316F70518B488FCB84FF688494BAAB7E1FB98200F94596E948ECB254DF30C945C796

Function 0E07DFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

hild, xrefs: 0E07DFF6
me_c, xrefs: 0E07DFEE
chro, xrefs: 0E07E023
.dll, xrefs: 0E07DFFE

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 450a6c9ef8e5ec8d5d168a659f5db724b1b2e501d11b643548c4ec465e840aa0
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 46317E70618B088FCB84EF688494BAAB7E1FF98200F945A6D948ACB254DF30C945C796

Function 0E0808C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0E080935, 0E080948
urlmon.dll, xrefs: 0E080959
on.d, xrefs: 0E080902
nt: , xrefs: 0E08091E

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 6f904e8fcfe769bc8ec26457a4960d2db5381f5f3bd695a79a053472f275eeba
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: F931D131614A0C8BCF45FFA8D8947EDB7E0FB58214F40462AD48ED7240DE788A45CB89

Function 0E0808BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0E080935, 0E080948
urlmon.dll, xrefs: 0E080959
on.d, xrefs: 0E080902
nt: , xrefs: 0E08091E

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: d8a08e9d153e1934b0479099dd3913fd5eb3476b08f789d22019bf26efdcb4be
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 6A21E130A10A0C8BDF45FFA8C9947EDBBE0FF58214F40462AD49AD7240DF748A49CB89

Function 0E081E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E081EF4
., xrefs: 0E081F1F
l, xrefs: 0E081F26
l, xrefs: 0E081F03

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 0da3a5dbc5cb3460f88f58d260b57b339fabc1a3c8938bbd46a966f319421bb1
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: B3214B70A24B0D9BDB44FFA8D0547E9BAF1FB58314F604A2ED089D3614DB7499918B84

Function 0E081E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E081EF4
., xrefs: 0E081F1F
l, xrefs: 0E081F26
l, xrefs: 0E081F03

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 6ef99603411eb0b1a402c5c0fd93bdd9fd73314020a99e81e1cbc32bb206f390
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 01217C70A24A0D9BDB04FFA8D0447E9BBF1FB18314F604A2ED089D3600DB7499918B84

Function 0E081FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 0E082022
user, xrefs: 0E082015
auth, xrefs: 0E08202F
logi, xrefs: 0E08203C

Memory Dump Source

Source File: 00000007.00000002.3533315688.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e030000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 28700f1ca3e5293f2c3923f03d7c28ed7b6e81218e64ef45d3a351171b7185aa
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 9721F030614B0C8BCB45EF9989802EEB7E1EF88340F04461AE44AEB209D7B4D9518BC2

Analysis Process: cmstp.exePID: 5256, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	0%
Total number of Nodes:	624
Total number of Limit Nodes:	77

Executed Functions

Function 0514A036 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0514A19F

Strings

0, xrefs: 0514A227

Memory Dump Source

Source File: 00000009.00000002.3518126913.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5140000_cmstp.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: 59b26bdcd7494d17d20a43e3fc3289738ec5b965bb4c23e1519f9ce9cd20c43b
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: 3BF15F74618A8C8FDFA9EF68C898AEEB7E1FF98304F40462AD44AD7251DF349541CB41

Function 05149BAF Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 227
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 05149C93
NtMapViewOfSection.NTDLL ref: 05149CFF
NtClose.NTDLL ref: 05149DC5

Strings

@, xrefs: 05149C8B
@, xrefs: 05149D0C

Memory Dump Source

Source File: 00000009.00000002.3518126913.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5140000_cmstp.jbxd

Similarity

API ID: Section$CloseCreateView
String ID: @$@
API String ID: 1133238012-149943524
Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction ID: 57b34b273f67b819bc97cbf4aff3a8e9ff2f92c68d65f6d812e9180a0360bbfd
Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction Fuzzy Hash: 9C61607061CB488FCB58EF68D8856AEBBE0FB98314F50062EE58AC3651DB35D441CB86

Function 05149BB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 05149C93
NtMapViewOfSection.NTDLL ref: 05149CFF

Strings

@, xrefs: 05149C8B
@, xrefs: 05149D0C

Memory Dump Source

Source File: 00000009.00000002.3518126913.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5140000_cmstp.jbxd

Similarity

API ID: Section$CreateView
String ID: @$@
API String ID: 1585966358-149943524
Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction ID: 2d5e087884e7843807f520662beb725b5dad912814fc51874934e95e662f9b90
Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction Fuzzy Hash: 80517FB061CB088FCB58DF58D895AAABBE0FB88314F50062EE58EC3651DF35D441CB86

Function 0514A042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0514A19F

Strings

0, xrefs: 0514A0CD

Memory Dump Source

Source File: 00000009.00000002.3518126913.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5140000_cmstp.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: ef784bafc99f3696db0c275c0adf5c19ae343e7532aa27fba4a20668ba4a1aa4
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: 48514D70918A8C8FDBA9EF68C8946EEBBF4FB98304F40462ED44AD7251DF349645CB41

Function 032DA382 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,032D4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,032D4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 032DA37D

Strings

.z`, xrefs: 032DA36D, 032DA378

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 8ec784265806de9398d5a8a8bf5c04919236b0974f2722abeb54408d36a7578a
Instruction ID: 0ce21393e4423f9c72df18a51abc4e42326011c618e981207769751a6e65caf8
Opcode Fuzzy Hash: 8ec784265806de9398d5a8a8bf5c04919236b0974f2722abeb54408d36a7578a
Instruction Fuzzy Hash: C20125B6618148AFCB48CF98EC81CAB37EDEF8C314B14864DF948C7241E630E8118BA0

Function 032DA330 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,032D4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,032D4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 032DA37D

Strings

.z`, xrefs: 032DA36D, 032DA378

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 87a7f4c31d8a61e90800ba325c3555b428864d82cd4f48cbeeefa83f75bdc36d
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: AEF0BDB2211208AFCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630E8518BA4

Function 032DA58B Relevance: 1.5, APIs: 1, Instructions: 39memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,032C2D11,00002000,00003000,00000004), ref: 032DA549

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d71397d6e64b58d50571f319b12c622b7a6fe93955615abde15b126fdb0c6a64
Instruction ID: a541ae6e220bad69d3e00f5aa6e9b6a1a67459369778cff22ba81000617eb180
Opcode Fuzzy Hash: d71397d6e64b58d50571f319b12c622b7a6fe93955615abde15b126fdb0c6a64
Instruction Fuzzy Hash: EEF0BEB52102087FDB14EF98EC84DE7B7ADEF88660F144599F9489B201C531E944CBF0

Function 032DA3E0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(032D4D72,5EB65239,FFFFFFFF,032D4A31,?,?,032D4D72,?,032D4A31,FFFFFFFF,5EB65239,032D4D72,?,00000000), ref: 032DA425

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 8fe7b056fa772c89ad8ff8a2ddc66af10c4debc91d1ebe53aace4f9f3f8b8f8e
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: EEF0A4B6210208AFCB14DF89DC80EEB77ADEF8C754F158249BA1D97241D630E8518BA0

Function 032DA3DD Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(032D4D72,5EB65239,FFFFFFFF,032D4A31,?,?,032D4D72,?,032D4A31,FFFFFFFF,5EB65239,032D4D72,?,00000000), ref: 032DA425

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2a833da6bee607256d26486a53dc488f89c638afe47e36b38ea11586295ade73
Instruction ID: 09156243efa203e02694c761b7a1d01843a9dcc65fa81499d572170047151851
Opcode Fuzzy Hash: 2a833da6bee607256d26486a53dc488f89c638afe47e36b38ea11586295ade73
Instruction Fuzzy Hash: 62F0B7B6210109AFCB14DF99DC80EEB77A9EF8C364F158649FA5D97294C630E851CBA0

Function 032DA510 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,032C2D11,00002000,00003000,00000004), ref: 032DA549

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 9f97231e9182ab2db2f5da2d8136a65c0b22f72830b1d8ac2c53652be06afe8b
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 9CF015B6210208AFCB14DF89CC80EAB77ADEF88654F118149FE089B241C630F811CBA0

Function 032DA45A Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(032D4D50,?,?,032D4D50,00000000,FFFFFFFF), ref: 032DA485

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 87039191fb6f0105beca3f00b3621d924706572783bb79f05d6defdb794ab7c0
Instruction ID: 685f0a0674e79ea0ee9005e93736f1967769487d346204bb297f01b254ca465e
Opcode Fuzzy Hash: 87039191fb6f0105beca3f00b3621d924706572783bb79f05d6defdb794ab7c0
Instruction Fuzzy Hash: EDE08C752102046BDB20EBB48C89EEB7B68EF44350F14419AFA4DAB652C970A6408A90

Function 032DA460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(032D4D50,?,?,032D4D50,00000000,FFFFFFFF), ref: 032DA485

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 6ca5044f545d373d327f6c3d4154025707cbf3caa8ea00d91fb14d31df278081
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: C2D01776210314ABD710EB98CC85EA77BACEF48660F154499BA589B242C570FA0086E0

Function 052A2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2D1A

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbd29e801978bab90df877f62f7c1d2968f394ee6280ae9ce228951cf2c1e0e9
Instruction ID: e512b5d15af23790e48e36bb225fadcd2b1c80fdc64d8d50181ec652affdce20
Opcode Fuzzy Hash: cbd29e801978bab90df877f62f7c1d2968f394ee6280ae9ce228951cf2c1e0e9
Instruction Fuzzy Hash: D190026A22340002E1807158584864A00198BD1342FD5D415A1056558CC99589695721

Function 052A2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2DFA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a12b58e11580c8a8d79709448b1f067c9c5886db17b2d121a457bef35a800ebd
Instruction ID: b17b866a9b2d358384226a793048046eae30c44e4b6a695ea9344cf676154c32
Opcode Fuzzy Hash: a12b58e11580c8a8d79709448b1f067c9c5886db17b2d121a457bef35a800ebd
Instruction Fuzzy Hash: 3B90027221140413E11171584944747001D8BD0381FD5C412A1465558D96D68A52A521

Function 052A2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2DDA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c9771faf5bd047add5313f89f434b5ee22a052a41a989bbaab2a03845928ff6
Instruction ID: 4465cb5532b808ef66234e00a4f08de206d7b1f2e72054502a73aadf0546b99f
Opcode Fuzzy Hash: 2c9771faf5bd047add5313f89f434b5ee22a052a41a989bbaab2a03845928ff6
Instruction Fuzzy Hash: 74900262252441526545B1584844547401A9BE03817D5C012A2455950C85A69956DA21

Function 052A2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2C6A

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 414a1838f880b0cd269e751f1e3f1f4f52504018c5c16464664c440738a1f09f
Instruction ID: 3d68173cf658dee47ff9c98274bca8fc5fd0121424d50b53924517f8fcf81462
Opcode Fuzzy Hash: 414a1838f880b0cd269e751f1e3f1f4f52504018c5c16464664c440738a1f09f
Instruction Fuzzy Hash: 0A90027221140842E10071584844B8600198BE0341F95C016A1165654D8695C9517921

Function 052A2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2C7A

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd113689a7bac2c95399399edad7d6baade294a67845079c006db008e822f8ec
Instruction ID: 22eceddf668759689d2491118442fa20ac2342cb4099abfb1a9ad4c5e8ba7096
Opcode Fuzzy Hash: dd113689a7bac2c95399399edad7d6baade294a67845079c006db008e822f8ec
Instruction Fuzzy Hash: 9F90027221148802E1107158884478A00198BD0341F99C411A5465658D86D589917521

Function 052A2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2CAA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b3cd87e421f70988286d98b0c9de32386def4eb3820eddb5a6a1488e300430ae
Instruction ID: 1d29d6f75f423e57ff95f7f1a0e4dabe95e8822c2bf5cc265c37e87df918e254
Opcode Fuzzy Hash: b3cd87e421f70988286d98b0c9de32386def4eb3820eddb5a6a1488e300430ae
Instruction Fuzzy Hash: BF90027221140402E1007598584868600198BE0341F95D011A6065555EC6E589916531

Function 052A2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2F3A

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a0170455029d309408bd843f43dda32f753d28788b85681c7e86ea3c1988b41
Instruction ID: faed344fb9c937c8e37934255b6507649f9eea3da63a1050977524822f44303b
Opcode Fuzzy Hash: 5a0170455029d309408bd843f43dda32f753d28788b85681c7e86ea3c1988b41
Instruction Fuzzy Hash: C69002A235140442E10071584854B460019CBE1341F95C015E20A5554D8699CD526526

Function 052A2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2FEA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36f7c35a4bfb11f5f197e685173fe64b6a79f3cd512a3e1a49433ff0f345796f
Instruction ID: a56271b1b67f2e192e9372bf95d2059cf5b4619287957d3ba67709afb43e9494
Opcode Fuzzy Hash: 36f7c35a4bfb11f5f197e685173fe64b6a79f3cd512a3e1a49433ff0f345796f
Instruction Fuzzy Hash: 55900262221C0042E20075684C54B4700198BD0343F95C115A1195554CC99589615921

Function 052A2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2EAA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 502fa1bb9dc25c2f2d03675c9c9f807998d001400f30655d41a467c42c1a59e4
Instruction ID: de489fc65f0b55f424b0914c0325a1952e24ddf890024a71aaa8a5a749199b76
Opcode Fuzzy Hash: 502fa1bb9dc25c2f2d03675c9c9f807998d001400f30655d41a467c42c1a59e4
Instruction Fuzzy Hash: 919002B221140402E1407158484478600198BD0341F95C011A60A5554E86D98ED56A65

Function 052A2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2B6A

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 917b018dd69a55c5261338a03099f8ec86f8865b74fba223816e78eb080629af
Instruction ID: c43b92cad412c96c11b6e7ca58b71f7705f903cfa34a7652161ff2d3ca19b8ab
Opcode Fuzzy Hash: 917b018dd69a55c5261338a03099f8ec86f8865b74fba223816e78eb080629af
Instruction Fuzzy Hash: C29002A221240003510571584854656401E8BE0341B95C021E2055590DC5A589916525

Function 052A2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2BEA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 531ff983f5db345a8e04c2b34d7517ad9c724ea0a46e9a7d1f35caac4b82e397
Instruction ID: 4f45e3b491a505602afae3973bbf29b32f22f4a76d6771ee30de07ff94fe5adc
Opcode Fuzzy Hash: 531ff983f5db345a8e04c2b34d7517ad9c724ea0a46e9a7d1f35caac4b82e397
Instruction Fuzzy Hash: 3990027221544842E14071584844A8600298BD0345F95C011A10A5694D96A58E55BA61

Function 052A2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2BFA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa7d23ae12af6e271a03dfc0545b5caf9c0c8413da8cb516a23dc2b3f954d6bd
Instruction ID: 683a2bc65fc4cc520de9bb2d1d1962934a50ca5c5ea9ddd6395db588fc1563aa
Opcode Fuzzy Hash: aa7d23ae12af6e271a03dfc0545b5caf9c0c8413da8cb516a23dc2b3f954d6bd
Instruction Fuzzy Hash: BC90027221140802E1807158484468A00198BD1341FD5C015A1066654DCA958B597BA1

Function 052A2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2ADA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bc256fc1babd0b11c1c80e4fdbdf3ef4fa9bca17696ef05801f5255f2770636
Instruction ID: b221183ca5bfb4b0d865e704f8bad04ba778761443929ff0cb863b1b6606fac9
Opcode Fuzzy Hash: 9bc256fc1babd0b11c1c80e4fdbdf3ef4fa9bca17696ef05801f5255f2770636
Instruction Fuzzy Hash: C2900266221400031105B5580B44547005A8BD5391395C021F2056550CD6A189615521

