Edit tour

Windows Analysis Report
ThBJg59JRC.exe

Overview

General Information

Sample name:	ThBJg59JRC.exe renamed because original name is a hash value
Original sample name:	7dcf4b6a9f116bacedf79a6551a385cda77c8167f49d8ba32831677566a556f3.exe
Analysis ID:	1587884
MD5:	66a2ae67ac3e5a8f0df4e0d304eee97f
SHA1:	1b8566d943b92bd4bbb74ff73e5d8d413c5e88a7
SHA256:	7dcf4b6a9f116bacedf79a6551a385cda77c8167f49d8ba32831677566a556f3
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ThBJg59JRC.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\ThBJg59JRC.exe" MD5: 66A2AE67AC3E5A8F0DF4E0D304EEE97F)

powershell.exe (PID: 7884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8056 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

ThBJg59JRC.exe (PID: 7908 cmdline: "C:\Users\user\Desktop\ThBJg59JRC.exe" MD5: 66A2AE67AC3E5A8F0DF4E0D304EEE97F)

ThBJg59JRC.exe (PID: 7936 cmdline: "C:\Users\user\Desktop\ThBJg59JRC.exe" MD5: 66A2AE67AC3E5A8F0DF4E0D304EEE97F)

ThBJg59JRC.exe (PID: 7952 cmdline: "C:\Users\user\Desktop\ThBJg59JRC.exe" MD5: 66A2AE67AC3E5A8F0DF4E0D304EEE97F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2034296368.00000000014F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: ThBJg59JRC.exe PID: 7488	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.ThBJg59JRC.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.ThBJg59JRC.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ThBJg59JRC.exe", ParentImage: C:\Users\user\Desktop\ThBJg59JRC.exe, ParentProcessId: 7488, ParentProcessName: ThBJg59JRC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe", ProcessId: 7884, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ThBJg59JRC.exe", ParentImage: C:\Users\user\Desktop\ThBJg59JRC.exe, ParentProcessId: 7488, ParentProcessName: ThBJg59JRC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe", ProcessId: 7884, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ThBJg59JRC.exe	Virustotal: Detection: 73%			Perma Link
Source: ThBJg59JRC.exe	ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 8.2.ThBJg59JRC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ThBJg59JRC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2034296368.00000000014F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ThBJg59JRC.exe

Joe Sandbox ML: detected

Source: ThBJg59JRC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ThBJg59JRC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: ThBJg59JRC.exe, 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ThBJg59JRC.exe, ThBJg59JRC.exe, 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Code function: 4x nop then jmp 09DA61FEh

0_2_09DA5DE7

Source: global traffic

TCP traffic: 192.168.2.9:60409 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: ThBJg59JRC.exe, 00000000.00000002.1515197073.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ThBJg59JRC.exe	String found in binary or memory: https://api.libertyreserve.com/beta/xml/
Source: ThBJg59JRC.exe	String found in binary or memory: https://api.libertyreserve.com/beta/xml/accountname.aspx
Source: ThBJg59JRC.exe	String found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx
Source: ThBJg59JRC.exe	String found in binary or memory: https://api.libertyreserve.com/beta/xml/history.aspx
Source: ThBJg59JRC.exe, 00000000.00000002.1515197073.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.libertyreserve.com/beta/xml/history.aspxS
Source: ThBJg59JRC.exe	String found in binary or memory: https://api.libertyreserve.com/beta/xml/transfer.aspx
Source: ThBJg59JRC.exe	String found in binary or memory: https://sci.libertyreserve.com/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.ThBJg59JRC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ThBJg59JRC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2034296368.00000000014F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0042CF83 NtClose,	8_2_0042CF83
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_018E2DF0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_018E2C70
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E35C0 NtCreateMutant,LdrInitializeThunk,	8_2_018E35C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E4340 NtSetContextThread,	8_2_018E4340
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E4650 NtSuspendThread,	8_2_018E4650
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2B80 NtQueryInformationFile,	8_2_018E2B80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2BA0 NtEnumerateValueKey,	8_2_018E2BA0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2BE0 NtQueryValueKey,	8_2_018E2BE0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2BF0 NtAllocateVirtualMemory,	8_2_018E2BF0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2B60 NtClose,	8_2_018E2B60
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2AB0 NtWaitForSingleObject,	8_2_018E2AB0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2AD0 NtReadFile,	8_2_018E2AD0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2AF0 NtWriteFile,	8_2_018E2AF0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2DB0 NtEnumerateKey,	8_2_018E2DB0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2DD0 NtDelayExecution,	8_2_018E2DD0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2D00 NtSetInformationFile,	8_2_018E2D00
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2D10 NtMapViewOfSection,	8_2_018E2D10
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2D30 NtUnmapViewOfSection,	8_2_018E2D30
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2CA0 NtQueryInformationToken,	8_2_018E2CA0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2CC0 NtQueryVirtualMemory,	8_2_018E2CC0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2CF0 NtOpenProcess,	8_2_018E2CF0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2C00 NtQueryInformationProcess,	8_2_018E2C00
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2C60 NtCreateKey,	8_2_018E2C60
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2F90 NtProtectVirtualMemory,	8_2_018E2F90
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2FA0 NtQuerySection,	8_2_018E2FA0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2FB0 NtResumeThread,	8_2_018E2FB0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2FE0 NtCreateFile,	8_2_018E2FE0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2F30 NtCreateSection,	8_2_018E2F30
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2F60 NtCreateProcessEx,	8_2_018E2F60
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2E80 NtReadVirtualMemory,	8_2_018E2E80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2EA0 NtAdjustPrivilegesToken,	8_2_018E2EA0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2EE0 NtQueueApcThread,	8_2_018E2EE0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2E30 NtWriteVirtualMemory,	8_2_018E2E30
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E3090 NtSetValueKey,	8_2_018E3090
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E3010 NtOpenDirectoryObject,	8_2_018E3010
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E39B0 NtGetContextThread,	8_2_018E39B0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E3D10 NtOpenProcessToken,	8_2_018E3D10
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E3D70 NtOpenThread,	8_2_018E3D70