Function 052A35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A35CA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49a38b3abbcd82c0d373472d1286f455d7b31643959a237eafc3007aba132936
Instruction ID: 00844e4d47a91cce344d4478f250eba68b4e1cc819aa74a1ec78af7de1a56821
Opcode Fuzzy Hash: 49a38b3abbcd82c0d373472d1286f455d7b31643959a237eafc3007aba132936
Instruction Fuzzy Hash: 4190027261550402E1007158495474610198BD0341FA5C411A1465568D87D58A5169A2

Function 032D9050 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 032D90F8

Strings

net.dll, xrefs: 032D90C1, 032D9147, 032D911F, 032D912B, 032D9153
wininet.dll, xrefs: 032D90AE, 032D90B7

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 97f5b2742c7a20207df6cd05a41e5c5d838a2148da8c0b3e46eeee33a577d05b
Instruction ID: e411cc6b57f0550c434cfa81c86ad5cae5f887907072fe5830fa17e2763d1681
Opcode Fuzzy Hash: 97f5b2742c7a20207df6cd05a41e5c5d838a2148da8c0b3e46eeee33a577d05b
Instruction Fuzzy Hash: 743192B6510345BBC724DF64D885F67B7B8BB48B00F04811DF62AAB245DB70B690CBA8

Function 032D904F Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 79
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 032D90F8

Strings

net.dll, xrefs: 032D90C1, 032D911F, 032D912B
wininet.dll, xrefs: 032D90AE, 032D90B7

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: e35cf1b2c95ba3f46dd28145ce5870e4e25c50029406349a918782c0e7a42873
Instruction ID: 6591c93b95325c0a418961409e71c64e0c51fba64a91d911964bf6421dafa7c4
Opcode Fuzzy Hash: e35cf1b2c95ba3f46dd28145ce5870e4e25c50029406349a918782c0e7a42873
Instruction Fuzzy Hash: F521B1B5910345BBC714EF68C885F67B7B8FB48B00F14811DFA29AB285D770B690CBA4

Function 032DA640 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,032C3AF8), ref: 032DA66D

Strings

.z`, xrefs: 032DA65C, 032DA668

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 0d342376603f424f3f56a4408e4d8e7265285268bd3bba583bbd5287e32e5406
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: B4E012B5220208ABDB18EF99CC48EA777ACEF88650F018599FA085B241C631E9108AB0

Function 032C8310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 032C836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 032C838B

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
Instruction ID: 2665fb6208a01e3bc50d633051b8a2305af255e5d66006dec8f8e3ccef6c4d52
Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
Instruction Fuzzy Hash: 7401D431AA032877E720E6949C02FFE772C5F00A51F044219FF04BE1C0E6E4694542E5

Function 032DA745 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,032CF1D2,032CF1D2,?,00000000,?,?), ref: 032DA7D0

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 41da36e7b2189632b0396bdefc1b8be038fceca8c89dde02334715cc291fe110
Instruction ID: 0a46dddedac31c3d40261662f26d788fb3836f6a6c14d3ecec08a96a1f12e487
Opcode Fuzzy Hash: 41da36e7b2189632b0396bdefc1b8be038fceca8c89dde02334715cc291fe110
Instruction Fuzzy Hash: 530126B82143446FD711DF68DC80DDB7BA9EF85610F048599F8995B342C635E81687A0

Function 032DA791 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,032CF1D2,032CF1D2,?,00000000,?,?), ref: 032DA7D0

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 189592f576d2bd95a883775349b6870281d4547b84e51cc009a85d165165b5d4
Instruction ID: 3dbc83622e76c018908dbc6e3bf4ebd1bfcb83680bacd5ff3dfb6ad7ffc4db7c
Opcode Fuzzy Hash: 189592f576d2bd95a883775349b6870281d4547b84e51cc009a85d165165b5d4
Instruction Fuzzy Hash: 25012FB12103096FDB24DF58CC85EEB3BA8EF85210F1885A9FD4C5F202C635A811CBB0

Function 032CACF0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 032CAD62

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 88e36976e067ea8258b4d29ada5249b4259b2a4843ca1cd9d8507e4ba6623e2c
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: 54011EB9D5020EBBDB10EAA4DC51F9DB3789B44608F0486A9AA089B241F671EB54CB91

Function 032DA6B0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 032DA704

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: d5ee844ba5d3bfdd0b45599d26e2037f5c5f850ef8a87f54cb42207530db406c
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 9B01B2B2210208BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Function 032DA5C6 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b48fac173d6d0f0d899d53d60dada5125cb890092f4aa0e6a07ef5509b2794
Instruction ID: c8f4701ecab2b1f62cfc61b56d935624d8a3b8b550421d61fc5b23c2c3d1d661
Opcode Fuzzy Hash: 52b48fac173d6d0f0d899d53d60dada5125cb890092f4aa0e6a07ef5509b2794
Instruction Fuzzy Hash: 00F0E9B52103057FDB14DB58DC44DA7775CEF84260F044589FA5C47341D531F541C6E0

Function 032D9180 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,032CF050,?,?,00000000), ref: 032D91BC

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 3ca6a205792d7ef5e9bf1524afc8b1dc678e378c6025c1e3997efacd26045c0b
Instruction ID: f20f08740fabfeb5b19baa76a1ce6ddb7ba5a7ef375731989de9964d0ac850f2
Opcode Fuzzy Hash: 3ca6a205792d7ef5e9bf1524afc8b1dc678e378c6025c1e3997efacd26045c0b
Instruction Fuzzy Hash: 4CE092373903043AE330A599AC02FA7B39CCB81F20F140026FA0DEB2C0D9D5F44142E8

Function 032DA7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,032CF1D2,032CF1D2,?,00000000,?,?), ref: 032DA7D0

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 27b6ed9189e413fd200f233d637c85b09bec4055226257be2fcbb3c300675ba7
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 7CE01AB52102086BDB10DF49CC84EE737ADEF88650F018155FA085B241C935E8118BF5

Function 032DA600 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(032D4536,?,032D4CAF,032D4CAF,?,032D4536,?,?,?,?,?,00000000,00000000,?), ref: 032DA62D

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: b4a694f6ea8177d75c5de5a844bfd9ef503502be84e522a7b883ff53bc067812
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 22E012B5220208ABDB14EF99CC40EA777ACEF88654F118599FA085B241C631F9118AB0

Function 032CF6C7 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,032C8D14,?), ref: 032CF6FB

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 000c20c3ab78cc68b142fe19b5625fbb3675551c76b3bbe5ab95d62b1f34ffab
Instruction ID: e701c137186430f75750752cdddab0945141778d5963cb7ef7c04f658d352850
Opcode Fuzzy Hash: 000c20c3ab78cc68b142fe19b5625fbb3675551c76b3bbe5ab95d62b1f34ffab
Instruction Fuzzy Hash: 44D02B757602013AEB00FAA09D02FA625C65741682F5A0028F559EA3C3DD61D0004210

Function 032CF6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,032C8D14,?), ref: 032CF6FB

Memory Dump Source

Source File: 00000009.00000002.3516847049.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_32c0000_cmstp.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction ID: ddaa5b96d6f018678c398ed5ff23ed7a508068883e9fd8b96c3733ff130b4441
Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction Fuzzy Hash: 26D05E656603093AE610FAA59C02F2672895B44A00F5A0064F9489A2C3DDA0E0004165

Function 052A2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2C24

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 965f156ac248a80d44cc7f92a2998ba9469519b1322dce9a97ab6b0be5ad5a77
Instruction ID: 46c42bb9ec035d8f39adfbc76de48f5305d381b8cf7ae42a3fd702ec301f73f6
Opcode Fuzzy Hash: 965f156ac248a80d44cc7f92a2998ba9469519b1322dce9a97ab6b0be5ad5a77
Instruction Fuzzy Hash: 2EB09B739115D5C6FA11E7604A08B1779157FD0741F56C061D3070641E4778C1D5E575

Non-executed Functions

Function 00CA6052 Relevance: 89.9, APIs: 40, Strings: 11, Instructions: 611stringlibrarywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAF80E: GetSystemInfo.KERNEL32(?,?,00000000,00CA6088,?,00000002,00000000), ref: 00CAF81E
Part of subcall function 00CAF80E: GetVersionExW.KERNEL32(?), ref: 00CAF82E

GetCommandLineW.KERNEL32(?,00000002,00000000), ref: 00CA6090
GetModuleHandleW.KERNEL32(00000000), ref: 00CA609D
LoadLibraryExA.KERNEL32(kernel32.dll,00000000,00000800), ref: 00CA60B2
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00CA60C4
GetProcessHeap.KERNEL32(00000001,00000000,00000000), ref: 00CA60D4
GetLastError.KERNEL32 ref: 00CA60E9
FreeLibrary.KERNEL32(00000000), ref: 00CA60F0
GetLastError.KERNEL32 ref: 00CA60FC
GetCurrentProcessId.KERNEL32 ref: 00CA6124
memset.MSVCRT ref: 00CA6158
CharNextW.USER32(00000000,?,0000020A,=====================================================), ref: 00CA61D3
lstrcmpiW.KERNEL32(?,00000000,?,0000020A,=====================================================), ref: 00CA6210
CharNextW.USER32(?,00000000,?,?,?,0000020A,=====================================================), ref: 00CA624F
lstrcmpiW.KERNEL32(?,00000000,?,0000020A,=====================================================), ref: 00CA62C3
CharNextW.USER32(?,00000000,?,?,?,0000020A,=====================================================), ref: 00CA6302
CharNextW.USER32(00000000,?,0000020A,=====================================================), ref: 00CA6334
lstrcmpiW.KERNEL32(?,00000000,?,0000020A,=====================================================), ref: 00CA6378

Part of subcall function 00CAB634: LoadStringW.USER32(?,000000D2,?,00000105), ref: 00CAB6ED
Part of subcall function 00CAB634: GetPrivateProfileStringW.KERNEL32(Strings,ServiceName,00CA1110,?,00000105), ref: 00CAB70C
Part of subcall function 00CAB634: GetPrivateProfileStringW.KERNEL32(Strings,ShortSvcName,00CA1110,?,00000105), ref: 00CAB72A
Part of subcall function 00CAB634: GetPrivateProfileIntW.KERNEL32(CMAK Status,InfVersion,00000000), ref: 00CAB752
Part of subcall function 00CAB634: LoadStringW.USER32(?,0000012C,?,00000105), ref: 00CAB780
Part of subcall function 00CAB634: MessageBoxW.USER32(00000000,?,?,00000010), ref: 00CAB797

CharNextW.USER32(?,?,0000020A,=====================================================), ref: 00CA63B0
GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000000,?,?,?,0000020A,=====================================================), ref: 00CA6546
CmFree.CMUTIL(?,?,0000020A,=====================================================), ref: 00CA6599
CmFree.CMUTIL(?,?,0000020A,=====================================================), ref: 00CA65A7
CmFree.CMUTIL(?), ref: 00CA664C
CmFree.CMUTIL(?), ref: 00CA665A
FreeLibrary.KERNEL32(00000000), ref: 00CA6670
CmFree.CMUTIL(00000000), ref: 00CA667F
FreeLibrary.KERNEL32(00000000), ref: 00CA6695
CmFree.CMUTIL(00000000), ref: 00CA66A4
FreeLibrary.KERNEL32(00000000), ref: 00CA66BA
CmFree.CMUTIL(00000000), ref: 00CA66C9
FreeLibrary.KERNEL32(00000000), ref: 00CA66DF
CmFree.CMUTIL(00000000), ref: 00CA66EE
CmMalloc.CMUTIL(00000FD2), ref: 00CA672A
LoadStringW.USER32(?,000000D2,?,00000104), ref: 00CA674D
LoadStringW.USER32(?,000000C8,00000000,000007E8), ref: 00CA675F
MessageBoxW.USER32(00000000,00000000,?,00000040), ref: 00CA6771
CmFree.CMUTIL(00000000), ref: 00CA6778
GetCurrentProcessId.KERNEL32 ref: 00CA67AA
LoadStringW.USER32(?,000000D2,?,00000104), ref: 00CA6825
LoadStringW.USER32(?,000000D1,?,00000104), ref: 00CA683E
MessageBoxW.USER32(00000000,?,?,00000000), ref: 00CA6856

Strings

ProcessCmdLn - ValidSwitch is %s, xrefs: 00CA626E, 00CA6320, 00CA63EB
Cmstp.exe -- InstallInf failed with error %d (0x%lx), xrefs: 00CA6619
CMSTP.EXE -- Entering Flag Processing Loop, dwFlags = %u and szInfPath = %s, xrefs: 00CA6454
kernel32.dll, xrefs: 00CA60A9
Throwing away, first token: %s, xrefs: 00CA61E6, 00CA6299, 00CA634E
CMSTP.EXE - UNLOADING - Process ID is 0x%x , xrefs: 00CA67B1
Cmstp.exe -- Usage Error!, xrefs: 00CA6709
HeapSetInformation, xrefs: 00CA60BE
CMSTP.EXE - LOADING - Process ID is 0x%x , xrefs: 00CA612B
CProcessCmdLn::GetCmdLineArgs - Command line is %s, xrefs: 00CA616F
=====================================================, xrefs: 00CA6116, 00CA611B, 00CA613E, 00CA6797, 00CA679C, 00CA67C4

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Free$String$Load$Library$CharNext$CurrentMessagePrivateProcessProfilelstrcmpi$ErrorLast$AddressCommandDirectoryHandleHeapInfoLineMallocModuleProcSystemVersionmemset
String ID: CMSTP.EXE - LOADING - Process ID is 0x%x $ CMSTP.EXE - UNLOADING - Process ID is 0x%x $=====================================================$CMSTP.EXE -- Entering Flag Processing Loop, dwFlags = %u and szInfPath = %s$CProcessCmdLn::GetCmdLineArgs - Command line is %s$Cmstp.exe -- InstallInf failed with error %d (0x%lx)$Cmstp.exe -- Usage Error!$HeapSetInformation$ProcessCmdLn - ValidSwitch is %s$Throwing away, first token: %s$kernel32.dll
API String ID: 3103637246-2018170306
Opcode ID: d4ad156167fdf410afb493868e200f26fa098793352de3a0265f293722e802bc
Instruction ID: 03e2f8f7524a2d83f7ed24a1d785f7d4915584ca8a5ebb3da6c0d242ed46e034
Opcode Fuzzy Hash: d4ad156167fdf410afb493868e200f26fa098793352de3a0265f293722e802bc
Instruction Fuzzy Hash: A022C071208302AFD7209F24DC45B6FBBB9EF8A708F184629F59693261DB30DE41CB52

Function 00CA894B Relevance: 56.3, APIs: 14, Strings: 18, Instructions: 323fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CA897D
memset.MSVCRT ref: 00CA898F
memset.MSVCRT ref: 00CA89A1
SHGetFolderPathW.SHELL32(00000000,00000028,00000000,00000001,?,?,?,?,?,?,?,00000105,?,00000000), ref: 00CA89B6
memset.MSVCRT ref: 00CA8A07
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00000105,?), ref: 00CA8A22
CmFree.CMUTIL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?), ref: 00CA8AAE
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CA8B37
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00CA8B44
memset.MSVCRT ref: 00CA8BFF
memset.MSVCRT ref: 00CA8CAD
memset.MSVCRT ref: 00CA8AD5

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000105,?,00000000), ref: 00CA8D9B

Strings

StringCchPrintEx on szHiddenCmpFile failed, xrefs: 00CA8D3B
Microsoft\Network\Connections\_hiddencm, xrefs: 00CA8C10, 00CA8CBE
%s\%s\%s\%s\%s.cmp, xrefs: 00CA8CD2
StringCchLength failed with Error %x, xrefs: 00CA89E1
SHGetFolderPath failed with Error: %x, xrefs: 00CA8A2D
Error - DeleteFolderRecursively for file: %d, xrefs: 00CA8D24
Something seriously wrong. The appdata folder is outside User Profile!!, xrefs: 00CA8D6D
StringCchPrintEx on szHiddenProfile failed, xrefs: 00CA8C8D
Folder - %s, xrefs: 00CA8BE1
TO DELETE - CMP File : %s, xrefs: 00CA8CFF
Documents Path: %s, xrefs: 00CA8ABB
SHGetFolderPath failed with Error %x, xrefs: 00CA8D82
szFindPath: %s, xrefs: 00CA8B16
%s\*, xrefs: 00CA8AE1
%s\%s\%s\%s\%s, xrefs: 00CA8C24
TO DELETE - Profile Folder: %s, xrefs: 00CA8C51
StringCchLength failed with Error: %x, xrefs: 00CA8A4B
Error - DeleteFolderRecursively for folder: %d, xrefs: 00CA8C76

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: memset$ByteCharFindFolderFreeLocalMultiPathWide$AllocCloseErrorFileFirstLastlstrlen
String ID: %s\%s\%s\%s\%s$%s\%s\%s\%s\%s.cmp$%s\*$Documents Path: %s$Error - DeleteFolderRecursively for file: %d$Error - DeleteFolderRecursively for folder: %d$Folder - %s$Microsoft\Network\Connections\_hiddencm$SHGetFolderPath failed with Error %x$SHGetFolderPath failed with Error: %x$Something seriously wrong. The appdata folder is outside User Profile!!$StringCchLength failed with Error %x$StringCchLength failed with Error: %x$StringCchPrintEx on szHiddenCmpFile failed$StringCchPrintEx on szHiddenProfile failed$TO DELETE - CMP File : %s$TO DELETE - Profile Folder: %s$szFindPath: %s
API String ID: 3311909984-2541312914
Opcode ID: ebe7318a95c1498a95b5f7936fba25f6fb4c8a32acf04584edfad1e6e176299b
Instruction ID: b7eeb9f31084dd67e1d4131e3ff636a1b44f954d948b8de99193489f79972e35
Opcode Fuzzy Hash: ebe7318a95c1498a95b5f7936fba25f6fb4c8a32acf04584edfad1e6e176299b
Instruction Fuzzy Hash: 11B1E371A4021BABDB209B24DC46FEE737CEB16708F5401A5F905E20D1EF719E89DB60

Function 00CAA6EE Relevance: 40.6, APIs: 15, Strings: 8, Instructions: 333stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB02F8: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00CB0321

Part of subcall function 00CAF80E: GetSystemInfo.KERNEL32(?,?,00000000,00CA6088,?,00000002,00000000), ref: 00CAF81E
Part of subcall function 00CAF80E: GetVersionExW.KERNEL32(?), ref: 00CAF82E

GetPrivateProfileIntW.KERNEL32(CMAK Status,IncludeCMCode,00000000,000000D2), ref: 00CAA764

Part of subcall function 00CA841A: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Connection Manager\Mappings,00000000,00020019,00000105,00000001,?,?,?,00CAA7F4,?,?,?,?,00CAB8BC,?), ref: 00CA8438
Part of subcall function 00CA841A: RegQueryInfoKeyW.ADVAPI32(00000105,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00CAA7F4), ref: 00CA8453
Part of subcall function 00CA841A: RegCloseKey.ADVAPI32(00000105,?,?,?,00CAA7F4,?,?,?,?,00CAB8BC,?,?,00000000,?,00000000), ref: 00CA8466

GetPrivateProfileIntW.KERNEL32(CmDial32.Dll,Build,4A610000,000000D2), ref: 00CAA786
GetPrivateProfileIntW.KERNEL32(CmDial32.Dll,Version,00070002,000000D2), ref: 00CAA7A2
LoadStringW.USER32(?,000000E7,?,00000209), ref: 00CAA7E2
LoadStringW.USER32(?,000000D8,?,00000209), ref: 00CAA896
lstrlenW.KERNEL32(cmstp.exe,?,?,?,?,00CAB8BC,?,?,00000000,?,00000000), ref: 00CAA94D
lstrlenW.KERNEL32(?,?,?,?,00CAB8BC,?,?,00000000,?,00000000), ref: 00CAA95C
lstrlenW.KERNEL32(?,?,?,?,00CAB8BC,?,?,00000000,?,00000000), ref: 00CAA96B
LoadStringW.USER32(?,000000ED,?,00000208), ref: 00CAAA3D
LoadStringW.USER32(?,000000DA,?,00000208), ref: 00CAAACB
MessageBoxW.USER32(00000000,?,?,00000134), ref: 00CAAAE5
LoadStringW.USER32(?,000000D0,?,00000104), ref: 00CAAB2C
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CAAB62
LoadStringW.USER32(?,000000CF,?,00000209), ref: 00CAAB96
MessageBoxW.USER32(00000000,?,?,00000000), ref: 00CAABA6

Strings

CMAK Status, xrefs: 00CAA75F
cmstp.exe, xrefs: 00CAA947, 00CAA94C, 00CAA97E
IncludeCMCode, xrefs: 00CAA75A
%s%s%s, xrefs: 00CAA992
Version, xrefs: 00CAA792
Build, xrefs: 00CAA77C
%u.%u.%u.%u, xrefs: 00CAA85F
CmDial32.Dll, xrefs: 00CAA781, 00CAA797

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: LoadString$PrivateProfileSystemlstrlen$DirectoryInfoMessage$CloseOpenQueryVersion
String ID: %s%s%s$%u.%u.%u.%u$Build$CMAK Status$CmDial32.Dll$IncludeCMCode$Version$cmstp.exe
API String ID: 1075542838-2152694038
Opcode ID: 41e30bbb07bb08a0e746db09f3cd529ed4d1910c006643121f39295ca176dee7
Instruction ID: b26bb21ffdcb8cfb2f6e4c71dd26a2ad58f2ebc30acf6b5db47c6429ba17ade5
Opcode Fuzzy Hash: 41e30bbb07bb08a0e746db09f3cd529ed4d1910c006643121f39295ca176dee7
Instruction Fuzzy Hash: 2AC18371A4026A9BDB30DB64DC85FEEB3BCEB4A744F1040A6F919A2181D7709F80CF61

Function 00CA5DEC Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 177registrylibraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CA5E21
GetPrivateProfileStringW.KERNEL32(Strings,Allow32bit,00CA1110,?,00000002,?), ref: 00CA5E48
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00CA5E53
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00CA5E6A
GetCurrentProcess.KERNEL32(?), ref: 00CA5E81
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE,00000000,00020019,?), ref: 00CA5F29
RegQueryValueExW.ADVAPI32(?,CmstpExtensionDll,00000000,?,?,?), ref: 00CA5F64
RegCloseKey.ADVAPI32(?), ref: 00CA5F72
GetProcAddress.KERNEL32(?,CmstpExtensionProc2), ref: 00CA5FAF
GetProcAddress.KERNEL32(?,CmstpExtensionProc), ref: 00CA5FC9
FreeLibrary.KERNEL32(?), ref: 00CA6045

Strings

Allow32bit, xrefs: 00CA5E3E
kernel32.dll, xrefs: 00CA5E4E
CmstpExtensionDll, xrefs: 00CA5F59
Strings, xrefs: 00CA5E43
CmstpExtensionProc2, xrefs: 00CA5FA9
cmcfg32.dll, xrefs: 00CA5ED7
CmstpExtensionProc, xrefs: 00CA5FC3
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE, xrefs: 00CA5F1F
IsWow64Process, xrefs: 00CA5E64

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: AddressProc$CloseCurrentFreeHandleLibraryModuleOpenPrivateProcessProfileQueryStringValuememset
String ID: Allow32bit$CmstpExtensionDll$CmstpExtensionProc$CmstpExtensionProc2$IsWow64Process$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE$Strings$cmcfg32.dll$kernel32.dll
API String ID: 2712949887-1332449732
Opcode ID: 0aef178b2e126dab698d6857df2d0e851ccf7d307ceadcf676c4dde9c30e83af
Instruction ID: b2ec477bf1bef24bb62bfeca1217d2858be459e9787561d88fa6994390658f10
Opcode Fuzzy Hash: 0aef178b2e126dab698d6857df2d0e851ccf7d307ceadcf676c4dde9c30e83af
Instruction Fuzzy Hash: DC51C475A4162AAFCB209FA1DC8CBEEB6B8EF55748F0441A5F905E2250D7349F80CF50

Function 00CACAB4 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 216registryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CACB46
memset.MSVCRT ref: 00CACBA2
GetPrivateProfileStringW.KERNEL32(Strings,DesktopGUID,00CA1110,?,00000104,?), ref: 00CACBCC

Part of subcall function 00CAEC40: memset.MSVCRT ref: 00CAEC59
Part of subcall function 00CAEC40: memset.MSVCRT ref: 00CAEC80
Part of subcall function 00CAEC40: memset.MSVCRT ref: 00CAEC91
Part of subcall function 00CAEC40: memset.MSVCRT ref: 00CAECA2
Part of subcall function 00CAEC40: CharNextW.USER32(00CAA51E,00CAA51E,00CAA51E,00CAA51E,00000900,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00CAED6B
Part of subcall function 00CAEC40: CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00CAED75

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 00CACCBC
RegDeleteValueW.ADVAPI32(?,DisplayName), ref: 00CACCD1
RegDeleteValueW.ADVAPI32(?,UninstallString), ref: 00CACCEA
RegCloseKey.ADVAPI32(?), ref: 00CACCFD
CmFree.CMUTIL(00000000,00000000,00000001), ref: 00CACDA7

Strings

%s\%s%s, xrefs: 00CACB5F
%s\%s, xrefs: 00CACBED, 00CACC7C
%s%s%s\%s%s, xrefs: 00CACB09
DisplayName, xrefs: 00CACCC6
DesktopGUID, xrefs: 00CACBC2
.inf, xrefs: 00CACAEE, 00CACB4C
Strings, xrefs: 00CACBC7
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace, xrefs: 00CACBE8
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00CACC77
UninstallString, xrefs: 00CACCD9
CLSID\%s, xrefs: 00CACC31

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: memset$CharDeleteNextValue$CloseDirectoryFreeOpenPrivateProfileStringSystem
String ID: %s%s%s\%s%s$%s\%s$%s\%s%s$.inf$CLSID\%s$DesktopGUID$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace$Strings$UninstallString
API String ID: 4069408614-1133111835
Opcode ID: f70a520cef0d4a0e75c9669ffbd0dcc0fabdc319d8960a7dcc9eda7e1203d85a
Instruction ID: 5c37586dbea01b8af37c35178930349e212ae18d3224f1e01a058869e7191e90
Opcode Fuzzy Hash: f70a520cef0d4a0e75c9669ffbd0dcc0fabdc319d8960a7dcc9eda7e1203d85a
Instruction Fuzzy Hash: 49717671B8031EABEB50D660CC86FEE73BCAB45708F4041B5B609E61D1EEB49B948F50

Function 00CAB3C4 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 192fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CAB404
GetPrivateProfileStringW.KERNEL32(Strings,Allow32bit,00CA1110,?,00000002,?), ref: 00CAB453
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAB4A5
memset.MSVCRT ref: 00CAB571
FindNextFileW.KERNEL32(00000000,00000010,?,?,?,?,?,?,?,?,?,?), ref: 00CAB60C

Strings

cmd.exe, xrefs: 00CAB5B2, 00CAB5EE
Allow32bit, xrefs: 00CAB449
/k certutil.exe -f -enterprise -v -addstore Root "%s", xrefs: 00CAB580
.cer, xrefs: 00CAB4EB
Strings, xrefs: 00CAB44E
%s\%s\%s, xrefs: 00CAB53E
%s\%s\*, xrefs: 00CAB410

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: FileFindmemset$FirstNextPrivateProfileString
String ID: %s\%s\%s$%s\%s\*$.cer$/k certutil.exe -f -enterprise -v -addstore Root "%s"$Allow32bit$Strings$cmd.exe
API String ID: 3263955703-3700740230
Opcode ID: 2de20aa67e7bcca1ddcfcf38417f851fb0d848b7198339e9ffa2a556fb91b8ce
Instruction ID: a517c3807737cf6cfd39b6212281a08c28f3776b6b50118afa03859a2cc730c0
Opcode Fuzzy Hash: 2de20aa67e7bcca1ddcfcf38417f851fb0d848b7198339e9ffa2a556fb91b8ce
Instruction Fuzzy Hash: A35106B1E4121B6AEB24AA60CC46FFB73A8DB56728F0545A5FD09E7143E770DF808760

Function 00CA8DB2 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88librarymemoryloaderCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(000000D2,?,0000000B,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000D2), ref: 00CA8E03
GetModuleHandleA.KERNEL32(advapi32.dll,00000000,?,?,?,?,000000D2), ref: 00CA8E14
LoadLibraryExA.KERNEL32(advapi32.dll,00000000,00000000,?,?,?,?,000000D2), ref: 00CA8E23
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00CA8E35
FreeSid.ADVAPI32(?,?,?,?,?,000000D2), ref: 00CA8E5D
FreeLibrary.KERNEL32(00000000,?,?,?,000000D2), ref: 00CA8E69

Strings

CheckTokenMembership, xrefs: 00CA8E2F
advapi32.dll, xrefs: 00CA8E0E, 00CA8E13, 00CA8E22

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateHandleInitializeLoadModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2973883830-1888249752
Opcode ID: ae1568a685b5f932aff880f50f2489fd610956d937b8611f789bdee60d14d9b4
Instruction ID: a85d49f5629f44c10765e98ec37fd44c33bc7414ffb2accf60009522632fded4
Opcode Fuzzy Hash: ae1568a685b5f932aff880f50f2489fd610956d937b8611f789bdee60d14d9b4
Instruction Fuzzy Hash: 95218076D0021AAF9B119B69EC84EBFB7BDEF85754B050629B812E3250DB34DF048A70

Function 00CB0FE7 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 00CB0DE1: lstrlenA.KERNEL32(00000000,?,00CB1021,00000000,00000000,00000000,00000000,000003F2,00000000), ref: 00CB0E1E

GetLastError.KERNEL32(?), ref: 00CB10BB

Strings

CCryptFunctions::DecryptDataWithKey - Math overflow detected. Bailing out..., xrefs: 00CB1149
DecryptDataWithKey: not enough buffer = %d bytes, xrefs: 00CB1113

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: ErrorLastlstrlen
String ID: CCryptFunctions::DecryptDataWithKey - Math overflow detected. Bailing out...$DecryptDataWithKey: not enough buffer = %d bytes
API String ID: 8355439-135248520
Opcode ID: 9fecd2baa50c50e924a92f4b6a801c8c6543734f2c59838d7f62bee2d751f967
Instruction ID: e9c1f42392e6165b0a7ab50b75b17ec33ff17a80a26712e3becb972d983bd82b
Opcode Fuzzy Hash: 9fecd2baa50c50e924a92f4b6a801c8c6543734f2c59838d7f62bee2d751f967
Instruction Fuzzy Hash: D2416F75A00206EFCB14AF69ECA8BAE7BB5FF44701F544128FD16A7290C7309E41DB50

Function 00CB1945 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00CB1972
GetCurrentProcessId.KERNEL32 ref: 00CB1981
GetCurrentThreadId.KERNEL32 ref: 00CB198A
GetTickCount.KERNEL32 ref: 00CB1993
QueryPerformanceCounter.KERNEL32(?), ref: 00CB19A8

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 97f2b8e0bd36ea23e5507f1f51dc9fc436421dae5c7df1979d321e6be5dd789e
Instruction ID: 12f6e2ff2084aae97f6f32c0c8e583f9cc64bd625c2b74fe20d3c0f1e243bed1
Opcode Fuzzy Hash: 97f2b8e0bd36ea23e5507f1f51dc9fc436421dae5c7df1979d321e6be5dd789e
Instruction Fuzzy Hash: 28111875E01258EFCB10EBB8EA5879EBBF4EF48311F954966E902E7250E6309B00CB40