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E2328	0_2_010E2328
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E0860	0_2_010E0860
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E0EE8	0_2_010E0EE8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E76A8	0_2_010E76A8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E2118	0_2_010E2118
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E207C	0_2_010E207C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E20B1	0_2_010E20B1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010EA41A	0_2_010EA41A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E2BC9	0_2_010E2BC9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E2BD8	0_2_010E2BD8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E0E06	0_2_010E0E06
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E0E58	0_2_010E0E58
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E33B8	0_2_010E33B8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E3601	0_2_010E3601
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E3610	0_2_010E3610
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E16B8	0_2_010E16B8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E1BDE	0_2_010E1BDE
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E1AB9	0_2_010E1AB9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E1D15	0_2_010E1D15
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E1F02	0_2_010E1F02
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E1F57	0_2_010E1F57
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_010E1E09	0_2_010E1E09
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09242106	0_2_09242106
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_0924A91C	0_2_0924A91C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_0924BD78	0_2_0924BD78
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09242FC0	0_2_09242FC0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09500B90	0_2_09500B90
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09502CF8	0_2_09502CF8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09507F6C	0_2_09507F6C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09501E78	0_2_09501E78
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_0950E5E8	0_2_0950E5E8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09509590	0_2_09509590
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09501441	0_2_09501441
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09508950	0_2_09508950
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09508960	0_2_09508960
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_095018E3	0_2_095018E3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09503BD8	0_2_09503BD8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09500B8B	0_2_09500B8B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09508D11	0_2_09508D11
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09504DE0	0_2_09504DE0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09504FE8	0_2_09504FE8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09509E88	0_2_09509E88
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09500040	0_2_09500040
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09505278	0_2_09505278
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09508218	0_2_09508218
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09508228	0_2_09508228
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09508568	0_2_09508568
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09505454	0_2_09505454
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09505458	0_2_09505458
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_0950A440	0_2_0950A440
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09DA20A8	0_2_09DA20A8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09DA1838	0_2_09DA1838
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09DA1C70	0_2_09DA1C70
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09DA86C0	0_2_09DA86C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09DA5636	0_2_09DA5636
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00403095	8_2_00403095
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_004030A0	8_2_004030A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0040E959	8_2_0040E959
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00410963	8_2_00410963
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0040E963	8_2_0040E963
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0041710F	8_2_0041710F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00417113	8_2_00417113
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_004022D6	8_2_004022D6
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_004022E0	8_2_004022E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0040EAA8	8_2_0040EAA8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0040EAB3	8_2_0040EAB3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0040EB7B	8_2_0040EB7B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00402C50	8_2_00402C50
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0040248D	8_2_0040248D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00402490	8_2_00402490
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0042F5A3	8_2_0042F5A3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00410743	8_2_00410743
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00402780	8_2_00402780
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019641A2	8_2_019641A2
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019701AA	8_2_019701AA
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019681CC	8_2_019681CC
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A0100	8_2_018A0100
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194A118	8_2_0194A118
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01938158	8_2_01938158
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01942000	8_2_01942000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019703E6	8_2_019703E6
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BE3F0	8_2_018BE3F0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196A352	8_2_0196A352
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019302C0	8_2_019302C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01970591	8_2_01970591
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0535	8_2_018B0535
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195E4F6	8_2_0195E4F6
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01954420	8_2_01954420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01962446	8_2_01962446
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AC7C0	8_2_018AC7C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D4750	8_2_018D4750
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CC6E0	8_2_018CC6E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0197A9A6	8_2_0197A9A6
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C6962	8_2_018C6962
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018968B8	8_2_018968B8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE8F0	8_2_018DE8F0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BA840	8_2_018BA840
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B2840	8_2_018B2840
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01966BD7	8_2_01966BD7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196AB40	8_2_0196AB40
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C8DBF	8_2_018C8DBF
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AADE0	8_2_018AADE0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BAD00	8_2_018BAD00
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194CD1F	8_2_0194CD1F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950CB5	8_2_01950CB5
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A0CF2	8_2_018A0CF2
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0C00	8_2_018B0C00
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192EFA0	8_2_0192EFA0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A2FC8	8_2_018A2FC8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BCFE0	8_2_018BCFE0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01952F30	8_2_01952F30
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018F2F28	8_2_018F2F28
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D0F30	8_2_018D0F30
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01924F40	8_2_01924F40
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196CE93	8_2_0196CE93
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C2E90	8_2_018C2E90
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196EEDB	8_2_0196EEDB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196EE26	8_2_0196EE26
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0E59	8_2_018B0E59
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BB1B0	8_2_018BB1B0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E516C	8_2_018E516C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189F172	8_2_0189F172
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0197B16B	8_2_0197B16B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B70C0	8_2_018B70C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195F0CC	8_2_0195F0CC
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196F0E0	8_2_0196F0E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019670E9	8_2_019670E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018F739A	8_2_018F739A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196132D	8_2_0196132D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189D34C	8_2_0189D34C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B52A0	8_2_018B52A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CB2C0	8_2_018CB2C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019512ED	8_2_019512ED
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194D5B0	8_2_0194D5B0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019795C3	8_2_019795C3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01967571	8_2_01967571
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196F43F	8_2_0196F43F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A1460	8_2_018A1460
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196F7B0	8_2_0196F7B0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019616CC	8_2_019616CC
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018F5630	8_2_018F5630
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01945910	8_2_01945910
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B9950	8_2_018B9950
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CB950	8_2_018CB950
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B38E0	8_2_018B38E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191D800	8_2_0191D800
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CFB80	8_2_018CFB80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01925BF0	8_2_01925BF0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018EDBF9	8_2_018EDBF9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196FB76	8_2_0196FB76
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018F5AA0	8_2_018F5AA0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01951AA3	8_2_01951AA3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194DAAC	8_2_0194DAAC
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195DAC6	8_2_0195DAC6
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01967A46	8_2_01967A46
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196FA49	8_2_0196FA49
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01923A6C	8_2_01923A6C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CFDC0	8_2_018CFDC0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B3D40	8_2_018B3D40
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01961D5A	8_2_01961D5A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01967D73	8_2_01967D73
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196FCF2	8_2_0196FCF2
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01929C32	8_2_01929C32
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B1F92	8_2_018B1F92
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196FFB1	8_2_0196FFB1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196FF09	8_2_0196FF09
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B9EB0	8_2_018B9EB0

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: String function: 0189B970 appears 280 times
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: String function: 0191EA12 appears 86 times
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: String function: 018E5130 appears 58 times
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: String function: 018F7E54 appears 110 times
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: String function: 0192F290 appears 105 times

Source: ThBJg59JRC.exe, 00000000.00000000.1351754085.0000000000672000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBENES.exe4 vs ThBJg59JRC.exe
Source: ThBJg59JRC.exe, 00000000.00000002.1539614669.00000000091E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs ThBJg59JRC.exe
Source: ThBJg59JRC.exe, 00000000.00000002.1526992308.0000000004209000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs ThBJg59JRC.exe
Source: ThBJg59JRC.exe, 00000000.00000002.1526992308.0000000004209000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ThBJg59JRC.exe
Source: ThBJg59JRC.exe, 00000000.00000002.1514130185.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ThBJg59JRC.exe
Source: ThBJg59JRC.exe, 00000000.00000002.1544207209.000000000E8A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ThBJg59JRC.exe
Source: ThBJg59JRC.exe, 00000008.00000002.2034522019.000000000199D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ThBJg59JRC.exe
Source: ThBJg59JRC.exe	Binary or memory string: OriginalFilenameBENES.exe4 vs ThBJg59JRC.exe

Source: ThBJg59JRC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ThBJg59JRC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal88.troj.evad.winEXE@11/6@1/0

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ThBJg59JRC.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ebetdeg.uiz.ps1

Jump to behavior

Source: ThBJg59JRC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ThBJg59JRC.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ThBJg59JRC.exe	Virustotal: Detection: 73%
Source: ThBJg59JRC.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ThBJg59JRC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ThBJg59JRC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: ThBJg59JRC.exe, 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ThBJg59JRC.exe, ThBJg59JRC.exe, 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09243B04 push esp; iretd	0_2_09243B09
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 0_2_09243390 push 00000007h; ret	0_2_092433A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0041987C push ss; ret	8_2_00419884
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00412008 push edi; iretd	8_2_00412014
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0041B1C1 push esp; ret	8_2_0041B1C5
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0041524A push ebp; iretd	8_2_0041527D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00407258 push eax; retf	8_2_004072E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00407233 push eax; retf	8_2_004072E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_004072E1 push eax; retf	8_2_004072E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0041F352 push ebp; retf	8_2_0041F359
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0041F370 push edi; iretd	8_2_0041F37F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0041F373 push edi; iretd	8_2_0041F37F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00403310 push eax; ret	8_2_00403312
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0040AB25 push esp; ret	8_2_0040AB26
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_00412C0F push ebx; iretd	8_2_00412C2B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0187225F pushad ; ret	8_2_018727F9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018727FA pushad ; ret	8_2_018727F9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A09AD push ecx; mov dword ptr [esp], ecx	8_2_018A09B6
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0187283D push eax; iretd	8_2_01872858
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01871368 push eax; iretd	8_2_01871369

Source: ThBJg59JRC.exe

Static PE information: section name: .text entropy: 7.682768227873829

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: ThBJg59JRC.exe PID: 7488, type: MEMORYSTR

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: 10E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: 4A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: 50B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: 60B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: 61E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: 71E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: B310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: C310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: C7A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: D7A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: E940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: F940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Memory allocated: 10940000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Code function: 8_2_018E096E rdtsc

8_2_018E096E

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4410			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 604			Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

API coverage: 0.6 %

Source: C:\Users\user\Desktop\ThBJg59JRC.exe TID: 7508	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe TID: 7956	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: ThBJg59JRC.exe, 00000000.00000002.1514130185.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ThBJg59JRC.exe, 00000000.00000002.1514130185.0000000000D91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\L_

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Code function: 8_2_018E096E rdtsc

8_2_018E096E

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Code function: 8_2_004180A3 LdrLoadDll,