Function 00CB14D0 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00CB1606,00CA1000), ref: 00CB14D7
UnhandledExceptionFilter.KERNEL32(00CB1606,?,00CB1606,00CA1000), ref: 00CB14E0
GetCurrentProcess.KERNEL32(C0000409,?,00CB1606,00CA1000), ref: 00CB14EB
TerminateProcess.KERNEL32(00000000,?,00CB1606,00CA1000), ref: 00CB14F2

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 3c894d86ecba3548ec419088a883845e4a24ce5a5508115d51275b35d635d379
Instruction ID: 1d4247ed5ea8e7fa0c70de64ec335d9948578d069ae9ae8909d265aaa2bb601f
Opcode Fuzzy Hash: 3c894d86ecba3548ec419088a883845e4a24ce5a5508115d51275b35d635d379
Instruction Fuzzy Hash: C3D0C932448189BBCB003BE1FE0EB4D3E28EF44212F050110F70982020EA3156018B55

Function 00CA99C0 Relevance: 61.5, APIs: 32, Strings: 3, Instructions: 258windowregistryCOMMON

Download Yara Rule

APIs

CheckRadioButton.USER32(?,00000065,00000066,00000066), ref: 00CA9A33
GetDlgItem.USER32(?,00000066), ref: 00CA9A3D
SetFocus.USER32(00000000), ref: 00CA9A44

Part of subcall function 00CA90D5: CoUninitialize.OLE32(?,00CAB7BF,?,00CA6609,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,0000020A), ref: 00CA9126

CheckRadioButton.USER32(?,00000065,00000066,00000066), ref: 00CA9A75
GetDlgItem.USER32(?,00000066), ref: 00CA9A7D
SetFocus.USER32(00000000), ref: 00CA9A84
CheckRadioButton.USER32(?,00000065,00000066,00000065), ref: 00CA9A97
GetDlgItem.USER32(?,00000066), ref: 00CA9AA7
SetFocus.USER32(00000000), ref: 00CA9AAE
IsDlgButtonChecked.USER32(?,00000065), ref: 00CA9AC6
IsDlgButtonChecked.USER32(?,0000006A), ref: 00CA9AD7
RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Network\Network Connections,00000000,00000000,00000000,00020006,00000000,?,?), ref: 00CA9B01
IsDlgButtonChecked.USER32(?,0000006A), ref: 00CA9B0E
RegSetValueExW.ADVAPI32(?,DesktopShortcut,00000000,00000004,?,00000004), ref: 00CA9B29
RegCloseKey.ADVAPI32(?), ref: 00CA9B32
EndDialog.USER32(?,00000000), ref: 00CA9B3A
CheckDlgButton.USER32(?,0000006A,00000000), ref: 00CA9B8A
SetWindowTextW.USER32(?,?), ref: 00CA9BF6
CheckRadioButton.USER32(?,00000065,00000066,00000065), ref: 00CA9C12
GetDlgItem.USER32(?,00000066), ref: 00CA9C2B
SetFocus.USER32(00000000), ref: 00CA9C36
GetOSVersion.CMUTIL ref: 00CA9C3C
GetOSMajorVersion.CMUTIL ref: 00CA9C47
GetDlgItem.USER32(?,0000006C), ref: 00CA9C55
GetOSVersion.CMUTIL ref: 00CA9C72
GetOSMajorVersion.CMUTIL ref: 00CA9C7D
GetDlgItem.USER32(?,0000006C), ref: 00CA9C8D

Strings

Software\Microsoft\Windows NT\CurrentVersion\Network\Network Connections, xrefs: 00CA9AF7, 00CA9BA3
DesktopShortcut, xrefs: 00CA9B21, 00CA9BD0
StringCchCopy failed with error: 0x%x, xrefs: 00CA9B6E

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Button$Item$Check$FocusRadioVersion$Checked$Major$CloseCreateDialogTextUninitializeValueWindow
String ID: DesktopShortcut$Software\Microsoft\Windows NT\CurrentVersion\Network\Network Connections$StringCchCopy failed with error: 0x%x
API String ID: 4111633905-571462050
Opcode ID: 5b1d9dd3d04fbb48b2f0db43c9233eccb176fe5b81b02e4503d31ac167bc5e03
Instruction ID: d1608327fb64346834378728d253090c85dec0070c2c19e5f9bffdbddf43c4ad
Opcode Fuzzy Hash: 5b1d9dd3d04fbb48b2f0db43c9233eccb176fe5b81b02e4503d31ac167bc5e03
Instruction Fuzzy Hash: F7818F71604256BBDB306BA9AC4EFAF7F6DEF06769F000615F506D50A0DA318B40DB60

Function 00CA7B5A Relevance: 49.4, APIs: 12, Strings: 16, Instructions: 361COMMON

Download Yara Rule

APIs

Part of subcall function 00CAF80E: GetSystemInfo.KERNEL32(?,?,00000000,00CA6088,?,00000002,00000000), ref: 00CAF81E
Part of subcall function 00CAF80E: GetVersionExW.KERNEL32(?), ref: 00CAF82E

memset.MSVCRT ref: 00CA7C07
memset.MSVCRT ref: 00CA7C19
GetPrivateProfileIntW.KERNEL32(Connection Manager,Dialup,00000001,?), ref: 00CA7C52
GetPrivateProfileIntW.KERNEL32(Connection Manager,Direct,00000001,?), ref: 00CA7C6D
GetPrivateProfileIntW.KERNEL32(Connection Manager,ConnectionType,00000000,?), ref: 00CA7C8D

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

CmMalloc.CMUTIL(00001618,?,?,00000001,?,?,00000900,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CA7D6A
memset.MSVCRT ref: 00CA7E58
CmFree.CMUTIL(?,?,?,00000900,?,?,?,00000900,?,?,?,00000900,?,?,00000900), ref: 00CA7F76
memset.MSVCRT ref: 00CA7F99
CmFree.CMUTIL(00000000,?,?,00000900,?,?,?,00000900,?,?,?,00000900,?,?,00000900), ref: 00CA8021

Strings

<NULL>, xrefs: 00CA7BB9, 00CA7BBE
Direct, xrefs: 00CA7C63
*******Writing szDeviceType - %s and szDeviceName %s, xrefs: 00CA7D51
.cmp, xrefs: 00CA7E22
%s%s, xrefs: 00CA7DCA
WriteCmPhonebookEntry() - RasSetEntryProperties failed with error %d, xrefs: 00CA8031
Unavailable device (), xrefs: 00CA7D29
modem, xrefs: 00CA7D0A
*******Failed to pick a dial-up device!!!!, xrefs: 00CA7CAE
WriteCmPhonebookEntry failed to alloc mem, xrefs: 00CA7D8C
ConnectionType, xrefs: 00CA7C83, 00CA7E40
*******Failed to pick a VPN device!!!!, xrefs: 00CA7CEB
%windir%\system32\cmdial32.dll, xrefs: 00CA7C2D
Dialup, xrefs: 00CA7C48
WriteCmPhonebookEntry() - szLongServiceName is %s, szFullPathtoPBK is %s, xrefs: 00CA7BC0
Connection Manager, xrefs: 00CA7C4D, 00CA7C68, 00CA7C88, 00CA7E45

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: memset$FreePrivateProfile$ByteCharLocalMultiWide$AllocInfoMallocSystemVersionlstrlen
String ID: %s%s$%windir%\system32\cmdial32.dll$*******Failed to pick a VPN device!!!!$*******Failed to pick a dial-up device!!!!$*******Writing szDeviceType - %s and szDeviceName %s$.cmp$<NULL>$Connection Manager$ConnectionType$Dialup$Direct$Unavailable device ()$WriteCmPhonebookEntry failed to alloc mem$WriteCmPhonebookEntry() - RasSetEntryProperties failed with error %d$WriteCmPhonebookEntry() - szLongServiceName is %s, szFullPathtoPBK is %s$modem
API String ID: 3464910354-2583153358
Opcode ID: 7bd0f4475c2401606d19c7e15852bbefd1b0a5c589778042a94eebf60196f60c
Instruction ID: 8febbd810ddeae28f160ce38a5386a5eab9bb9b474e894d026993ae77ef484c5
Opcode Fuzzy Hash: 7bd0f4475c2401606d19c7e15852bbefd1b0a5c589778042a94eebf60196f60c
Instruction Fuzzy Hash: ACC171B1941359AFEB249B20CC45FEF77B9EF45708F1405A9F909B2180EB706E85DB60

Function 00CA9248 Relevance: 47.6, APIs: 18, Strings: 9, Instructions: 323libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CA92A2
LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,00000000,00000000), ref: 00CA92C9
GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 00CA92DF
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 00CA92ED
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 00CA92FF
GetProcAddress.KERNEL32(00000000,FreeSid), ref: 00CA9311
GetProcAddress.KERNEL32(00000000,BuildTrusteeWithSidW), ref: 00CA931F
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00CA9331
GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 00CA9340
GetCurrentProcess.KERNEL32(00020008,?), ref: 00CA9448
CmMalloc.CMUTIL(00000000), ref: 00CA94AA
CloseHandle.KERNEL32(00000000), ref: 00CA9507
GetLastError.KERNEL32 ref: 00CA95FF
GetLastError.KERNEL32 ref: 00CA9607
GetLastError.KERNEL32 ref: 00CA9625
CmFree.CMUTIL(?), ref: 00CA9645
LocalFree.KERNEL32(00000000), ref: 00CA96B1
FreeLibrary.KERNEL32(00000000), ref: 00CA96BC

Strings

SetEntriesInAclW, xrefs: 00CA92E5
SetNamedSecurityInfoW, xrefs: 00CA92F3
advapi32.dll, xrefs: 00CA92C4
FreeSid, xrefs: 00CA9305
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CMEXCEPT, xrefs: 00CA95EA
GetTokenInformation, xrefs: 00CA9337
OpenProcessToken, xrefs: 00CA9325
AllocateAndInitializeSid, xrefs: 00CA92D9
BuildTrusteeWithSidW, xrefs: 00CA9317

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: AddressProc$ErrorFreeLast$Library$CloseCurrentHandleLoadLocalMallocProcessmemset
String ID: AllocateAndInitializeSid$BuildTrusteeWithSidW$FreeSid$GetTokenInformation$MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CMEXCEPT$OpenProcessToken$SetEntriesInAclW$SetNamedSecurityInfoW$advapi32.dll
API String ID: 4000403568-2528121261
Opcode ID: bc7ee50f06b68216451112c6f0369a16ab1bbfe4d70d0aed65822f2f5c69d732
Instruction ID: cff110c695604ed210f58465d00b07b3487bb7e49afabdfef11ce6435920fc3d
Opcode Fuzzy Hash: bc7ee50f06b68216451112c6f0369a16ab1bbfe4d70d0aed65822f2f5c69d732
Instruction Fuzzy Hash: 4BC14D71D40229EBDB219F64CD89BADBBB8FF05709F0041A9E909E7291DB709E84CF51

Function 00CA73A4 Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 280stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAF80E: GetSystemInfo.KERNEL32(?,?,00000000,00CA6088,?,00000002,00000000), ref: 00CAF81E
Part of subcall function 00CAF80E: GetVersionExW.KERNEL32(?), ref: 00CAF82E

CmMalloc.CMUTIL(00000418,?,00000000,00000000,?,00000105,?,00000000,?,00CAE2EB,?,00000001,?,?), ref: 00CA744B
CmFree.CMUTIL(00000000,00000001,?,?), ref: 00CA74B1
lstrlenW.KERNEL32(?,00000001,?,?), ref: 00CA74F3
lstrcmpW.KERNEL32(?,?,00000004,?,?,00000900), ref: 00CA7590
memset.MSVCRT ref: 00CA75AB
memset.MSVCRT ref: 00CA7607

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

CmFree.CMUTIL(00000000,?,00000000,?,00CAE2EB,?,00000001,?,?), ref: 00CA776B

Strings

RemovePhonebookEntry -- RasSetEntryProperties failed on entry %s in %s, dwRet = %u, xrefs: 00CA766F
RemovePhonebookEntry -- RasEnumEntries successful, %u entries enumerated., xrefs: 00CA74DA
RemovePhonebookEntry -- Unable to get RAS apis., xrefs: 00CA7420
RemovePhonebookEntry -- RasEnumEntries Failed, dwRet == %u, xrefs: 00CA778E
RemovePhonebookEntry -- Invalid Parameter passed in., xrefs: 00CA77A3
(null), xrefs: 00CA752E, 00CA7533, 00CA7667, 00CA766D, 00CA7698, 00CA769D, 00CA76E9, 00CA76EF, 00CA7713, 00CA7718
RemovePhonebookEntry -- RasEnumEntries returned %s in %s, xrefs: 00CA7538
RemovePhonebookEntry -- RasDeleteEntry failed on entry %s in %s, dwRet = %u, xrefs: 00CA76F1
RemovePhonebookEntry -- RasEnumEntries said our buffer was too small, New Size=%u, xrefs: 00CA749D
RemovePhonebookEntry -- Deleted entry %s in %s, xrefs: 00CA771A
RemovePhonebookEntry -- Clearing CustomDialDll setting with RasSetEntryProperties on entry %s in %s, xrefs: 00CA769F

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Freememset$ByteCharLocalMultiWidelstrlen$AllocInfoMallocSystemVersionlstrcmp
String ID: RemovePhonebookEntry -- Clearing CustomDialDll setting with RasSetEntryProperties on entry %s in %s$RemovePhonebookEntry -- Deleted entry %s in %s$RemovePhonebookEntry -- RasDeleteEntry failed on entry %s in %s, dwRet = %u$RemovePhonebookEntry -- RasSetEntryProperties failed on entry %s in %s, dwRet = %u$RemovePhonebookEntry -- RasEnumEntries returned %s in %s$(null)$RemovePhonebookEntry -- Invalid Parameter passed in.$RemovePhonebookEntry -- RasEnumEntries Failed, dwRet == %u$RemovePhonebookEntry -- RasEnumEntries said our buffer was too small, New Size=%u$RemovePhonebookEntry -- RasEnumEntries successful, %u entries enumerated.$RemovePhonebookEntry -- Unable to get RAS apis.
API String ID: 1551382554-4217847784
Opcode ID: 7f305bfba6f6b771679939234339a4cbc3fd45d99212df8b95d9eb2f825aba9c
Instruction ID: 98a226b4391d81a2b1a630f583725ec03026ee725415bb64b8934ad6f2494ccd
Opcode Fuzzy Hash: 7f305bfba6f6b771679939234339a4cbc3fd45d99212df8b95d9eb2f825aba9c
Instruction Fuzzy Hash: B2A1E671D4421AAFDB21DB14DC85BEE73B8FF41309F4402A6F90AA6291DB705E80DFA1

Function 00CACDC0 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 178registrystringfileCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00CAD507,00000104), ref: 00CACE03

Part of subcall function 00CB02B1: CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00CB0358), ref: 00CB02C9
Part of subcall function 00CB02B1: GetFileType.KERNEL32(00000000,?,?,?,?,?,?,?,000000D2,000000D2,?,00000105,?,00CA6609,00000000,00000000), ref: 00CB02D8
Part of subcall function 00CB02B1: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,000000D2,000000D2,?,00000105,?,00CA6609,00000000,00000000,00000000), ref: 00CB02E8

CopyFileW.KERNEL32(?,?,00000000), ref: 00CACECF
lstrcmpiW.KERNEL32(00CAD507,?,?,?,?,?,?,?,?,?), ref: 00CACF20
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,000F003F,?,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE,?,?,00000900), ref: 00CACF62
lstrlenW.KERNEL32(?,?,?,00000900,?,?,?,?,?,?,?,?), ref: 00CACF77
RegSetValueExW.ADVAPI32(?,OldPath,00000000,00000001,?,00000000,?,?,00000900), ref: 00CACF9B
memset.MSVCRT ref: 00CACFB2
LoadStringW.USER32(?,000000D2,?,00000104), ref: 00CACFD1
RegDeleteValueW.ADVAPI32(?,OldPath,Remove,?,00000001,?,?,00000900,?,?,?,?,?,?,?,?), ref: 00CACFF9
RegCloseKey.ADVAPI32(?,?,?,00000900,?,?,?,?,?,?,?,?), ref: 00CAD008

Strings

%sinstcm.inf, xrefs: 00CACE26, 00CACE77
%sremovecm.inf, xrefs: 00CACE4D, 00CACE9E
Remove, xrefs: 00CACFE2
OldPath, xrefs: 00CACF7D, 00CACF94, 00CACFF2
%s%s, xrefs: 00CACEFC
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE, xrefs: 00CACF37

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: File$CloseValue$CopyCreateDeleteDirectoryHandleLoadOpenStringSystemTypelstrcmpilstrlenmemset
String ID: %s%s$%sinstcm.inf$%sremovecm.inf$OldPath$Remove$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE
API String ID: 4110044689-4000150000
Opcode ID: 469349896f09aa3e4379ecbe9a0bfb47903baac0898d10a5e66040ef00c52a28
Instruction ID: f2faeca23bc3ae5995e8932fd6048f4fc4f36b959696dc88f09916e6f9016c48
Opcode Fuzzy Hash: 469349896f09aa3e4379ecbe9a0bfb47903baac0898d10a5e66040ef00c52a28
Instruction Fuzzy Hash: 455186B1A412197FEB20AB61DC4AFEF777CEF45744F4000A5B50AE6091EA709F94DBA0

Function 00CAD599 Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 168registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CAD5C2
GetCurrentDirectoryW.KERNEL32(00000104,?,00000004,00000000,00000000), ref: 00CAD5D6
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Connection Manager\Mappings,00000000,000F003F,?,00CA13E0), ref: 00CAD619
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 00CAD775
RegCloseKey.ADVAPI32(?), ref: 00CAD789
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000002,?), ref: 00CAD7BC
RegDeleteValueW.ADVAPI32(?,Connection Manager Profiles Upgrade), ref: 00CAD7DD
RegCloseKey.ADVAPI32(?), ref: 00CAD7E9

Strings

MigrateCmProfilesForWin2kUpgrade -- MigratePhonebookEntry for profile %s failed. Cmp path is %s, xrefs: 00CAD697
MigrateCmProfilesForWin2kUpgrade -- UpdateProfileDesktopIconsOnNT5 for profile %s failed. Cmp path is %s, xrefs: 00CAD6D0
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00CAD7B2
SOFTWARE\Microsoft\Connection Manager\Mappings, xrefs: 00CAD60F
MigrateCmProfilesForWin2kUpgrade -- RemoveOldCmInstalls for profile %s failed. Cmp path is %s, xrefs: 00CAD725
No CM mappings key to migrate., xrefs: 00CAD791
Connection Manager Profiles Upgrade, xrefs: 00CAD7D2

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: CloseOpenValue$CurrentDeleteDirectoryEnummemset
String ID: Connection Manager Profiles Upgrade$MigrateCmProfilesForWin2kUpgrade -- MigratePhonebookEntry for profile %s failed. Cmp path is %s$MigrateCmProfilesForWin2kUpgrade -- RemoveOldCmInstalls for profile %s failed. Cmp path is %s$MigrateCmProfilesForWin2kUpgrade -- UpdateProfileDesktopIconsOnNT5 for profile %s failed. Cmp path is %s$No CM mappings key to migrate.$SOFTWARE\Microsoft\Connection Manager\Mappings$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1909122164-1887270053
Opcode ID: a3f7b87512e0a297ff53f9ab9ff546ca0a344f5e2d42777181767b5a805c806d
Instruction ID: a0a2b710335cc2416df6fb608a3cd1307b413bc723c17ac79a081c56a3441563
Opcode Fuzzy Hash: a3f7b87512e0a297ff53f9ab9ff546ca0a344f5e2d42777181767b5a805c806d
Instruction Fuzzy Hash: AD5122B2A4125EABDB60DB51DC85FEE77BCEB15305F4041A6F54AE2050EE309F849FA0

Function 00CA85B6 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 175libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAF80E: GetSystemInfo.KERNEL32(?,?,00000000,00CA6088,?,00000002,00000000), ref: 00CAF81E
Part of subcall function 00CAF80E: GetVersionExW.KERNEL32(?), ref: 00CAF82E

CmMalloc.CMUTIL(00000004,?,?,00000000), ref: 00CA860C
GetProcAddress.KERNEL32(00000000,RasDeleteEntryW), ref: 00CA8654
GetProcAddress.KERNEL32(00000000,RasEnumEntriesW), ref: 00CA8693
GetProcAddress.KERNEL32(00000000,RasSetEntryPropertiesW), ref: 00CA86D8
GetProcAddress.KERNEL32(00000000,RasEnumDevicesW), ref: 00CA871D
GetProcAddress.KERNEL32(00000000,RasGetEntryPropertiesW), ref: 00CA875E
GetProcAddress.KERNEL32(00000000,RasSetCredentialsW), ref: 00CA879E

Strings

RasEnumEntriesW, xrefs: 00CA868D
RasDeleteEntryW, xrefs: 00CA864E
RasSetEntryPropertiesW, xrefs: 00CA86D2
RasGetEntryPropertiesW, xrefs: 00CA8758
RasEnumDevicesW, xrefs: 00CA8717
RasSetCredentialsW, xrefs: 00CA8797
rasapi32.dll, xrefs: 00CA8625

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: AddressProc$InfoMallocSystemVersion
String ID: RasDeleteEntryW$RasEnumDevicesW$RasEnumEntriesW$RasGetEntryPropertiesW$RasSetCredentialsW$RasSetEntryPropertiesW$rasapi32.dll
API String ID: 2328568155-2870886424
Opcode ID: b9a0c6b652390f1e1af7eab84fd741baa153d8b333bb34ad0d86b2eedef53b7d
Instruction ID: 6262afc68dc9847886f45ee065f2cf3cfc58dee608ed3ae577cc6df4a692d05a
Opcode Fuzzy Hash: b9a0c6b652390f1e1af7eab84fd741baa153d8b333bb34ad0d86b2eedef53b7d
Instruction Fuzzy Hash: 9B515A787123139FEF29CF29D890B6D77A9AB5AB09B14016CA45ADB760DF309D089F10

Function 00CA9CA7 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAF80E: GetSystemInfo.KERNEL32(?,?,00000000,00CA6088,?,00000002,00000000), ref: 00CAF81E
Part of subcall function 00CAF80E: GetVersionExW.KERNEL32(?), ref: 00CAF82E

WzToSzWithAlloc.CMUTIL(?,00000000,00000000), ref: 00CA9CFE
lstrlenA.KERNEL32(00000000), ref: 00CA9D0F
lstrlenA.KERNEL32(cmexcept.inf), ref: 00CA9D1D
CmMalloc.CMUTIL(00000001), ref: 00CA9D26
SzToWzWithAlloc.CMUTIL(00000000), ref: 00CA9D5D
CmFree.CMUTIL(00000000), ref: 00CA9DD9

Part of subcall function 00CB02B1: CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00CB0358), ref: 00CB02C9
Part of subcall function 00CB02B1: GetFileType.KERNEL32(00000000,?,?,?,?,?,?,?,000000D2,000000D2,?,00000105,?,00CA6609,00000000,00000000), ref: 00CB02D8
Part of subcall function 00CB02B1: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,000000D2,000000D2,?,00000105,?,00CA6609,00000000,00000000,00000000), ref: 00CB02E8

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

Part of subcall function 00CAFE40: WzToSzWithAlloc.CMUTIL(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00CAA6B8,DefaultUninstall_NoPrompt,00000100), ref: 00CAFE9C
Part of subcall function 00CAFE40: WzToSzWithAlloc.CMUTIL(?,?,?,?,?,?,?,00CAA6B8,DefaultUninstall_NoPrompt,00000100), ref: 00CAFEA7
Part of subcall function 00CAFE40: CmFree.CMUTIL(00000000,00CAA6B8,?,?,?,?,?,?,00CAA6B8,DefaultUninstall_NoPrompt,00000100), ref: 00CAFEBF
Part of subcall function 00CAFE40: CmFree.CMUTIL(00000000,?,?,?,?,?,?,00CAA6B8,DefaultUninstall_NoPrompt,00000100), ref: 00CAFEC6

CmFree.CMUTIL(00000000), ref: 00CA9DE7
CmFree.CMUTIL(?,00000000,00000000), ref: 00CA9E01

Strings

cmexcept.inf, xrefs: 00CA9D15, 00CA9D3C
%s%s, xrefs: 00CA9D42
DefaultUninstall_NoPrompt, xrefs: 00CA9DB3
DefaultInstall, xrefs: 00CA9D82
InstallWhistlerCmOnWin2k -- LaunchInfSectionHelperEx failed with hr=0x%x, xrefs: 00CA9D93
InstallWhistlerCmOnWin2k -- Rolling back. LaunchInfSectionHelperEx returned hr=0x%x, xrefs: 00CA9DBE

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Free$Alloc$With$lstrlen$ByteCharFileLocalMultiWide$CloseCreateHandleInfoMallocSystemTypeVersionmemset
String ID: %s%s$DefaultInstall$DefaultUninstall_NoPrompt$InstallWhistlerCmOnWin2k -- LaunchInfSectionHelperEx failed with hr=0x%x$InstallWhistlerCmOnWin2k -- Rolling back. LaunchInfSectionHelperEx returned hr=0x%x$cmexcept.inf
API String ID: 610551511-3531355139
Opcode ID: 3ae331e0ae57ec57c0e5c907f50b8ce7318f2fd3d1955f5f46c45cdc74570a2a
Instruction ID: 51810e52a7131667ccb418ae31fecf71cfa1783848558be6478d737b3e46bed2
Opcode Fuzzy Hash: 3ae331e0ae57ec57c0e5c907f50b8ce7318f2fd3d1955f5f46c45cdc74570a2a
Instruction Fuzzy Hash: 52316732E40223ABC72067699C4BBAF7679CF83719F140238F8067B2A1DF748E419790

Function 00CB0ED9 Relevance: 24.1, APIs: 2, Strings: 14, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00CAF8CF: LoadLibraryExA.KERNEL32(Advapi32.dll,00000000,00000000,00000008,0000000B,00000000), ref: 00CAF8F3

GetLastError.KERNEL32(00000000,?,0000000B,00000000), ref: 00CB0F64
GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB0F9F

Strings

CryptGenRandom, xrefs: 00CB0F43
CryptDestroyKey, xrefs: 00CB0F27
Calling CryptAcquireContext again to create keyset, xrefs: 00CB0F7B
CryptDestroyHash, xrefs: 00CB0F1C
CryptHashData, xrefs: 00CB0F35
CryptEncrypt, xrefs: 00CB0F2E
CryptReleaseContext, xrefs: 00CB0F3C
Advapi32.dll, xrefs: 00CB0EEF
CryptDeriveKey, xrefs: 00CB0F11
CryptCreateHash, xrefs: 00CB0F00
CryptAcquireContext failed with error 0x%x. Will try a second call, xrefs: 00CB0F6B
CryptAcquireContextA, xrefs: 00CB0EF7
Fatal Error 0x%x during second call to CryptAcquireContext, xrefs: 00CB0FA6
CryptDecrypt, xrefs: 00CB0F07

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: ErrorLast$LibraryLoad
String ID: Advapi32.dll$Calling CryptAcquireContext again to create keyset$CryptAcquireContext failed with error 0x%x. Will try a second call$CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptEncrypt$CryptGenRandom$CryptHashData$CryptReleaseContext$Fatal Error 0x%x during second call to CryptAcquireContext
API String ID: 1136134869-3484811394
Opcode ID: cdcdbd8b2851e47f57ef5df0b44b9c756a848519f8788c8c08d19e99e463ec47
Instruction ID: 358a3b8ba80f3dbddfc9912909d1415a4014d54c66769a4e7692010dd806e94c
Opcode Fuzzy Hash: cdcdbd8b2851e47f57ef5df0b44b9c756a848519f8788c8c08d19e99e463ec47
Instruction Fuzzy Hash: 252199B0A40716ABCF10EFA5DC05BAF7BB4AF0570CF108128E411AA2D1D7789A05DB95

Function 00CAAEE6 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00CAB2D3,?), ref: 00CAAEFA
lstrlenW.KERNEL32(?,?,00CAB2D3,?), ref: 00CAAF1D
WzToSzWithAlloc.CMUTIL(00000000), ref: 00CAAF65
WzToSzWithAlloc.CMUTIL(?), ref: 00CAAF6E
lstrlenA.KERNEL32(00000000), ref: 00CAAF83
SzToWzWithAlloc.CMUTIL(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CAAFBF
GetLastError.KERNEL32 ref: 00CAAFD4

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

CmFree.CMUTIL(00000000), ref: 00CAB006
CmFree.CMUTIL(00000000), ref: 00CAB00D

Part of subcall function 00CB0C15: CmMalloc.CMUTIL(00000034,000003F2,00CAAF4B,?,00CAB2D3,?), ref: 00CB0C1A
Part of subcall function 00CB0C15: memset.MSVCRT ref: 00CB0C31

Strings

DecryptPresharedKeyUsingPIN - PIN is too long, xrefs: 00CAAF28
DecryptPresharedKeyUsingPIN - DecryptString failed with %d, xrefs: 00CAAFDB
DecryptPresharedKeyUsingPIN - PIN is too short, xrefs: 00CAAF05
DecryptPresharedKeyUsingPIN - Allocation failed., xrefs: 00CAAFF3

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Alloclstrlen$FreeWith$ByteCharLocalMultiWidememset$ErrorLastMalloc
String ID: DecryptPresharedKeyUsingPIN - Allocation failed.$DecryptPresharedKeyUsingPIN - DecryptString failed with %d$DecryptPresharedKeyUsingPIN - PIN is too long$DecryptPresharedKeyUsingPIN - PIN is too short
API String ID: 4061677600-137451593
Opcode ID: 9e180320c541d38a289c647b6e4535b5af209086691a050aec83debdea678eb3
Instruction ID: 43f1bb72bcf3ba0a6a278873c75aafc7938ee50acc0f114b8696918c7447576e
Opcode Fuzzy Hash: 9e180320c541d38a289c647b6e4535b5af209086691a050aec83debdea678eb3
Instruction Fuzzy Hash: AF31E9B2500343AFE7196BA9EC49B7F77ACEF1231AF104329F522910A1EB719E41DB11

Function 00CAE6F5 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(RTUTILS.DLL,00000000,00000800,00000000,00CAE7C1,00000000,00CA6111), ref: 00CAE70C
GetProcAddress.KERNEL32(00000000,TraceRegisterExA), ref: 00CAE721
GetProcAddress.KERNEL32(TraceDeregisterExA), ref: 00CAE73B
GetProcAddress.KERNEL32(TracePrintfA), ref: 00CAE755
GetProcAddress.KERNEL32(TracePrintfExA), ref: 00CAE76F
GetProcAddress.KERNEL32(TraceDumpExA), ref: 00CAE789
GetLastError.KERNEL32 ref: 00CAE798

Strings

TraceDumpExA, xrefs: 00CAE77E
TracePrintfExA, xrefs: 00CAE764
RTUTILS.DLL, xrefs: 00CAE707
TraceDeregisterExA, xrefs: 00CAE730
TracePrintfA, xrefs: 00CAE74A
TraceRegisterExA, xrefs: 00CAE71B

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: AddressProc$ErrorLastLibraryLoad
String ID: RTUTILS.DLL$TraceDeregisterExA$TraceDumpExA$TracePrintfA$TracePrintfExA$TraceRegisterExA
API String ID: 856020675-1543069151
Opcode ID: 32eefbc7e96809ee363dfcc8912bc73bbc412c60efae15dd7c921357dc3c4f84
Instruction ID: f0f0f68b9b7d4e16c927f1e0ed70c71e74f3baad44017f22470898d5dae9ec53
Opcode Fuzzy Hash: 32eefbc7e96809ee363dfcc8912bc73bbc412c60efae15dd7c921357dc3c4f84
Instruction Fuzzy Hash: 67114036540353ABE7516F64BC0870E3EE8EB5675AB040725E815D52F0DB72C681EB90