8_2_004180A3

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E0185 mov eax, dword ptr fs:[00000030h]	8_2_018E0185
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192019F mov eax, dword ptr fs:[00000030h]	8_2_0192019F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192019F mov eax, dword ptr fs:[00000030h]	8_2_0192019F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192019F mov eax, dword ptr fs:[00000030h]	8_2_0192019F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192019F mov eax, dword ptr fs:[00000030h]	8_2_0192019F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01944180 mov eax, dword ptr fs:[00000030h]	8_2_01944180
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01944180 mov eax, dword ptr fs:[00000030h]	8_2_01944180
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195C188 mov eax, dword ptr fs:[00000030h]	8_2_0195C188
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195C188 mov eax, dword ptr fs:[00000030h]	8_2_0195C188
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189A197 mov eax, dword ptr fs:[00000030h]	8_2_0189A197
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189A197 mov eax, dword ptr fs:[00000030h]	8_2_0189A197
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189A197 mov eax, dword ptr fs:[00000030h]	8_2_0189A197
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0191E1D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0191E1D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E1D0 mov ecx, dword ptr fs:[00000030h]	8_2_0191E1D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0191E1D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0191E1D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019661C3 mov eax, dword ptr fs:[00000030h]	8_2_019661C3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019661C3 mov eax, dword ptr fs:[00000030h]	8_2_019661C3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019761E5 mov eax, dword ptr fs:[00000030h]	8_2_019761E5
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D01F8 mov eax, dword ptr fs:[00000030h]	8_2_018D01F8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01960115 mov eax, dword ptr fs:[00000030h]	8_2_01960115
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194A118 mov ecx, dword ptr fs:[00000030h]	8_2_0194A118
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194A118 mov eax, dword ptr fs:[00000030h]	8_2_0194A118
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194A118 mov eax, dword ptr fs:[00000030h]	8_2_0194A118
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194A118 mov eax, dword ptr fs:[00000030h]	8_2_0194A118
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov eax, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov ecx, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov eax, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov eax, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov ecx, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov eax, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov eax, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov ecx, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov eax, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E10E mov ecx, dword ptr fs:[00000030h]	8_2_0194E10E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D0124 mov eax, dword ptr fs:[00000030h]	8_2_018D0124
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01938158 mov eax, dword ptr fs:[00000030h]	8_2_01938158
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01934144 mov eax, dword ptr fs:[00000030h]	8_2_01934144
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01934144 mov eax, dword ptr fs:[00000030h]	8_2_01934144
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01934144 mov ecx, dword ptr fs:[00000030h]	8_2_01934144
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01934144 mov eax, dword ptr fs:[00000030h]	8_2_01934144
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01934144 mov eax, dword ptr fs:[00000030h]	8_2_01934144
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A6154 mov eax, dword ptr fs:[00000030h]	8_2_018A6154
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A6154 mov eax, dword ptr fs:[00000030h]	8_2_018A6154
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189C156 mov eax, dword ptr fs:[00000030h]	8_2_0189C156
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974164 mov eax, dword ptr fs:[00000030h]	8_2_01974164
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974164 mov eax, dword ptr fs:[00000030h]	8_2_01974164
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A208A mov eax, dword ptr fs:[00000030h]	8_2_018A208A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018980A0 mov eax, dword ptr fs:[00000030h]	8_2_018980A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019660B8 mov eax, dword ptr fs:[00000030h]	8_2_019660B8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019660B8 mov ecx, dword ptr fs:[00000030h]	8_2_019660B8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019380A8 mov eax, dword ptr fs:[00000030h]	8_2_019380A8
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019220DE mov eax, dword ptr fs:[00000030h]	8_2_019220DE
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A80E9 mov eax, dword ptr fs:[00000030h]	8_2_018A80E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189A0E3 mov ecx, dword ptr fs:[00000030h]	8_2_0189A0E3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019260E0 mov eax, dword ptr fs:[00000030h]	8_2_019260E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189C0F0 mov eax, dword ptr fs:[00000030h]	8_2_0189C0F0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E20F0 mov ecx, dword ptr fs:[00000030h]	8_2_018E20F0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01924000 mov ecx, dword ptr fs:[00000030h]	8_2_01924000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01942000 mov eax, dword ptr fs:[00000030h]	8_2_01942000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01942000 mov eax, dword ptr fs:[00000030h]	8_2_01942000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01942000 mov eax, dword ptr fs:[00000030h]	8_2_01942000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01942000 mov eax, dword ptr fs:[00000030h]	8_2_01942000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01942000 mov eax, dword ptr fs:[00000030h]	8_2_01942000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01942000 mov eax, dword ptr fs:[00000030h]	8_2_01942000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01942000 mov eax, dword ptr fs:[00000030h]	8_2_01942000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01942000 mov eax, dword ptr fs:[00000030h]	8_2_01942000
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BE016 mov eax, dword ptr fs:[00000030h]	8_2_018BE016
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BE016 mov eax, dword ptr fs:[00000030h]	8_2_018BE016
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BE016 mov eax, dword ptr fs:[00000030h]	8_2_018BE016
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BE016 mov eax, dword ptr fs:[00000030h]	8_2_018BE016
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01936030 mov eax, dword ptr fs:[00000030h]	8_2_01936030
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189A020 mov eax, dword ptr fs:[00000030h]	8_2_0189A020
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189C020 mov eax, dword ptr fs:[00000030h]	8_2_0189C020
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01926050 mov eax, dword ptr fs:[00000030h]	8_2_01926050
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A2050 mov eax, dword ptr fs:[00000030h]	8_2_018A2050
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CC073 mov eax, dword ptr fs:[00000030h]	8_2_018CC073
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189E388 mov eax, dword ptr fs:[00000030h]	8_2_0189E388
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189E388 mov eax, dword ptr fs:[00000030h]	8_2_0189E388
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189E388 mov eax, dword ptr fs:[00000030h]	8_2_0189E388
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C438F mov eax, dword ptr fs:[00000030h]	8_2_018C438F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C438F mov eax, dword ptr fs:[00000030h]	8_2_018C438F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01898397 mov eax, dword ptr fs:[00000030h]	8_2_01898397
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01898397 mov eax, dword ptr fs:[00000030h]	8_2_01898397
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01898397 mov eax, dword ptr fs:[00000030h]	8_2_01898397
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019443D4 mov eax, dword ptr fs:[00000030h]	8_2_019443D4
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019443D4 mov eax, dword ptr fs:[00000030h]	8_2_019443D4
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA3C0 mov eax, dword ptr fs:[00000030h]	8_2_018AA3C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA3C0 mov eax, dword ptr fs:[00000030h]	8_2_018AA3C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA3C0 mov eax, dword ptr fs:[00000030h]	8_2_018AA3C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA3C0 mov eax, dword ptr fs:[00000030h]	8_2_018AA3C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA3C0 mov eax, dword ptr fs:[00000030h]	8_2_018AA3C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA3C0 mov eax, dword ptr fs:[00000030h]	8_2_018AA3C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A83C0 mov eax, dword ptr fs:[00000030h]	8_2_018A83C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A83C0 mov eax, dword ptr fs:[00000030h]	8_2_018A83C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A83C0 mov eax, dword ptr fs:[00000030h]	8_2_018A83C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A83C0 mov eax, dword ptr fs:[00000030h]	8_2_018A83C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E3DB mov eax, dword ptr fs:[00000030h]	8_2_0194E3DB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E3DB mov eax, dword ptr fs:[00000030h]	8_2_0194E3DB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E3DB mov ecx, dword ptr fs:[00000030h]	8_2_0194E3DB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194E3DB mov eax, dword ptr fs:[00000030h]	8_2_0194E3DB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019263C0 mov eax, dword ptr fs:[00000030h]	8_2_019263C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195C3CD mov eax, dword ptr fs:[00000030h]	8_2_0195C3CD
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B03E9 mov eax, dword ptr fs:[00000030h]	8_2_018B03E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B03E9 mov eax, dword ptr fs:[00000030h]	8_2_018B03E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B03E9 mov eax, dword ptr fs:[00000030h]	8_2_018B03E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B03E9 mov eax, dword ptr fs:[00000030h]	8_2_018B03E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B03E9 mov eax, dword ptr fs:[00000030h]	8_2_018B03E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B03E9 mov eax, dword ptr fs:[00000030h]	8_2_018B03E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B03E9 mov eax, dword ptr fs:[00000030h]	8_2_018B03E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B03E9 mov eax, dword ptr fs:[00000030h]	8_2_018B03E9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D63FF mov eax, dword ptr fs:[00000030h]	8_2_018D63FF
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BE3F0 mov eax, dword ptr fs:[00000030h]	8_2_018BE3F0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BE3F0 mov eax, dword ptr fs:[00000030h]	8_2_018BE3F0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BE3F0 mov eax, dword ptr fs:[00000030h]	8_2_018BE3F0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA30B mov eax, dword ptr fs:[00000030h]	8_2_018DA30B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA30B mov eax, dword ptr fs:[00000030h]	8_2_018DA30B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA30B mov eax, dword ptr fs:[00000030h]	8_2_018DA30B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189C310 mov ecx, dword ptr fs:[00000030h]	8_2_0189C310
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C0310 mov ecx, dword ptr fs:[00000030h]	8_2_018C0310
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01978324 mov eax, dword ptr fs:[00000030h]	8_2_01978324
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01978324 mov ecx, dword ptr fs:[00000030h]	8_2_01978324
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01978324 mov eax, dword ptr fs:[00000030h]	8_2_01978324
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01978324 mov eax, dword ptr fs:[00000030h]	8_2_01978324
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196A352 mov eax, dword ptr fs:[00000030h]	8_2_0196A352
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01948350 mov ecx, dword ptr fs:[00000030h]	8_2_01948350
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192035C mov eax, dword ptr fs:[00000030h]	8_2_0192035C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192035C mov eax, dword ptr fs:[00000030h]	8_2_0192035C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192035C mov eax, dword ptr fs:[00000030h]	8_2_0192035C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192035C mov ecx, dword ptr fs:[00000030h]	8_2_0192035C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192035C mov eax, dword ptr fs:[00000030h]	8_2_0192035C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192035C mov eax, dword ptr fs:[00000030h]	8_2_0192035C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0197634F mov eax, dword ptr fs:[00000030h]	8_2_0197634F
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01922349 mov eax, dword ptr fs:[00000030h]	8_2_01922349
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194437C mov eax, dword ptr fs:[00000030h]	8_2_0194437C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE284 mov eax, dword ptr fs:[00000030h]	8_2_018DE284
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE284 mov eax, dword ptr fs:[00000030h]	8_2_018DE284
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01920283 mov eax, dword ptr fs:[00000030h]	8_2_01920283
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01920283 mov eax, dword ptr fs:[00000030h]	8_2_01920283
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01920283 mov eax, dword ptr fs:[00000030h]	8_2_01920283
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B02A0 mov eax, dword ptr fs:[00000030h]	8_2_018B02A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B02A0 mov eax, dword ptr fs:[00000030h]	8_2_018B02A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019362A0 mov eax, dword ptr fs:[00000030h]	8_2_019362A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019362A0 mov ecx, dword ptr fs:[00000030h]	8_2_019362A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019362A0 mov eax, dword ptr fs:[00000030h]	8_2_019362A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019362A0 mov eax, dword ptr fs:[00000030h]	8_2_019362A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019362A0 mov eax, dword ptr fs:[00000030h]	8_2_019362A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019362A0 mov eax, dword ptr fs:[00000030h]	8_2_019362A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019762D6 mov eax, dword ptr fs:[00000030h]	8_2_019762D6