Function 00CB0040 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000104,00000000,00000000,?), ref: 00CB0087
GetFileVersionInfoSizeA.VERSION(?,?,?,?), ref: 00CB00D9
GetLastError.KERNEL32 ref: 00CB00EB
GetProcessHeap.KERNEL32 ref: 00CB0109
HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 00CB020B

Strings

\VarFileInfo\Translation, xrefs: 00CB01C9

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Heap$ByteCharErrorFileFreeInfoLastMultiProcessSizeVersionWide
String ID: \VarFileInfo\Translation
API String ID: 3320532130-675650646
Opcode ID: 283552bbd5000dc525ce3977e358dae2874932d554c7abd389a46fa6ec5e6ced
Instruction ID: 95c3abc1f0cab0bf650b2ffc63ecf0c8361bbef9844b9faa6ada0ed7b7e1bdbb
Opcode Fuzzy Hash: 283552bbd5000dc525ce3977e358dae2874932d554c7abd389a46fa6ec5e6ced
Instruction Fuzzy Hash: 66516376A402299BDB15CF59DC85BEEB7BCBF09310F2042A9EA15E7250D770DE848F90

Function 052A2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 052A293C
___swprintf_l.LIBCMT ref: 052A295E
___swprintf_l.LIBCMT ref: 052A29A3
___swprintf_l.LIBCMT ref: 052DA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 052DA527
::ffff:0:%u.%u.%u.%u, xrefs: 052DA54E
:%u.%u.%u.%u, xrefs: 052DA5B8
ffff:, xrefs: 052DA504

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: dd08d76dbab8faf5fb492b6817554e64f9449cec3a10b9d7837f6bd2e8befbea
Instruction ID: 5c25954d71bc8606cd462a0b8073a82e61e32a1b009dbb79d6ad9cda8ea1d01f
Opcode Fuzzy Hash: dd08d76dbab8faf5fb492b6817554e64f9449cec3a10b9d7837f6bd2e8befbea
Instruction Fuzzy Hash: A751E5BAB24117BFCB20DFA889C097EF7B9BF08740B508669E469D7641D374DE0087A0

Function 05312410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 053124A6
___swprintf_l.LIBCMT ref: 053124E2
___swprintf_l.LIBCMT ref: 0531257D
___swprintf_l.LIBCMT ref: 053125A3
___swprintf_l.LIBCMT ref: 053125C8
___swprintf_l.LIBCMT ref: 05312608

Strings

:%u.%u.%u.%u, xrefs: 053125FF
::%hs%u.%u.%u.%u, xrefs: 0531249E
ffff:, xrefs: 0531247D, 0531249D
::ffff:0:%u.%u.%u.%u, xrefs: 053124DA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: da77b9c52daac271db6915a53e24aea684372f3cdb67c6e37daa56c7085cc15b
Instruction ID: 0a315660aa3175e98068ca698a15ee4f51ee786a3f02fac80db999ab0e5226a7
Opcode Fuzzy Hash: da77b9c52daac271db6915a53e24aea684372f3cdb67c6e37daa56c7085cc15b
Instruction Fuzzy Hash: DA510879A00645AEDB38DF6EC89097FF7FAFF44340B048859F896C7641EAB4DA408764

Function 00CB03F5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMAK.EXE,00000000,00020019,?,00000000,00000001,?), ref: 00CB043C
memset.MSVCRT ref: 00CB0457
RegQueryValueExW.ADVAPI32(?,Path,00000000,00000001,?,0000020A), ref: 00CB0494
memset.MSVCRT ref: 00CB04AB
ExpandEnvironmentStringsW.KERNEL32(?,?,00000105), ref: 00CB04C6
RegCloseKey.ADVAPI32(?), ref: 00CB051E

Strings

%s\cmak.exe, xrefs: 00CB04F3
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMAK.EXE, xrefs: 00CB0432
Path, xrefs: 00CB0489

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: memset$CloseEnvironmentExpandOpenQueryStringsValue
String ID: %s\cmak.exe$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMAK.EXE
API String ID: 1858524815-1085455010
Opcode ID: 1ff9fb24a6bbb9c22c55e656d7a3dc425521d73bf0d4457d1a5e4bd8681d5cb2
Instruction ID: 56633e860f78c71aa285b71dfdc58ea98b78c48d9e4d95d114bb44fcad7dc88a
Opcode Fuzzy Hash: 1ff9fb24a6bbb9c22c55e656d7a3dc425521d73bf0d4457d1a5e4bd8681d5cb2
Instruction Fuzzy Hash: F63146B174021C6BD7209B60DC89FEF77BCEF48744F5045A9BA05E6141E670AE848F64

Function 00CAACB3 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94stringwindowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CAACE9
memset.MSVCRT ref: 00CAACFC
memset.MSVCRT ref: 00CAAD0F
GetPrivateProfileStringW.KERNEL32(Connection Manager,ServiceName,00CA1110,?,00000105,?), ref: 00CAAD4A
lstrcmpW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00CAAD58
LoadStringW.USER32(?,000000E8,?,00000208), ref: 00CAAD7A
MessageBoxW.USER32(00000000,?,?,00041000), ref: 00CAADC0

Part of subcall function 00CB02B1: CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00CB0358), ref: 00CB02C9
Part of subcall function 00CB02B1: GetFileType.KERNEL32(00000000,?,?,?,?,?,?,?,000000D2,000000D2,?,00000105,?,00CA6609,00000000,00000000), ref: 00CB02D8
Part of subcall function 00CB02B1: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,000000D2,000000D2,?,00000105,?,00CA6609,00000000,00000000,00000000), ref: 00CB02E8

Strings

ServiceName, xrefs: 00CAAD40
Connection Manager, xrefs: 00CAAD45

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: memset$FileString$CloseCreateHandleLoadMessagePrivateProfileTypelstrcmp
String ID: Connection Manager$ServiceName
API String ID: 2763677561-4140531980
Opcode ID: b7e2509e6c99e9a4f1c2cb1c7c79859d34dd96599b3a43fa89366499bfd1c06b
Instruction ID: e951f61e077f468e603b8703f416df097bbcf4442b6ce97bce0de1fb7b3b5a2c
Opcode Fuzzy Hash: b7e2509e6c99e9a4f1c2cb1c7c79859d34dd96599b3a43fa89366499bfd1c06b
Instruction Fuzzy Hash: 3231C571A4020D7AEB20DBB49C4AFEF73BCEB49745F540465B609E6080DAB0EB44DB20

Function 00CAF1E7 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(CMLUA.DLL,00000000,00000000,00000000,00000068,?,?,?,?,00CA905B), ref: 00CAF202
GetLastError.KERNEL32(?,?,?,?,00CA905B), ref: 00CAF20E

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

GetProcAddress.KERNEL32(00000000,_GetCoCreateInstanceAsAdminHandle), ref: 00CAF231
GetLastError.KERNEL32(?,?,?,?,00CA905B), ref: 00CAF23D
FreeLibrary.KERNEL32(00000000), ref: 00CAF297

Strings

GetProcAddress failed in GetCoCreateInstanceAsAdminHandle. GLE = %#x, xrefs: 00CAF244
_GetCoCreateInstanceAsAdminHandle, xrefs: 00CAF22B
LoadLibrary failed in GetCoCreateInstanceAsAdminHandle. GLE = %#x, xrefs: 00CAF215
CMLUA.DLL, xrefs: 00CAF1F5

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: ByteCharErrorFreeLastLibraryLocalMultiWide$AddressAllocLoadProclstrlenmemset
String ID: CMLUA.DLL$GetProcAddress failed in GetCoCreateInstanceAsAdminHandle. GLE = %#x$LoadLibrary failed in GetCoCreateInstanceAsAdminHandle. GLE = %#x$_GetCoCreateInstanceAsAdminHandle
API String ID: 2923616674-3980287433
Opcode ID: 0030001fde53590989e8695c21893d4bf07cd17be4e5fbc657878178721a48fc
Instruction ID: 553cc264b527b1863e77086459c91254817df5b5588b5268240c605a3f7daa93
Opcode Fuzzy Hash: 0030001fde53590989e8695c21893d4bf07cd17be4e5fbc657878178721a48fc
Instruction Fuzzy Hash: E8110671A40742FBC7016BA4AC4AB9E7B78DF9771AF104239F901F2290D7B48F018A61

Function 00CAF2A6 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(CMLUA.DLL,00000000,00000000,00000066,?,00000000,?,00CA9C66), ref: 00CAF2BF
GetLastError.KERNEL32(?,00CA9C66), ref: 00CAF2CB

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

GetProcAddress.KERNEL32(00000000,_SetShieldIcon), ref: 00CAF2EE
GetLastError.KERNEL32(?,00CA9C66), ref: 00CAF2FA
FreeLibrary.KERNEL32(00000000,?,00CA9C66), ref: 00CAF326

Strings

LoadLibrary failed in SetShieldIcon. GLE = %#x, xrefs: 00CAF2D2
_SetShieldIcon, xrefs: 00CAF2E8
CMLUA.DLL, xrefs: 00CAF2B2
GetProcAddress failed in SetShieldIcon. GLE = %#x, xrefs: 00CAF301

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: ByteCharErrorFreeLastLibraryLocalMultiWide$AddressAllocLoadProclstrlenmemset
String ID: CMLUA.DLL$GetProcAddress failed in SetShieldIcon. GLE = %#x$LoadLibrary failed in SetShieldIcon. GLE = %#x$_SetShieldIcon
API String ID: 2923616674-1625282375
Opcode ID: 2751f11960ab6a28e6e98f15738372fabb39ccb9d0b146fc2605c7dd034b907f
Instruction ID: 0add474f35491c856aad73c093626de8a02f5e907b6c53b834e58bb6ccb817c6
Opcode Fuzzy Hash: 2751f11960ab6a28e6e98f15738372fabb39ccb9d0b146fc2605c7dd034b907f
Instruction Fuzzy Hash: 53014E31281642FBD70127A5BC0DF6E3F68DFDB715F110234F901D22A0DBB48E029561

Function 05297630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 052D4725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 052D4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 052D46FC
Execute=1, xrefs: 052D4713
CLIENT(ntdll): Processing section info %ws..., xrefs: 052D4787
ExecuteOptions, xrefs: 052D46A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 052D4742

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: a58070a75170af8e11e0a085bf17b347e9281563598c238bdd42665e4b2f0dc2
Instruction ID: bf37e4624147ec35148e2cccd07bfbdc95a7b14d51ba1fc88c426be81c11273b
Opcode Fuzzy Hash: a58070a75170af8e11e0a085bf17b347e9281563598c238bdd42665e4b2f0dc2
Instruction Fuzzy Hash: C8510A367302597AEF18EBA4DC49FF977A9FF45304F080099E509AB290EB709A41CF50

Function 00CAEAA4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CAEB5B
GetCurrentDirectoryW.KERNEL32(00000105,?,00000000,SOFTWARE\Microsoft\Connection Manager\), ref: 00CAEB6F
memset.MSVCRT ref: 00CAEB86
SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000900), ref: 00CAEBE0
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000900,?,?,?,?,?,00000900), ref: 00CAEBF2
GetLastError.KERNEL32(?,?,00000900,?,?,?,?,?,00000900), ref: 00CAEBFE
SetCurrentDirectoryW.KERNEL32(?,?,?,00000900), ref: 00CAEC18

Strings

SOFTWARE\Microsoft\Connection Manager\, xrefs: 00CAEABA

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Directory$Current$memset$CreateErrorLast
String ID: SOFTWARE\Microsoft\Connection Manager\
API String ID: 525523854-3670741069
Opcode ID: 3572467afc110aead4cc223b9c81db432de6c83cf5ffd4a4ea28053847769224
Instruction ID: 72c2c89bd784740e15e0cb6505c95829a6a00124e1aa548377009a5f8230d646
Opcode Fuzzy Hash: 3572467afc110aead4cc223b9c81db432de6c83cf5ffd4a4ea28053847769224
Instruction Fuzzy Hash: 9E41FC71A4022A4BDB20DB60EC8D7EE73E8FF45708F5445A5E916D7181E6709E81CB98

Function 00CAEC40 Relevance: 13.7, APIs: 9, Instructions: 170COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CAEC59
memset.MSVCRT ref: 00CAEC80
memset.MSVCRT ref: 00CAEC91
memset.MSVCRT ref: 00CAECA2
CharPrevW.USER32(00CAA51E,?,00CAA51E,00CAA51E,00CAA51E,00000900,?,?,?,?,?,?,?,?,?,?), ref: 00CAED28
CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAED5A
CharNextW.USER32(00CAA51E,00CAA51E,00CAA51E,00CAA51E,00000900,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00CAED6B
CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00CAED75
CharNextW.USER32(00000000,?,00000001,00CAA51E,00CAA51E,00000900,?,?,?,?,?,?,?,?,?,?), ref: 00CAEDB0

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Char$Nextmemset$Prev
String ID:
API String ID: 124700820-0
Opcode ID: f749a4f3077b5c54d397b9fb9d10316a5c9e798599f0d103abd45404341f615a
Instruction ID: a6afebb1d49339977b180ce1d40983303c5a5d02f72610457f6c039878516b44
Opcode Fuzzy Hash: f749a4f3077b5c54d397b9fb9d10316a5c9e798599f0d103abd45404341f615a
Instruction Fuzzy Hash: 52518271E0010AAFDB149FB8CD8C9AF7ABEEB8A748F544529E811D7240DA74DE41C7A4

Function 00CA77B7 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00CAF80E: GetSystemInfo.KERNEL32(?,?,00000000,00CA6088,?,00000002,00000000), ref: 00CAF81E
Part of subcall function 00CAF80E: GetVersionExW.KERNEL32(?), ref: 00CAF82E

memset.MSVCRT ref: 00CA77F8
LoadStringW.USER32(?,000000F3,?,00000104), ref: 00CA7821
LoadStringW.USER32(?,000000C9,?,00000104), ref: 00CA783C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,000000C9,?,00000104,?,-00000010), ref: 00CA789C
SHFileOperationW.SHELL32(?,?,?,?,?,?,?,000000C9,?,00000104,?,-00000010), ref: 00CA78EB

Strings

%s\%s %s.lnk, xrefs: 00CA7842
%s\%s - %s.lnk, xrefs: 00CA7829, 00CA7857

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: FileLoadString$AttributesInfoOperationSystemVersionmemset
String ID: %s\%s %s.lnk$%s\%s - %s.lnk
API String ID: 3023855805-2072813738
Opcode ID: 62324ecab2535b2ab3bcec7f5d5ba0ba25ae6382a3a919297d632200cae3ef59
Instruction ID: 31f7ff49f29c7feaf136c829ded59d3e2748fb8d37d49e8cf86eb6c331d660d3
Opcode Fuzzy Hash: 62324ecab2535b2ab3bcec7f5d5ba0ba25ae6382a3a919297d632200cae3ef59
Instruction Fuzzy Hash: B93170B1E4061CAFDB20DF68DC89FEEB7B8BF09305F4401A9A509A7180DA709E85CF50

Function 00CB02F8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84registryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00CB0321
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE,00000000,00020019,00000105,?,?,?,?,?,?,000000D2,000000D2,?,00000105), ref: 00CB037A
RegQueryValueExW.ADVAPI32(00000105,Path,00000000,000000D2,?,?,?,?,?,?,?,?,000000D2), ref: 00CB03A4
RegCloseKey.ADVAPI32(00000105,?,?,?,?,?,?,000000D2), ref: 00CB03DF

Strings

%s\cmdial32.dll, xrefs: 00CB0328, 00CB03AF
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE, xrefs: 00CB0370
Path, xrefs: 00CB039C

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: CloseDirectoryOpenQuerySystemValue
String ID: %s\cmdial32.dll$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE
API String ID: 2669017811-174292050
Opcode ID: 300774274394996cd36e8919ef37715ccbfc22ff0423c45d39fff252bb2bd6a0
Instruction ID: 9109c92c421be1a459de0816a23a77b4dd1e206d049bbd52daf05baebb34f715
Opcode Fuzzy Hash: 300774274394996cd36e8919ef37715ccbfc22ff0423c45d39fff252bb2bd6a0
Instruction Fuzzy Hash: AE216274640719BFE7106F619C8DFEFB6ACEF50748F20012AF905E6161E7B05E4087A5

Function 00CADB8B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CADBB6
LoadStringW.USER32(?,000000D2,?,00000104), ref: 00CADBD0
GetPrivateProfileStringW.KERNEL32(Strings,ServiceName,00CA1110,?,00000104,?), ref: 00CADBF3
LoadStringW.USER32(?,000000CA,?,00000104), ref: 00CADC12
MessageBoxW.USER32(00000000,?,?,00000104), ref: 00CADC51

Strings

ServiceName, xrefs: 00CADBE9
Strings, xrefs: 00CADBEE

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: String$Load$MessagePrivateProfilememset
String ID: ServiceName$Strings
API String ID: 2209871614-786735791
Opcode ID: 5cacb0241568882fbf69cd77d3381651f235155ad7620539cf6e6db21ace6a2e
Instruction ID: 4859475cc92fed929ca98724b0e78bc232719ba80b28569ead697c7606cc7c71
Opcode Fuzzy Hash: 5cacb0241568882fbf69cd77d3381651f235155ad7620539cf6e6db21ace6a2e
Instruction Fuzzy Hash: 1821C3B2A4111C7BD720D7659C8AFEF77BCEB85704F4440A5BA05E7080D5B09F84CBA0

Function 00CAF4CB Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 53synchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CAF4E3
ShellExecuteExW.SHELL32(?), ref: 00CAF50E
WaitForSingleObject.KERNEL32(?,0000EA60), ref: 00CAF525
CloseHandle.KERNEL32(?), ref: 00CAF52E
GetLastError.KERNEL32 ref: 00CAF536

Strings

cmd.exe, xrefs: 00CAF4D5
<, xrefs: 00CAF501

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastObjectShellSingleWaitmemset
String ID: <$cmd.exe
API String ID: 4236448690-3849938778
Opcode ID: 51f459ba2b4d70781c77be7fb948365dcef6fc78cef1e4c0efd7d754ea2ec9a2
Instruction ID: 93d99115a445975e3367b021c51767c1e04e29cca47002be7ebbb764c0c1e015
Opcode Fuzzy Hash: 51f459ba2b4d70781c77be7fb948365dcef6fc78cef1e4c0efd7d754ea2ec9a2
Instruction Fuzzy Hash: 3C117C71E00249EBDB11DFE9E8C4ACEBBF8AF49314F14413AF914E2250DB709A059B24

Function 00CB1240 Relevance: 12.1, APIs: 8, Instructions: 146sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?,00CB1AD8,00000058), ref: 00CB125F
Sleep.KERNEL32(000003E8), ref: 00CB1294
_amsg_exit.MSVCRT ref: 00CB12A9
_initterm.MSVCRT ref: 00CB12FD
__IsNonwritableInCurrentImage.LIBCMT ref: 00CB1329
exit.MSVCRT ref: 00CB139F
_ismbblead.MSVCRT ref: 00CB13BA

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 359039474-0
Opcode ID: ff32c7c002ab0f45085e7a82a73a5e5da3bf6ed1c877dd5614d7f7c614101572
Instruction ID: b89c9722430c501096ee93709dc32dd2ccd281a8ddd5f89da95b62fd98a23ce8
Opcode Fuzzy Hash: ff32c7c002ab0f45085e7a82a73a5e5da3bf6ed1c877dd5614d7f7c614101572
Instruction Fuzzy Hash: 43410731A403699FDB219F59D8257EEB7F8FB45720F68022AEC55D36A0DB709E40CB80

Function 00CA8146 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00CA8061: CmMalloc.CMUTIL(?,?,?,?,?,?,?,00CA817C,?), ref: 00CA80E3
Part of subcall function 00CA8061: CmFree.CMUTIL(?,?,?,?,?,?,?,?,?,?,?,?,00CA817C,?), ref: 00CA8128

CmFree.CMUTIL(?,00000000,?), ref: 00CA8280

Part of subcall function 00CAF80E: GetSystemInfo.KERNEL32(?,?,00000000,00CA6088,?,00000002,00000000), ref: 00CAF81E
Part of subcall function 00CAF80E: GetVersionExW.KERNEL32(?), ref: 00CAF82E

CompareStringW.KERNEL32(-00000409,00000001,?,000000FF,isdn,000000FF,00000001,00000000,?), ref: 00CA81F4
CompareStringW.KERNEL32(-00000409,00000001,?,000000FF,modem,000000FF), ref: 00CA8211

Strings

vpn, xrefs: 00CA81DD
isdn, xrefs: 00CA81E4
modem, xrefs: 00CA8201

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: CompareFreeString$InfoMallocSystemVersion
String ID: isdn$modem$vpn
API String ID: 801637981-2211633186
Opcode ID: 6d16c926d6d8950b8158523733f8eb022e61c335c40fabbe250684a6c2327920
Instruction ID: eda7d2ddc4570648eb13327e6a740e026d690778075c08dadb3a9a9d3acdf613
Opcode Fuzzy Hash: 6d16c926d6d8950b8158523733f8eb022e61c335c40fabbe250684a6c2327920
Instruction Fuzzy Hash: 1931B632A00625ABDF349B58CC85BEE7775EF46728F1403A4F51DB62E0DE749E85CA40

Function 00CA87CA Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

CmMalloc.CMUTIL(00000004,0000001A,?,?,?,?,?,?,?,?,00CA82B7,00000000,00000000,0000001A,0000001A), ref: 00CA8809
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CA8857
GetProcAddress.KERNEL32(00000000,?), ref: 00CA8890

Strings

SHGetSpecialFolderPathW, xrefs: 00CA87FC
shell32.dll, xrefs: 00CA8822
SHGetFolderPathW, xrefs: 00CA87EA

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: AddressProc$Malloc
String ID: SHGetFolderPathW$SHGetSpecialFolderPathW$shell32.dll
API String ID: 1345222435-1047280340
Opcode ID: 20784046388c7d84916a18a62a9cf7b62792baa46fed56f591699beda3c90393
Instruction ID: 4b7432e498485603ba1fdc5035c77bedd01a91e3e9b895bc490530965e9fdb4d
Opcode Fuzzy Hash: 20784046388c7d84916a18a62a9cf7b62792baa46fed56f591699beda3c90393
Instruction Fuzzy Hash: B631B131A122179FCB28DF65D84077E77B9EF47718B85053CA811AB290DF349E04CB50

Function 00CB0DE1 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00CB1021,00000000,00000000,00000000,00000000,000003F2,00000000), ref: 00CB0E1E
GetLastError.KERNEL32(?,00CB1021,00000000,00000000,00000000,00000000,000003F2,00000000), ref: 00CB0E81
GetLastError.KERNEL32(?,00CB1021,00000000,00000000,00000000,00000000,000003F2,00000000), ref: 00CB0E8F
GetLastError.KERNEL32(?,000003F2,00000000,00000000,?,00CB1021,00000000,00000000,00000000,00000000,000003F2,00000000), ref: 00CB0E9D

Strings

Error 0x%x during CryptDeriveKey, xrefs: 00CB0E88
Error 0x%x during CryptCreateHash, xrefs: 00CB0EA4
Error 0x%x during CryptHashData, xrefs: 00CB0E96

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: ErrorLast$lstrlen
String ID: Error 0x%x during CryptCreateHash$Error 0x%x during CryptDeriveKey$Error 0x%x during CryptHashData
API String ID: 5083882-3835767217
Opcode ID: db02eddc029a07ee92574a0adae57c18a07bf21a6aff07d635c7cfbb80b01c24
Instruction ID: 767b754b4e39a7ce3878c86fb760530acede58b3e00a7ae78855a6dc6bf3a26a
Opcode Fuzzy Hash: db02eddc029a07ee92574a0adae57c18a07bf21a6aff07d635c7cfbb80b01c24
Instruction Fuzzy Hash: 9C218631640A58FFDB216F65DC44F6F7B7AEF84B41F244A29B851A2170CB31EE019AA1

Function 00CA72A1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Connection Manager\Guid Mappings,00000000,000F003F,?,00000001,?,00000000), ref: 00CA72CD
memset.MSVCRT ref: 00CA72F9
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00CA7358
RegCloseKey.ADVAPI32(?), ref: 00CA736E
RegDeleteKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Connection Manager\Guid Mappings), ref: 00CA737E

Strings

SOFTWARE\Microsoft\Connection Manager\Guid Mappings, xrefs: 00CA72CB, 00CA737C

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: CloseDeleteEnumOpenmemset
String ID: SOFTWARE\Microsoft\Connection Manager\Guid Mappings
API String ID: 2657547098-3028025146
Opcode ID: 174ac793fa397c82a19342673ba5d748773b951dda99b3f0a1d14aba127575c2
Instruction ID: 3c63b6a2161391bf8a3d66ad82d8da73b14ce0ab4686a8e35625296a0c2ca26f
Opcode Fuzzy Hash: 174ac793fa397c82a19342673ba5d748773b951dda99b3f0a1d14aba127575c2
Instruction Fuzzy Hash: 802180B694113DABDB219690EC89FFFB67CEB05750F0103A5BD05A7150DA709E449AE0

Function 00CAF6F4 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00CAF60A: CreateFileW.KERNEL32(00000000,00000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00CAF65E,?,00000004,00000000,00000000), ref: 00CAF621
Part of subcall function 00CAF60A: CloseHandle.KERNEL32(00000000,?,00CAF65E,?,00000004,00000000,00000000), ref: 00CAF62E

memset.MSVCRT ref: 00CAF76F
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 00CAF784

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

Strings

ProcessCmdLn - %s is not a valid path, xrefs: 00CAF7E2
ProcessCmdLn - expanded path is %s, xrefs: 00CAF795
ProcessCmdLn - Invalid token is %s, xrefs: 00CAF7E9
ProcessCmdLn - ValidFilePath is %s, xrefs: 00CAF74C

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: ByteCharLocalMultiWidememset$AllocCloseCreateEnvironmentExpandFileFreeHandleStringslstrlen
String ID: ProcessCmdLn - %s is not a valid path$ProcessCmdLn - Invalid token is %s$ProcessCmdLn - ValidFilePath is %s$ProcessCmdLn - expanded path is %s
API String ID: 284219289-2165559247
Opcode ID: a113abae653b65d9faf4b534c61f42c5080779b7c15be9de67fdc245859b7ffd
Instruction ID: 173f877afbdd3fea8c0fe2ac8e01061689fc6fbb838ab41748608b9ad5e76ab3
Opcode Fuzzy Hash: a113abae653b65d9faf4b534c61f42c5080779b7c15be9de67fdc245859b7ffd
Instruction Fuzzy Hash: F021C7B1640219BBDB10EB65EC86FDE73BCAB16304F540579B509E2181D7B09E41DAB1

Function 00CA8FC7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetOSVersion.CMUTIL(?,00000000,00CAAC6D), ref: 00CA8FCD
GetOSMajorVersion.CMUTIL ref: 00CA8FDC
CoInitialize.OLE32(00000000), ref: 00CA9011
IsWindow.USER32 ref: 00CA9044

Part of subcall function 00CAF1E7: LoadLibraryExW.KERNEL32(CMLUA.DLL,00000000,00000000,00000000,00000068,?,?,?,?,00CA905B), ref: 00CAF202
Part of subcall function 00CAF1E7: GetLastError.KERNEL32(?,?,?,?,00CA905B), ref: 00CAF20E

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

Strings

CoCreateInstance failed with error %#x, xrefs: 00CA9087, 00CA90B8
CoInitialize failed with error %#x, xrefs: 00CA9021

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: ByteCharLocalMultiVersionWide$AllocErrorFreeInitializeLastLibraryLoadMajorWindowlstrlenmemset
String ID: CoCreateInstance failed with error %#x$CoInitialize failed with error %#x
API String ID: 549505080-2502270487
Opcode ID: 53476cf6db4d3099158732bc24338380507a15b86243698ee9bb96c6d432a5c4
Instruction ID: 1998267a315db1990c998f12aead6d49d1da2e5e8adcffb30524240f7b2ffa29
Opcode Fuzzy Hash: 53476cf6db4d3099158732bc24338380507a15b86243698ee9bb96c6d432a5c4
Instruction Fuzzy Hash: 9521C6306806139FC701AB39EC4BB2E37A9E79B75AB100625F506D3270DB309D56DBA1

Function 00CA8E8D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

CmMalloc.CMUTIL(00000208,?,00000000,00000000,00CA1110,?,00CAB1AB,00000000,00000000), ref: 00CA8EAD
GetPrivateProfileStringW.KERNEL32(Connection Manager,PresharedKey,?,00000000,00000104,?), ref: 00CA8EC9
CmRealloc.CMUTIL(00000000,00000000,?,00CAB1AB,00000000,00000000), ref: 00CA8EE5
CmFree.CMUTIL(00000000,?,00CAB1AB,00000000,00000000), ref: 00CA8EF6

Strings

PresharedKey, xrefs: 00CA8EBF
Connection Manager, xrefs: 00CA8EC4

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: FreeMallocPrivateProfileReallocString
String ID: Connection Manager$PresharedKey
API String ID: 2632375670-1975814712
Opcode ID: 1915101856c13443c4f2b0be8ab2ed39c52db082395f37756492aa996384f550
Instruction ID: 2c5e4c0a4e0db8083197067b8a625bf2c296b323b7d307cf16fb305be4b44f82
Opcode Fuzzy Hash: 1915101856c13443c4f2b0be8ab2ed39c52db082395f37756492aa996384f550
Instruction Fuzzy Hash: A701D136700117BB9721579E8D49F6FBA9DEF97B9AB100124F911E2100FF709E0497A4

Function 00CAF8CF Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(Advapi32.dll,00000000,00000000,00000008,0000000B,00000000), ref: 00CAF8F3

Strings

ppvPfn=%p] LoadLibrary() failed., xrefs: 00CAF920
(null), xrefs: 00CAF903, 00CAF90B
LinkToDll - Loading library - %s, xrefs: 00CAF8DB
Advapi32.dll, xrefs: 00CAF8DA, 00CAF8F2
LinkToDll[phInst=%p, *pszDll=%s, ppszPfn=%p,, xrefs: 00CAF90D

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: LibraryLoad
String ID: ppvPfn=%p] LoadLibrary() failed.$(null)$Advapi32.dll$LinkToDll - Loading library - %s$LinkToDll[phInst=%p, *pszDll=%s, ppszPfn=%p,
API String ID: 1029625771-3672097443
Opcode ID: 58af9db54722ce14caaab5552af5a3ec4f81b7a1f924b1132f7f15e0fb7ec1da
Instruction ID: cc2b58579572b008de08e79021e0f44af1833d1cd4b5deafe2c5eb0b486ebca0
Opcode Fuzzy Hash: 58af9db54722ce14caaab5552af5a3ec4f81b7a1f924b1132f7f15e0fb7ec1da
Instruction Fuzzy Hash: 9DF0D135640216BBCB112B6AEC02F5F3E259B933B8F204134F918552A1D6B18D22A6D1

Function 00CAFF4A Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 81stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CAFF91
memset.MSVCRT ref: 00CAFFA4
lstrlenW.KERNEL32(00CB26C0,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CAFFD7

Strings

/c /q /t:%s, xrefs: 00CAFFB3
%s\cmbins.exe, xrefs: 00CAFFEF, 00CAFFF5
%scmbins.exe, xrefs: 00CAFFE8