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA2C3 mov eax, dword ptr fs:[00000030h]	8_2_018AA2C3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA2C3 mov eax, dword ptr fs:[00000030h]	8_2_018AA2C3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA2C3 mov eax, dword ptr fs:[00000030h]	8_2_018AA2C3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA2C3 mov eax, dword ptr fs:[00000030h]	8_2_018AA2C3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA2C3 mov eax, dword ptr fs:[00000030h]	8_2_018AA2C3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B02E1 mov eax, dword ptr fs:[00000030h]	8_2_018B02E1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B02E1 mov eax, dword ptr fs:[00000030h]	8_2_018B02E1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B02E1 mov eax, dword ptr fs:[00000030h]	8_2_018B02E1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189823B mov eax, dword ptr fs:[00000030h]	8_2_0189823B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195A250 mov eax, dword ptr fs:[00000030h]	8_2_0195A250
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195A250 mov eax, dword ptr fs:[00000030h]	8_2_0195A250
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0197625D mov eax, dword ptr fs:[00000030h]	8_2_0197625D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01928243 mov eax, dword ptr fs:[00000030h]	8_2_01928243
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01928243 mov ecx, dword ptr fs:[00000030h]	8_2_01928243
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A6259 mov eax, dword ptr fs:[00000030h]	8_2_018A6259
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189A250 mov eax, dword ptr fs:[00000030h]	8_2_0189A250
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01950274 mov eax, dword ptr fs:[00000030h]	8_2_01950274
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189826B mov eax, dword ptr fs:[00000030h]	8_2_0189826B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A4260 mov eax, dword ptr fs:[00000030h]	8_2_018A4260
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A4260 mov eax, dword ptr fs:[00000030h]	8_2_018A4260
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A4260 mov eax, dword ptr fs:[00000030h]	8_2_018A4260
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D4588 mov eax, dword ptr fs:[00000030h]	8_2_018D4588
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A2582 mov eax, dword ptr fs:[00000030h]	8_2_018A2582
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A2582 mov ecx, dword ptr fs:[00000030h]	8_2_018A2582
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE59C mov eax, dword ptr fs:[00000030h]	8_2_018DE59C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019205A7 mov eax, dword ptr fs:[00000030h]	8_2_019205A7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019205A7 mov eax, dword ptr fs:[00000030h]	8_2_019205A7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019205A7 mov eax, dword ptr fs:[00000030h]	8_2_019205A7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C45B1 mov eax, dword ptr fs:[00000030h]	8_2_018C45B1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C45B1 mov eax, dword ptr fs:[00000030h]	8_2_018C45B1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE5CF mov eax, dword ptr fs:[00000030h]	8_2_018DE5CF
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE5CF mov eax, dword ptr fs:[00000030h]	8_2_018DE5CF
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A65D0 mov eax, dword ptr fs:[00000030h]	8_2_018A65D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA5D0 mov eax, dword ptr fs:[00000030h]	8_2_018DA5D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA5D0 mov eax, dword ptr fs:[00000030h]	8_2_018DA5D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DC5ED mov eax, dword ptr fs:[00000030h]	8_2_018DC5ED
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DC5ED mov eax, dword ptr fs:[00000030h]	8_2_018DC5ED
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A25E0 mov eax, dword ptr fs:[00000030h]	8_2_018A25E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE5E7 mov eax, dword ptr fs:[00000030h]	8_2_018CE5E7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE5E7 mov eax, dword ptr fs:[00000030h]	8_2_018CE5E7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE5E7 mov eax, dword ptr fs:[00000030h]	8_2_018CE5E7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE5E7 mov eax, dword ptr fs:[00000030h]	8_2_018CE5E7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE5E7 mov eax, dword ptr fs:[00000030h]	8_2_018CE5E7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE5E7 mov eax, dword ptr fs:[00000030h]	8_2_018CE5E7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE5E7 mov eax, dword ptr fs:[00000030h]	8_2_018CE5E7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE5E7 mov eax, dword ptr fs:[00000030h]	8_2_018CE5E7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01936500 mov eax, dword ptr fs:[00000030h]	8_2_01936500
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974500 mov eax, dword ptr fs:[00000030h]	8_2_01974500
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974500 mov eax, dword ptr fs:[00000030h]	8_2_01974500
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974500 mov eax, dword ptr fs:[00000030h]	8_2_01974500
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974500 mov eax, dword ptr fs:[00000030h]	8_2_01974500
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974500 mov eax, dword ptr fs:[00000030h]	8_2_01974500
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974500 mov eax, dword ptr fs:[00000030h]	8_2_01974500
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974500 mov eax, dword ptr fs:[00000030h]	8_2_01974500
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE53E mov eax, dword ptr fs:[00000030h]	8_2_018CE53E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE53E mov eax, dword ptr fs:[00000030h]	8_2_018CE53E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE53E mov eax, dword ptr fs:[00000030h]	8_2_018CE53E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE53E mov eax, dword ptr fs:[00000030h]	8_2_018CE53E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE53E mov eax, dword ptr fs:[00000030h]	8_2_018CE53E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0535 mov eax, dword ptr fs:[00000030h]	8_2_018B0535
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0535 mov eax, dword ptr fs:[00000030h]	8_2_018B0535
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0535 mov eax, dword ptr fs:[00000030h]	8_2_018B0535
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0535 mov eax, dword ptr fs:[00000030h]	8_2_018B0535
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0535 mov eax, dword ptr fs:[00000030h]	8_2_018B0535
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0535 mov eax, dword ptr fs:[00000030h]	8_2_018B0535
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A8550 mov eax, dword ptr fs:[00000030h]	8_2_018A8550
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A8550 mov eax, dword ptr fs:[00000030h]	8_2_018A8550
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D656A mov eax, dword ptr fs:[00000030h]	8_2_018D656A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D656A mov eax, dword ptr fs:[00000030h]	8_2_018D656A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D656A mov eax, dword ptr fs:[00000030h]	8_2_018D656A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195A49A mov eax, dword ptr fs:[00000030h]	8_2_0195A49A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A64AB mov eax, dword ptr fs:[00000030h]	8_2_018A64AB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192A4B0 mov eax, dword ptr fs:[00000030h]	8_2_0192A4B0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D44B0 mov ecx, dword ptr fs:[00000030h]	8_2_018D44B0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A04E5 mov ecx, dword ptr fs:[00000030h]	8_2_018A04E5
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D8402 mov eax, dword ptr fs:[00000030h]	8_2_018D8402
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D8402 mov eax, dword ptr fs:[00000030h]	8_2_018D8402
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D8402 mov eax, dword ptr fs:[00000030h]	8_2_018D8402
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189E420 mov eax, dword ptr fs:[00000030h]	8_2_0189E420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189E420 mov eax, dword ptr fs:[00000030h]	8_2_0189E420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189E420 mov eax, dword ptr fs:[00000030h]	8_2_0189E420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189C427 mov eax, dword ptr fs:[00000030h]	8_2_0189C427
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01926420 mov eax, dword ptr fs:[00000030h]	8_2_01926420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01926420 mov eax, dword ptr fs:[00000030h]	8_2_01926420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01926420 mov eax, dword ptr fs:[00000030h]	8_2_01926420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01926420 mov eax, dword ptr fs:[00000030h]	8_2_01926420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01926420 mov eax, dword ptr fs:[00000030h]	8_2_01926420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01926420 mov eax, dword ptr fs:[00000030h]	8_2_01926420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01926420 mov eax, dword ptr fs:[00000030h]	8_2_01926420
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA430 mov eax, dword ptr fs:[00000030h]	8_2_018DA430
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0195A456 mov eax, dword ptr fs:[00000030h]	8_2_0195A456
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE443 mov eax, dword ptr fs:[00000030h]	8_2_018DE443
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE443 mov eax, dword ptr fs:[00000030h]	8_2_018DE443
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE443 mov eax, dword ptr fs:[00000030h]	8_2_018DE443
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE443 mov eax, dword ptr fs:[00000030h]	8_2_018DE443
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE443 mov eax, dword ptr fs:[00000030h]	8_2_018DE443
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE443 mov eax, dword ptr fs:[00000030h]	8_2_018DE443
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE443 mov eax, dword ptr fs:[00000030h]	8_2_018DE443
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DE443 mov eax, dword ptr fs:[00000030h]	8_2_018DE443
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189645D mov eax, dword ptr fs:[00000030h]	8_2_0189645D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C245A mov eax, dword ptr fs:[00000030h]	8_2_018C245A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192C460 mov ecx, dword ptr fs:[00000030h]	8_2_0192C460
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CA470 mov eax, dword ptr fs:[00000030h]	8_2_018CA470
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CA470 mov eax, dword ptr fs:[00000030h]	8_2_018CA470
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CA470 mov eax, dword ptr fs:[00000030h]	8_2_018CA470
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194678E mov eax, dword ptr fs:[00000030h]	8_2_0194678E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A07AF mov eax, dword ptr fs:[00000030h]	8_2_018A07AF
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019547A0 mov eax, dword ptr fs:[00000030h]	8_2_019547A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AC7C0 mov eax, dword ptr fs:[00000030h]	8_2_018AC7C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019207C3 mov eax, dword ptr fs:[00000030h]	8_2_019207C3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C27ED mov eax, dword ptr fs:[00000030h]	8_2_018C27ED
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C27ED mov eax, dword ptr fs:[00000030h]	8_2_018C27ED
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C27ED mov eax, dword ptr fs:[00000030h]	8_2_018C27ED
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A47FB mov eax, dword ptr fs:[00000030h]	8_2_018A47FB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A47FB mov eax, dword ptr fs:[00000030h]	8_2_018A47FB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192E7E1 mov eax, dword ptr fs:[00000030h]	8_2_0192E7E1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DC700 mov eax, dword ptr fs:[00000030h]	8_2_018DC700
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A0710 mov eax, dword ptr fs:[00000030h]	8_2_018A0710
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D0710 mov eax, dword ptr fs:[00000030h]	8_2_018D0710
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191C730 mov eax, dword ptr fs:[00000030h]	8_2_0191C730
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DC720 mov eax, dword ptr fs:[00000030h]	8_2_018DC720
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DC720 mov eax, dword ptr fs:[00000030h]	8_2_018DC720
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D273C mov eax, dword ptr fs:[00000030h]	8_2_018D273C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D273C mov ecx, dword ptr fs:[00000030h]	8_2_018D273C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D273C mov eax, dword ptr fs:[00000030h]	8_2_018D273C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D674D mov esi, dword ptr fs:[00000030h]	8_2_018D674D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D674D mov eax, dword ptr fs:[00000030h]	8_2_018D674D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D674D mov eax, dword ptr fs:[00000030h]	8_2_018D674D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01924755 mov eax, dword ptr fs:[00000030h]	8_2_01924755
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192E75D mov eax, dword ptr fs:[00000030h]	8_2_0192E75D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A0750 mov eax, dword ptr fs:[00000030h]	8_2_018A0750
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2750 mov eax, dword ptr fs:[00000030h]	8_2_018E2750
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2750 mov eax, dword ptr fs:[00000030h]	8_2_018E2750
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A8770 mov eax, dword ptr fs:[00000030h]	8_2_018A8770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0770 mov eax, dword ptr fs:[00000030h]	8_2_018B0770
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A4690 mov eax, dword ptr fs:[00000030h]	8_2_018A4690
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A4690 mov eax, dword ptr fs:[00000030h]	8_2_018A4690
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DC6A6 mov eax, dword ptr fs:[00000030h]	8_2_018DC6A6
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D66B0 mov eax, dword ptr fs:[00000030h]	8_2_018D66B0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA6C7 mov ebx, dword ptr fs:[00000030h]	8_2_018DA6C7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA6C7 mov eax, dword ptr fs:[00000030h]	8_2_018DA6C7
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0191E6F2
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0191E6F2
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0191E6F2
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0191E6F2
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019206F1 mov eax, dword ptr fs:[00000030h]	8_2_019206F1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019206F1 mov eax, dword ptr fs:[00000030h]	8_2_019206F1
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B260B mov eax, dword ptr fs:[00000030h]	8_2_018B260B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B260B mov eax, dword ptr fs:[00000030h]	8_2_018B260B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B260B mov eax, dword ptr fs:[00000030h]	8_2_018B260B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B260B mov eax, dword ptr fs:[00000030h]	8_2_018B260B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B260B mov eax, dword ptr fs:[00000030h]	8_2_018B260B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B260B mov eax, dword ptr fs:[00000030h]	8_2_018B260B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B260B mov eax, dword ptr fs:[00000030h]	8_2_018B260B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E2619 mov eax, dword ptr fs:[00000030h]	8_2_018E2619
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E609 mov eax, dword ptr fs:[00000030h]	8_2_0191E609
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A262C mov eax, dword ptr fs:[00000030h]	8_2_018A262C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BE627 mov eax, dword ptr fs:[00000030h]	8_2_018BE627
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D6620 mov eax, dword ptr fs:[00000030h]	8_2_018D6620
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D8620 mov eax, dword ptr fs:[00000030h]	8_2_018D8620
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018BC640 mov eax, dword ptr fs:[00000030h]	8_2_018BC640
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA660 mov eax, dword ptr fs:[00000030h]	8_2_018DA660
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA660 mov eax, dword ptr fs:[00000030h]	8_2_018DA660
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196866E mov eax, dword ptr fs:[00000030h]	8_2_0196866E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196866E mov eax, dword ptr fs:[00000030h]	8_2_0196866E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D2674 mov eax, dword ptr fs:[00000030h]	8_2_018D2674
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019289B3 mov esi, dword ptr fs:[00000030h]	8_2_019289B3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019289B3 mov eax, dword ptr fs:[00000030h]	8_2_019289B3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019289B3 mov eax, dword ptr fs:[00000030h]	8_2_019289B3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A09AD mov eax, dword ptr fs:[00000030h]	8_2_018A09AD
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A09AD mov eax, dword ptr fs:[00000030h]	8_2_018A09AD
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B29A0 mov eax, dword ptr fs:[00000030h]	8_2_018B29A0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196A9D3 mov eax, dword ptr fs:[00000030h]	8_2_0196A9D3
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019369C0 mov eax, dword ptr fs:[00000030h]	8_2_019369C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA9D0 mov eax, dword ptr fs:[00000030h]	8_2_018AA9D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA9D0 mov eax, dword ptr fs:[00000030h]	8_2_018AA9D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA9D0 mov eax, dword ptr fs:[00000030h]	8_2_018AA9D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA9D0 mov eax, dword ptr fs:[00000030h]	8_2_018AA9D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA9D0 mov eax, dword ptr fs:[00000030h]	8_2_018AA9D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AA9D0 mov eax, dword ptr fs:[00000030h]	8_2_018AA9D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D49D0 mov eax, dword ptr fs:[00000030h]	8_2_018D49D0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192E9E0 mov eax, dword ptr fs:[00000030h]	8_2_0192E9E0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D29F9 mov eax, dword ptr fs:[00000030h]	8_2_018D29F9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D29F9 mov eax, dword ptr fs:[00000030h]	8_2_018D29F9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192C912 mov eax, dword ptr fs:[00000030h]	8_2_0192C912
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01898918 mov eax, dword ptr fs:[00000030h]	8_2_01898918
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01898918 mov eax, dword ptr fs:[00000030h]	8_2_01898918
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E908 mov eax, dword ptr fs:[00000030h]	8_2_0191E908
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191E908 mov eax, dword ptr fs:[00000030h]	8_2_0191E908
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192892A mov eax, dword ptr fs:[00000030h]	8_2_0192892A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0193892B mov eax, dword ptr fs:[00000030h]	8_2_0193892B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01920946 mov eax, dword ptr fs:[00000030h]	8_2_01920946
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974940 mov eax, dword ptr fs:[00000030h]	8_2_01974940
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E096E mov eax, dword ptr fs:[00000030h]	8_2_018E096E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E096E mov edx, dword ptr fs:[00000030h]	8_2_018E096E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018E096E mov eax, dword ptr fs:[00000030h]	8_2_018E096E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01944978 mov eax, dword ptr fs:[00000030h]	8_2_01944978
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01944978 mov eax, dword ptr fs:[00000030h]	8_2_01944978
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C6962 mov eax, dword ptr fs:[00000030h]	8_2_018C6962
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C6962 mov eax, dword ptr fs:[00000030h]	8_2_018C6962
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C6962 mov eax, dword ptr fs:[00000030h]	8_2_018C6962
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192C97C mov eax, dword ptr fs:[00000030h]	8_2_0192C97C
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A0887 mov eax, dword ptr fs:[00000030h]	8_2_018A0887
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192C89D mov eax, dword ptr fs:[00000030h]	8_2_0192C89D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CE8C0 mov eax, dword ptr fs:[00000030h]	8_2_018CE8C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_019708C0 mov eax, dword ptr fs:[00000030h]	8_2_019708C0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196A8E4 mov eax, dword ptr fs:[00000030h]	8_2_0196A8E4
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DC8F9 mov eax, dword ptr fs:[00000030h]	8_2_018DC8F9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DC8F9 mov eax, dword ptr fs:[00000030h]	8_2_018DC8F9
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192C810 mov eax, dword ptr fs:[00000030h]	8_2_0192C810
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194483A mov eax, dword ptr fs:[00000030h]	8_2_0194483A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194483A mov eax, dword ptr fs:[00000030h]	8_2_0194483A
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C2835 mov eax, dword ptr fs:[00000030h]	8_2_018C2835
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C2835 mov eax, dword ptr fs:[00000030h]	8_2_018C2835
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C2835 mov eax, dword ptr fs:[00000030h]	8_2_018C2835
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C2835 mov ecx, dword ptr fs:[00000030h]	8_2_018C2835
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C2835 mov eax, dword ptr fs:[00000030h]	8_2_018C2835
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C2835 mov eax, dword ptr fs:[00000030h]	8_2_018C2835
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DA830 mov eax, dword ptr fs:[00000030h]	8_2_018DA830
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B2840 mov ecx, dword ptr fs:[00000030h]	8_2_018B2840
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A4859 mov eax, dword ptr fs:[00000030h]	8_2_018A4859
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A4859 mov eax, dword ptr fs:[00000030h]	8_2_018A4859
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D0854 mov eax, dword ptr fs:[00000030h]	8_2_018D0854
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192E872 mov eax, dword ptr fs:[00000030h]	8_2_0192E872
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192E872 mov eax, dword ptr fs:[00000030h]	8_2_0192E872
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01936870 mov eax, dword ptr fs:[00000030h]	8_2_01936870
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01936870 mov eax, dword ptr fs:[00000030h]	8_2_01936870
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01954BB0 mov eax, dword ptr fs:[00000030h]	8_2_01954BB0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01954BB0 mov eax, dword ptr fs:[00000030h]	8_2_01954BB0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0BBE mov eax, dword ptr fs:[00000030h]	8_2_018B0BBE
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0BBE mov eax, dword ptr fs:[00000030h]	8_2_018B0BBE
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194EBD0 mov eax, dword ptr fs:[00000030h]	8_2_0194EBD0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C0BCB mov eax, dword ptr fs:[00000030h]	8_2_018C0BCB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C0BCB mov eax, dword ptr fs:[00000030h]	8_2_018C0BCB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C0BCB mov eax, dword ptr fs:[00000030h]	8_2_018C0BCB
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A0BCD mov eax, dword ptr fs:[00000030h]	8_2_018A0BCD
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A0BCD mov eax, dword ptr fs:[00000030h]	8_2_018A0BCD
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A0BCD mov eax, dword ptr fs:[00000030h]	8_2_018A0BCD
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192CBF0 mov eax, dword ptr fs:[00000030h]	8_2_0192CBF0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CEBFC mov eax, dword ptr fs:[00000030h]	8_2_018CEBFC
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A8BF0 mov eax, dword ptr fs:[00000030h]	8_2_018A8BF0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A8BF0 mov eax, dword ptr fs:[00000030h]	8_2_018A8BF0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A8BF0 mov eax, dword ptr fs:[00000030h]	8_2_018A8BF0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191EB1D mov eax, dword ptr fs:[00000030h]	8_2_0191EB1D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191EB1D mov eax, dword ptr fs:[00000030h]	8_2_0191EB1D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191EB1D mov eax, dword ptr fs:[00000030h]	8_2_0191EB1D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191EB1D mov eax, dword ptr fs:[00000030h]	8_2_0191EB1D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191EB1D mov eax, dword ptr fs:[00000030h]	8_2_0191EB1D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191EB1D mov eax, dword ptr fs:[00000030h]	8_2_0191EB1D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191EB1D mov eax, dword ptr fs:[00000030h]	8_2_0191EB1D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191EB1D mov eax, dword ptr fs:[00000030h]	8_2_0191EB1D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0191EB1D mov eax, dword ptr fs:[00000030h]	8_2_0191EB1D
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974B00 mov eax, dword ptr fs:[00000030h]	8_2_01974B00
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CEB20 mov eax, dword ptr fs:[00000030h]	8_2_018CEB20
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CEB20 mov eax, dword ptr fs:[00000030h]	8_2_018CEB20
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01968B28 mov eax, dword ptr fs:[00000030h]	8_2_01968B28
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01968B28 mov eax, dword ptr fs:[00000030h]	8_2_01968B28
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01972B57 mov eax, dword ptr fs:[00000030h]	8_2_01972B57
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01972B57 mov eax, dword ptr fs:[00000030h]	8_2_01972B57
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01972B57 mov eax, dword ptr fs:[00000030h]	8_2_01972B57
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01972B57 mov eax, dword ptr fs:[00000030h]	8_2_01972B57
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0194EB50 mov eax, dword ptr fs:[00000030h]	8_2_0194EB50
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01936B40 mov eax, dword ptr fs:[00000030h]	8_2_01936B40
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01936B40 mov eax, dword ptr fs:[00000030h]	8_2_01936B40
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0196AB40 mov eax, dword ptr fs:[00000030h]	8_2_0196AB40
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01948B42 mov eax, dword ptr fs:[00000030h]	8_2_01948B42
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01898B50 mov eax, dword ptr fs:[00000030h]	8_2_01898B50
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01954B4B mov eax, dword ptr fs:[00000030h]	8_2_01954B4B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01954B4B mov eax, dword ptr fs:[00000030h]	8_2_01954B4B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0189CB7E mov eax, dword ptr fs:[00000030h]	8_2_0189CB7E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80 mov eax, dword ptr fs:[00000030h]	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80 mov eax, dword ptr fs:[00000030h]	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80 mov eax, dword ptr fs:[00000030h]	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80 mov eax, dword ptr fs:[00000030h]	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80 mov eax, dword ptr fs:[00000030h]	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80 mov eax, dword ptr fs:[00000030h]	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80 mov eax, dword ptr fs:[00000030h]	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80 mov eax, dword ptr fs:[00000030h]	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018AEA80 mov eax, dword ptr fs:[00000030h]	8_2_018AEA80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_01974A80 mov eax, dword ptr fs:[00000030h]	8_2_01974A80
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D8A90 mov edx, dword ptr fs:[00000030h]	8_2_018D8A90
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A8AA0 mov eax, dword ptr fs:[00000030h]	8_2_018A8AA0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A8AA0 mov eax, dword ptr fs:[00000030h]	8_2_018A8AA0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018F6AA4 mov eax, dword ptr fs:[00000030h]	8_2_018F6AA4
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018F6ACC mov eax, dword ptr fs:[00000030h]	8_2_018F6ACC
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018F6ACC mov eax, dword ptr fs:[00000030h]	8_2_018F6ACC
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018F6ACC mov eax, dword ptr fs:[00000030h]	8_2_018F6ACC
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A0AD0 mov eax, dword ptr fs:[00000030h]	8_2_018A0AD0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D4AD0 mov eax, dword ptr fs:[00000030h]	8_2_018D4AD0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018D4AD0 mov eax, dword ptr fs:[00000030h]	8_2_018D4AD0
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DAAEE mov eax, dword ptr fs:[00000030h]	8_2_018DAAEE
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DAAEE mov eax, dword ptr fs:[00000030h]	8_2_018DAAEE
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_0192CA11 mov eax, dword ptr fs:[00000030h]	8_2_0192CA11
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018CEA2E mov eax, dword ptr fs:[00000030h]	8_2_018CEA2E
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DCA24 mov eax, dword ptr fs:[00000030h]	8_2_018DCA24
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018DCA38 mov eax, dword ptr fs:[00000030h]	8_2_018DCA38
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C4A35 mov eax, dword ptr fs:[00000030h]	8_2_018C4A35
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018C4A35 mov eax, dword ptr fs:[00000030h]	8_2_018C4A35
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0A5B mov eax, dword ptr fs:[00000030h]	8_2_018B0A5B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018B0A5B mov eax, dword ptr fs:[00000030h]	8_2_018B0A5B
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A6A50 mov eax, dword ptr fs:[00000030h]	8_2_018A6A50
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Code function: 8_2_018A6A50 mov eax, dword ptr fs:[00000030h]	8_2_018A6A50

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe"
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Memory written: C:\Users\user\Desktop\ThBJg59JRC.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Process created: C:\Users\user\Desktop\ThBJg59JRC.exe "C:\Users\user\Desktop\ThBJg59JRC.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Queries volume information: C:\Users\user\Desktop\ThBJg59JRC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ThBJg59JRC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ThBJg59JRC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.2.ThBJg59JRC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ThBJg59JRC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2034296368.00000000014F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.2.ThBJg59JRC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ThBJg59JRC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2034296368.00000000014F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ThBJg59JRC.exe	74%	Virustotal		Browse
ThBJg59JRC.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
ThBJg59JRC.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
15.164.165.52.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.libertyreserve.com/beta/xml/transfer.aspx	ThBJg59JRC.exe	false	high
https://api.libertyreserve.com/beta/xml/history.aspxS	ThBJg59JRC.exe, 00000000.00000002.1515197073.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	false	high
https://sci.libertyreserve.com/	ThBJg59JRC.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ThBJg59JRC.exe, 00000000.00000002.1515197073.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.libertyreserve.com/beta/xml/accountname.aspx	ThBJg59JRC.exe	false	high
https://api.libertyreserve.com/beta/xml/balance.aspx	ThBJg59JRC.exe	false	high
https://api.libertyreserve.com/beta/xml/history.aspx	ThBJg59JRC.exe	false	high
https://api.libertyreserve.com/beta/xml/	ThBJg59JRC.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587884
Start date and time:	2025-01-10 19:08:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ThBJg59JRC.exe renamed because original name is a hash value
Original Sample Name:	7dcf4b6a9f116bacedf79a6551a385cda77c8167f49d8ba32831677566a556f3.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@11/6@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 68 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 52.149.20.212, 52.165.164.15, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	293816234142143228.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	Voicemail_+Transcription+_ATT006151.docx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal	Get hash	malicious	Unknown	Browse	13.107.246.45
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Encrypted_Archive_2025_LHC1W64SMW.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	GcA5z6ZWRK.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Unconfirmed 287374.eml	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	13.107.246.45
	17048156412338914445.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\ThBJg59JRC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.374906625335753
Encrypted:	false
SSDEEP:	48:MWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:MLHxvCsIfA2KRHmOugw1s
MD5:	1153FE9D65B1DE5DAADBAAD06F8375A0
SHA1:	90E7BFF54FF5DE6E3B7491260A733CCD7EDEDA03
SHA-256:	B4843632A9CB79EAB875E3F4A3057D2ABD50F1804870DB8E0248DBE009DB2F8C
SHA-512:	A5A43D897D76773400E096ABA2510CFB631E9AD987B490D8103CAB4E9B89DB3F768708ECAAE108D4D1D59BA0E7718A6A7ED6E19B85CC4E11D0479BAD0887BB62
Malicious:	false
Reputation:	low
Preview:	@...e.................................0.F.......................P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01b0obsr.j1u.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ebetdeg.uiz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vudqcmip.uqb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yupdqurk.fi3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.682668842942692
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ThBJg59JRC.exe
File size:	995'328 bytes
MD5:	66a2ae67ac3e5a8f0df4e0d304eee97f
SHA1:	1b8566d943b92bd4bbb74ff73e5d8d413c5e88a7
SHA256:	7dcf4b6a9f116bacedf79a6551a385cda77c8167f49d8ba32831677566a556f3
SHA512:	1d4cc61b52ad80614d23711f680507f2bef54998a7cafb1079689d23feebeca9cf9ae209f5ee71a3437fae4379099f852db6763a29e5cfd4b72d5291681cca2d
SSDEEP:	24576:CbCu2uO0cA4a7yhDJyAlAt8H1iww5SXjiwYTu2:CbguCAOdJyqAa5ny
TLSH:	F125D0C03B26770EDD7CA934C526ED78A2642E787101B9E3ADDE2B97768C1129D0CF91
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ybg..............0......2........... ... ....@.. ....................................@................................

File Icon


Icon Hash:	674d797961216d59

Static PE Info

General

Entrypoint:	0x4f1b2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6762799A [Wed Dec 18 07:28:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf1ae0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf2000	0x2f48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xefb34	0xefc00	ab5e055717c2a37f42bc8dcd881bcadb	False	0.8725591029066736	data	7.682768227873829	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf2000	0x2f48	0x3000	4214cb030d2b5c1c85117d23b6c8b61c	False	0.94482421875	data	7.7414899465283264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf6000	0xc	0x200	4a0249d4e3a43c2bf3a9b8da4b583648	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xf20e8	0x2bf4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9942232492001422
RT_GROUP_ICON	0xf4cdc	0x14	data	1.05
RT_VERSION	0xf4cf0	0x258	data	0.48833333333333334

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:09:40.583575964 CET	60409	53	192.168.2.9	162.159.36.2
Jan 10, 2025 19:09:40.588455915 CET	53	60409	162.159.36.2	192.168.2.9
Jan 10, 2025 19:09:40.588577986 CET	60409	53	192.168.2.9	162.159.36.2
Jan 10, 2025 19:09:40.593853951 CET	53	60409	162.159.36.2	192.168.2.9
Jan 10, 2025 19:09:41.036890030 CET	60409	53	192.168.2.9	162.159.36.2
Jan 10, 2025 19:09:41.041961908 CET	53	60409	162.159.36.2	192.168.2.9
Jan 10, 2025 19:09:41.042026043 CET	60409	53	192.168.2.9	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:09:40.582387924 CET	53	61203	162.159.36.2	192.168.2.9
Jan 10, 2025 19:09:41.068293095 CET	56277	53	192.168.2.9	1.1.1.1
Jan 10, 2025 19:09:41.076719046 CET	53	56277	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 19:09:41.068293095 CET	192.168.2.9	1.1.1.1	0xa20	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 19:09:00.133342981 CET	1.1.1.1	192.168.2.9	0x7d57	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:09:00.133342981 CET	1.1.1.1	192.168.2.9	0x7d57	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:41.076719046 CET	1.1.1.1	192.168.2.9	0xa20	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	13:09:02
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ThBJg59JRC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ThBJg59JRC.exe"
Imagebase:	0x670000
File size:	995'328 bytes
MD5 hash:	66A2AE67AC3E5A8F0DF4E0D304EEE97F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:09:18
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ThBJg59JRC.exe"
Imagebase:	0x830000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:09:18
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:09:18
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ThBJg59JRC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ThBJg59JRC.exe"
Imagebase:	0x240000
File size:	995'328 bytes
MD5 hash:	66A2AE67AC3E5A8F0DF4E0D304EEE97F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:09:18
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ThBJg59JRC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ThBJg59JRC.exe"
Imagebase:	0xa0000
File size:	995'328 bytes
MD5 hash:	66A2AE67AC3E5A8F0DF4E0D304EEE97F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:09:18
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ThBJg59JRC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ThBJg59JRC.exe"
Imagebase:	0xd70000
File size:	995'328 bytes
MD5 hash:	66A2AE67AC3E5A8F0DF4E0D304EEE97F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2034296368.00000000014F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:09:22
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.7%
Total number of Nodes:	179
Total number of Limit Nodes:	13

Executed Functions

Function 09502CF8 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 09502FE2
ry, xrefs: 09502FCB
ry, xrefs: 09502FC4

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 18dc41f6d7f62923489ed524a4a97513f8d5f0feb16eb2c6e5dbdc0a359f617b
Instruction ID: 5b475546e410de39f92bff97aca946a761e5a609ea2305b0eb6190a4cf5213a7
Opcode Fuzzy Hash: 18dc41f6d7f62923489ed524a4a97513f8d5f0feb16eb2c6e5dbdc0a359f617b
Instruction Fuzzy Hash: E5C13570D0520ADFCB14CFA6D4998AEFBB2FF88340F119559D422AB258C734AA42CF95

Function 09509590 Relevance: 2.7, Strings: 2, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UC;", xrefs: 09509786
TuA, xrefs: 09509708

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: a3d937a0d33d35abaebd18c0c28ee4944a8af76f5a82ff5def240c30f8799dfe
Instruction ID: de18feb069b72e4ccfcc3be9cacee1ac514333e9c700663580082f865c0be912
Opcode Fuzzy Hash: a3d937a0d33d35abaebd18c0c28ee4944a8af76f5a82ff5def240c30f8799dfe
Instruction Fuzzy Hash: 28910871D05209EFCF08CFAAE5A55AEFBB2FF89350F10942AE415A72A9D7309542CF50

Function 0924A91C Relevance: 1.9, Strings: 1, Instructions: 625
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0e , xrefs: 0924BFA7

Memory Dump Source

Source File: 00000000.00000002.1541491366.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9240000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: 0e
API String ID: 0-1932243568
Opcode ID: 4b408b07aeacbcd76b827150db27471f3e4ee2db65632df8ff181bb74ce25fd6
Instruction ID: 0dbfab139e3d50a335bfe391d1d8f8a0e3e5a656406980db939c43de70154cf9
Opcode Fuzzy Hash: 4b408b07aeacbcd76b827150db27471f3e4ee2db65632df8ff181bb74ce25fd6
Instruction Fuzzy Hash: DE326E30E112148FDB68DFB9C8507AEBBF2AF84300F14C56AD44AAB395DA749D45CFA1

Function 09242106 Relevance: 1.8, Strings: 1, Instructions: 561
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 0924210B

Memory Dump Source

Source File: 00000000.00000002.1541491366.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9240000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 226ebff731889325d0cfe73509cf4a0e25750f101baaa4ce4efa8695f2b7fabb
Instruction ID: 3ca3da97feffe94112be7b008c489f106913bda6cbd43bb8072167edd1d381f4
Opcode Fuzzy Hash: 226ebff731889325d0cfe73509cf4a0e25750f101baaa4ce4efa8695f2b7fabb
Instruction Fuzzy Hash: BB52C674A01219DFDB64DF64C898B99B7B2FF88300F1081E9D50AA7365CB35AE81CF91

Function 010E1F57 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

3%b, xrefs: 010E1F84

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: 3%b
API String ID: 0-2451788360
Opcode ID: 2bfbf97cd0d646f4b10753f09fc242f7739f64972727335ee3a387fb42d02e7d
Instruction ID: 379390d7c580b2ee294c5b3c12207b5e9a74a7b3ce817f9843ba82186c75ee61
Opcode Fuzzy Hash: 2bfbf97cd0d646f4b10753f09fc242f7739f64972727335ee3a387fb42d02e7d
Instruction Fuzzy Hash: 83C1BF31604305DFD759EF26CA898A9BBF5FF8131071685AAE492DB262C338DE91CF41

Function 0924BD78 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

0e , xrefs: 0924BFA7

Memory Dump Source

Source File: 00000000.00000002.1541491366.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9240000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: 0e
API String ID: 0-1932243568
Opcode ID: adb563c86b9611f852db334790038a70f31c83e6fdffcaa69f5528dc1bb3d1f3
Instruction ID: 2e9259fd8a500d3c3f7eddbc587d3ae025616e03c345015bc3854e9043fd771d
Opcode Fuzzy Hash: adb563c86b9611f852db334790038a70f31c83e6fdffcaa69f5528dc1bb3d1f3
Instruction Fuzzy Hash: 82C16A31E112558FDF19CFA9C98079DBBF2AF88310F14C1AAE489AB255EB70D985CF50

Function 09500B90 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

z^I, xrefs: 09500D51

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 5becb24a50d6327e9e6fdb799b4c8432f0027dee6788b2db53625fcc1189d59d
Instruction ID: f36149ab2563831b6709d2d2e5cb765e5eda8408ce80fd53982b906d4ee5677d
Opcode Fuzzy Hash: 5becb24a50d6327e9e6fdb799b4c8432f0027dee6788b2db53625fcc1189d59d
Instruction Fuzzy Hash: 5F91D374E012598FDB08CFAAC5946EEFBB2FF89300F24942AD415BB294D7349945CF64

Function 09500B8B Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

z^I, xrefs: 09500D51

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 3418993b522bee6497f405ca33f982c4cebf5529167e5a4f497e8f5252289d53
Instruction ID: c375e6b76a3e520ac7d351d165569d174f250901c44a99d6a8f7fe273d1e6d95
Opcode Fuzzy Hash: 3418993b522bee6497f405ca33f982c4cebf5529167e5a4f497e8f5252289d53
Instruction Fuzzy Hash: 2491C274E012598FDB08CFAAC594ADEFBB2FF89300F24942AD415BB298D7349945CF64

Function 010E0E06 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

rnG|, xrefs: 010E0E15

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: rnG|
API String ID: 0-1152431604
Opcode ID: fc5ce2ea4249916e3616b6e191e8d9fd3d0648e0847b8bee1fcd8abdadbaadb3
Instruction ID: 3bc9a126a65d6b8b4cccb704a72c890284949b60a204f0c995719717de165bf7
Opcode Fuzzy Hash: fc5ce2ea4249916e3616b6e191e8d9fd3d0648e0847b8bee1fcd8abdadbaadb3
Instruction Fuzzy Hash: 3B712330B043458FCB54DF69C9956AEBBF1FF85320B24846EE4C5EB256C6788E01CBA1

Function 09507F6C Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

5=6, xrefs: 0950809E

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: c49cb02c6526870be18fe2bee306ee12aecdbf333c4088771ecd54c3c6cb13e0
Instruction ID: 2ae046c7cde57adf62763eefba8e6846e55591474a4f6aa81505e960aa5e06c3
Opcode Fuzzy Hash: c49cb02c6526870be18fe2bee306ee12aecdbf333c4088771ecd54c3c6cb13e0
Instruction Fuzzy Hash: 0D712674E0521A9FCB48CFA6D8545AEFBF2BFC9340F10A82A9416F7254D734AA01CF65

Function 09501441 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

-2m, xrefs: 09501563

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: 2185d84a682ff334c67cc463ca44f7c14389b6f7c13b3ced554075392de0fe73
Instruction ID: 1932b61816bcf547b5b3c48522dcafe0e41d129ab5c3de100521a7d701c4fa03
Opcode Fuzzy Hash: 2185d84a682ff334c67cc463ca44f7c14389b6f7c13b3ced554075392de0fe73
Instruction Fuzzy Hash: 435148B0E046198FDB08CFAAC5506AEFBF2FFC9341F24906AD419AB294D7349940CF65

Function 010E1AB9 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133543634afa7e3cbd0605ecd2091d38ba8941f0911f6c00c142faff7f4c30c8
Instruction ID: 3afc25f928fa3e275927183568b9a00fc45b2209923211ad4666ef185fd379fd
Opcode Fuzzy Hash: 133543634afa7e3cbd0605ecd2091d38ba8941f0911f6c00c142faff7f4c30c8
Instruction Fuzzy Hash: C2C1C031604305DFD359DF26C9898A9BBF5FF8132071685AAE492DB262C338EE91CF41

Function 010E1BDE Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005c60e0239e0032232c9c6ed14b45e01844fa5fa519b78f786332da71b3abeb
Instruction ID: 76fa9554eff4461b5f6e2c7e07a98fdcb372a6503e4c80a13228504c98f56697
Opcode Fuzzy Hash: 005c60e0239e0032232c9c6ed14b45e01844fa5fa519b78f786332da71b3abeb
Instruction Fuzzy Hash: 73C1AD31604305DFD759DF26C9898AABBF5FB8131071685AAE492DB262C338DE91CF41

Function 010E20B1 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8127c01f61f57a15a245e8c92e8d762692e95bd76d13434a29d32a9ab6da2771
Instruction ID: 66527ab643cf1d8d5fbde6127821d632f58263c631c3b34afd768dc1171f9ac5
Opcode Fuzzy Hash: 8127c01f61f57a15a245e8c92e8d762692e95bd76d13434a29d32a9ab6da2771
Instruction Fuzzy Hash: A6C1BF31604305DFD759DF26C9898AABBF5FB8131071685AAE4D2DB262C338DE91CF41

Function 010E1F02 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6d306ea53246889b9be88526261deec795e9b27d4105802b3e74c6b1024e11
Instruction ID: 86975655f32c89cc47c73b80b95b60df9dbaa5c714ab0bb2ec825a0a04117c08
Opcode Fuzzy Hash: 6e6d306ea53246889b9be88526261deec795e9b27d4105802b3e74c6b1024e11
Instruction Fuzzy Hash: C9C1AE31604305DFD359DF26C9898AABBF5FB8131071685AAE4D2DB262C338DE91CF41

Function 010E1D15 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c607de674367e3151f6371a67cef1f75db821c6115361250c78f8012b8bc4a31
Instruction ID: 8a3d5056c4b8