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: memset$lstrlen
String ID: %s\cmbins.exe$%scmbins.exe$/c /q /t:%s
API String ID: 810095026-4287561306
Opcode ID: 9d5f53029583ade25351efe096bfd6a02543d5754603706ef790d998a1e9dc09
Instruction ID: a5996d66c6b6b5f9f05d5ec99051da73a29a4b226ac2802976da355c229407d9
Opcode Fuzzy Hash: 9d5f53029583ade25351efe096bfd6a02543d5754603706ef790d998a1e9dc09
Instruction Fuzzy Hash: 0421EEF2B4021C7BD720AA64AC86FEF736CDB44754F940069BA05D7191F9B0DE80C6B4

Function 052AB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 052AB6BF

Strings

-, xrefs: 052AB650
+, xrefs: 052AB65A
0, xrefs: 052AB695
0, xrefs: 052AB66F

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: d4db9adeed4e4241c39541e3e23e5956dddee4d7bedbccca6a83129f572d19e0
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 1581D433E2524A9FDF25CF68C891BFEBBB2BF85710F184259D8A5A7291C7749840CB50

Function 053120E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0531214F
___swprintf_l.LIBCMT ref: 05312172

Strings

]:%u, xrefs: 05312169
[, xrefs: 0531212B
%%%u, xrefs: 05312146

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: a2ca796cbbc76a00c2212898c2b2e9efecf5789c750887371e947751a5b893a0
Instruction ID: e5f608e68df8427bb95fbafb5bdec89f61819a6f2391a5e2ce532f15dc1a58c9
Opcode Fuzzy Hash: a2ca796cbbc76a00c2212898c2b2e9efecf5789c750887371e947751a5b893a0
Instruction Fuzzy Hash: D721537AE10119ABDB14DF7ACC44AFFB7E9AF54654F040126FD05E3200EB70D9018BA5

Function 00CADA90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,02000080,00000000,00000000,00000000,00000000), ref: 00CADACB
CloseHandle.KERNEL32(00000000), ref: 00CADADB
memset.MSVCRT ref: 00CADAEE
SHFileOperationW.SHELL32(?,?,?,?,00000100), ref: 00CADB5A

Strings

SHFileOperation Failed with error: %d, xrefs: 00CADB67

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: File$CloseCreateHandleOperationmemset
String ID: SHFileOperation Failed with error: %d
API String ID: 2747852314-291918080
Opcode ID: 9a3124c531313cbc31f20ad6e350d2f4d649fb8bd6c5fa1ad2cc470960d77bb0
Instruction ID: cd075b3c378af825a90b7aa50197dcd31833a4fde537e19f49fedf8eebe41aa7
Opcode Fuzzy Hash: 9a3124c531313cbc31f20ad6e350d2f4d649fb8bd6c5fa1ad2cc470960d77bb0
Instruction Fuzzy Hash: FF2188B1901229ABD7209B55AC8DBDFBBBCEF55754F150296F81A93180D7704F80CBA4

Function 00CAB043 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA5DB1: LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,00CA5F9F,?), ref: 00CA5DD6

GetProcAddress.KERNEL32(?,RasSetAutodialAddressW), ref: 00CAB09A
memset.MSVCRT ref: 00CAB0B7
FreeLibrary.KERNEL32(?,rasapi32.dll,?,-00000010), ref: 00CAB10C

Strings

RasSetAutodialAddressW, xrefs: 00CAB094
rasapi32.dll, xrefs: 00CAB070

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Library$AddressFreeLoadProcmemset
String ID: RasSetAutodialAddressW$rasapi32.dll
API String ID: 2465613599-1082389147
Opcode ID: 4be35591e06e68f12d3a5d2451b728595a147bf1d6cc75f3f035fc992a2a9918
Instruction ID: 61ee11ebd3bf885c90536ece2c8acb313db63e88cacb78b2e3ce8e6158a7ce2d
Opcode Fuzzy Hash: 4be35591e06e68f12d3a5d2451b728595a147bf1d6cc75f3f035fc992a2a9918
Instruction Fuzzy Hash: 51210674A4131D7FDB20AF60EC99BEF7378EF41704F1401A8B805A7282DBB49F419AA0

Function 00CAFE40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

WzToSzWithAlloc.CMUTIL(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00CAA6B8,DefaultUninstall_NoPrompt,00000100), ref: 00CAFE9C
WzToSzWithAlloc.CMUTIL(?,?,?,?,?,?,?,00CAA6B8,DefaultUninstall_NoPrompt,00000100), ref: 00CAFEA7
CmFree.CMUTIL(00000000,00CAA6B8,?,?,?,?,?,?,00CAA6B8,DefaultUninstall_NoPrompt,00000100), ref: 00CAFEBF
CmFree.CMUTIL(00000000,?,?,?,?,?,?,00CAA6B8,DefaultUninstall_NoPrompt,00000100), ref: 00CAFEC6

Part of subcall function 00CA5D50: CmFree.CMUTIL(000000AC,?,00CA6040), ref: 00CA5D70

Strings

LaunchInfSectionEx for Inf - "%s", Section - "%s" returned %x, xrefs: 00CAFED4

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Free$AllocWith
String ID: LaunchInfSectionEx for Inf - "%s", Section - "%s" returned %x
API String ID: 1505831064-764098538
Opcode ID: 810c890e428e05b2349a77863f270ee776c7040141a664163865b9b16b39a65a
Instruction ID: 9fc1f8838ae10df54a2808bfa7f202bb6fb32b7952f08c336a4556f50739b11e
Opcode Fuzzy Hash: 810c890e428e05b2349a77863f270ee776c7040141a664163865b9b16b39a65a
Instruction Fuzzy Hash: FC114276D00615BFCF109FA9CC48A9EBFB9EF49355F108569F805A3221D7359E05CBA0

Function 00CAF94D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00CAF984

Part of subcall function 00CAE951: memset.MSVCRT ref: 00CAE978
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000,=====================================================,00000000,00000000), ref: 00CAE99D
Part of subcall function 00CAE951: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CAE9AC
Part of subcall function 00CAE951: WideCharToMultiByte.KERNEL32(00000000,00000400,00CA6122,000000FF,00000000,00000000,00000000,00000000), ref: 00CAE9C7
Part of subcall function 00CAE951: lstrlenA.KERNEL32(?,00000000,00000000,?), ref: 00CAE9FA
Part of subcall function 00CAE951: LocalFree.KERNEL32(00000000,=====================================================,00000000,00000000), ref: 00CAEA01

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00CAF947,?,?), ref: 00CAF9AB

Strings

Advapi32.dll, xrefs: 00CAF96D
BindLinkage(hInstDll=%d,ppszPfn=%p,ppvPfn=%p), xrefs: 00CAF998
GetProcAddress(hInstDll=%d,*pszProc=%S) failed, GLE=%u., xrefs: 00CAF9B7

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AddressAllocErrorFreeLastProclstrlenmemset
String ID: GetProcAddress(hInstDll=%d,*pszProc=%S) failed, GLE=%u.$Advapi32.dll$BindLinkage(hInstDll=%d,ppszPfn=%p,ppvPfn=%p)
API String ID: 1524284223-2394752687
Opcode ID: 1cfaefd178466affb18f2fc98de83c4a4d336e8143cd1a0da12106aa43cc0de5
Instruction ID: 3db6785746caaf80d89a23859611c889d07adaa39ad2a68e2706f7a32df426b6
Opcode Fuzzy Hash: 1cfaefd178466affb18f2fc98de83c4a4d336e8143cd1a0da12106aa43cc0de5
Instruction Fuzzy Hash: 10119076D04206FFCF049FA9D841A9EBBB5EF55315F20807EF845E2210E7319A52DB60

Function 00CAF55D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60stringCOMMON

Download Yara Rule

APIs

CmMalloc.CMUTIL(0000000D,=====================================================,00000000,00000000,00CA6167,00000000,0000020A,=====================================================), ref: 00CAF589
lstrlenW.KERNEL32(00CB20D4), ref: 00CAF59C
CmMalloc.CMUTIL(00000000), ref: 00CAF5A9

Strings

CProcessCmdLn::CProcessCmdLn() - Arithmetic operation failed: %ld, xrefs: 00CAF5EF
=====================================================, xrefs: 00CAF561

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Malloc$lstrlen
String ID: =====================================================$CProcessCmdLn::CProcessCmdLn() - Arithmetic operation failed: %ld
API String ID: 1153220847-236544058
Opcode ID: e6782c6c3a9a709b77a9b8663a9673c33996c5dfe46367a84a9984c7a0e69b24
Instruction ID: a6fa05d170f01d578955b056d1de4f7d83269ccaaff54a971fe5cd88548f1af7
Opcode Fuzzy Hash: e6782c6c3a9a709b77a9b8663a9673c33996c5dfe46367a84a9984c7a0e69b24
Instruction Fuzzy Hash: 3B11E270A40607ABD7249FA4DC48E1AFBA9FF45324B10C62EF829C3290D730E812CB94

Function 0528F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 052D02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 052D02BD
RTL: Re-Waiting, xrefs: 052D031E

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: d41c2e305c01b3f58d21873cedbdfba867d9a0732c6e455681113cec707c5147
Instruction ID: 2b34eb5319f0cb8987a20657e108f6bad5eb2589c40f1a11965c3eac688e8b7f
Opcode Fuzzy Hash: d41c2e305c01b3f58d21873cedbdfba867d9a0732c6e455681113cec707c5147
Instruction Fuzzy Hash: C1E1D430629742DFD725DF68C988B2AB7E1BF84314F140A1DF5A98B2E0E774E844CB52

Function 0529BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 052D7B7F
RTL: Re-Waiting, xrefs: 052D7BAC
RTL: Resource at %p, xrefs: 052D7B8E

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 0d418838fc518d52017659559c0dda809ac1a16bb19565d9cbf0be042581b355
Instruction ID: bf4365e341342f05ccb425c1068aa8d7d5a39829cc2ed1c8b6973ab04327b91a
Opcode Fuzzy Hash: 0d418838fc518d52017659559c0dda809ac1a16bb19565d9cbf0be042581b355
Instruction Fuzzy Hash: 8441E5353287039FCB24DE25D840B6AB7E6FF88710F100A2DF95A9B780D771E8058B91

Function 0529B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 052D728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 052D7294
RTL: Re-Waiting, xrefs: 052D72C1
RTL: Resource at %p, xrefs: 052D72A3

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 4117bf1ac7592ee3a2aae9ac5c37bf5eaf5d5b5ef2bb2f1b436ea400e6b9ec86
Instruction ID: dbb8a8b024cad05bcc77d6e993559f74290fde6a43934a748250d835dfbcf427
Opcode Fuzzy Hash: 4117bf1ac7592ee3a2aae9ac5c37bf5eaf5d5b5ef2bb2f1b436ea400e6b9ec86
Instruction Fuzzy Hash: EC411071724242ABCB24DE24CC45F6AB7A6FF84710F140619F959AB340DB30F802DBE0

Function 05312300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0531238D
___swprintf_l.LIBCMT ref: 053123B3

Strings

%%%u, xrefs: 05312384
]:%u, xrefs: 053123AA

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: ac9e087efe2b64d18713f464b2b75dd2dd68f92370fb54c21b05f838d145e142
Instruction ID: 54968a78bffa8fa75acd96a4b705a0bf4c57ce8b27d250bc676c130d42658011
Opcode Fuzzy Hash: ac9e087efe2b64d18713f464b2b75dd2dd68f92370fb54c21b05f838d145e142
Instruction Fuzzy Hash: D7317176A10219AFDB24DE79CC44BEFB7A8BF44750F440956FC49E3200EB70AA548BA4

Function 00CAF9EF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CAF9FB

Part of subcall function 00CAF8CF: LoadLibraryExA.KERNEL32(Advapi32.dll,00000000,00000000,00000008,0000000B,00000000), ref: 00CAF8F3

FreeLibrary.KERNEL32(?,00CB2070,?,0000000C,00000000,00CAFC0E,00000000), ref: 00CAFA27
memset.MSVCRT ref: 00CAFA31

Strings

advapi32.dll, xrefs: 00CAFA06

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: Librarymemset$FreeLoad
String ID: advapi32.dll
API String ID: 2581557833-4050573280
Opcode ID: a51cf6eee477ad008fd624be782543c3f119cfaeeeed1b86f3a4dbc99f73df95
Instruction ID: d7f7b4dee5b11ea0af3c298a3f50c4a7ccddbfa27bc46bc02cbb14a7c158c838
Opcode Fuzzy Hash: a51cf6eee477ad008fd624be782543c3f119cfaeeeed1b86f3a4dbc99f73df95
Instruction Fuzzy Hash: CDE02B7134112273D22136957C16FEBAF6DDFC6F54F180139B908851D4DAB15D13E2E1

Function 00CB1190 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00CB17A8: GetModuleHandleW.KERNEL32(00000000), ref: 00CB17AF

__set_app_type.MSVCRT ref: 00CB11A2
__p__fmode.MSVCRT ref: 00CB11B8
__p__commode.MSVCRT ref: 00CB11C6
__setusermatherr.MSVCRT ref: 00CB11E7

Memory Dump Source

Source File: 00000009.00000002.3516658502.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_cmstp.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 01b9d0646e5d745c69ef07cdd615cf509bbd4631b4a08f50d99ed13fa364d9df
Instruction ID: 66892a8db54fb022ec47066e1d63e310c35d3ca3e80d770a49e557e68aa20fd3
Opcode Fuzzy Hash: 01b9d0646e5d745c69ef07cdd615cf509bbd4631b4a08f50d99ed13fa364d9df
Instruction Fuzzy Hash: 6BF01C715003408FDB28AF34EC6A74D3BA5BB01322F540B69E861962F1CF358644DF10

Function 052A7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 052A7E8B

Strings

-, xrefs: 052A7DDD
+, xrefs: 052A7DE8

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 13ca16a774fc57b839835c62e91eb92e2d7253a1ec453ce3f2997940bf06ffdd
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 1691B472F242079BDF24DF69C980ABEB7A6FF44320F18451AE959E72C0D7709A418B58

Function 05269126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 05269175
$, xrefs: 05269191

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 6ba2d09044d22f08f5922f756c4bc5a79ca633b64b1c675489c39acc348ee940
Instruction ID: a92008963e78e3219779414f4cd966e59546ea228c88587bfd5369e013c11001
Opcode Fuzzy Hash: 6ba2d09044d22f08f5922f756c4bc5a79ca633b64b1c675489c39acc348ee940
Instruction Fuzzy Hash: 75810A75D10269DBDB25DB54CC45BEEBBB8AF08750F1041EAA91DB7280EB705E84CFA0

Function 052ECEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 052ECFBD

Strings

@4Cw@4Cw, xrefs: 052ECFD5, 052ECFDA, 052ECFF1
@, xrefs: 052ECF0A

Memory Dump Source

Source File: 00000009.00000002.3518287769.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000009.00000002.3518287769.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3518287769.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5230000_cmstp.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 732335c2b32a302b51d5d44aeb2d94c2bfd4c2c51e974911732e1857cea50e9a
Instruction ID: 679f25225e1a53ed087a850b50e56684d5a0546905ddfc54aafa5d0b7abbc602
Opcode Fuzzy Hash: 732335c2b32a302b51d5d44aeb2d94c2bfd4c2c51e974911732e1857cea50e9a
Instruction Fuzzy Hash: 8E41C2B1A20219DFCB22DFA4C844AADFBB8FF44B10F44452EE905EB250D770D801DB61

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 97q26I8OtN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\97q26I8OtN.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fsttans.nxw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhpy20f1.sdb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfzcpt1e.xgr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pcasdjby.dyi.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
97q26I8OtN.exe

Function 052AADA8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 052A44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 052A5914 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 052AD27C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 052AD688 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 052AB031 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 052AA0CC Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 08ED5C71 Relevance: 1.4, Strings: 1, Instructions: 156
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre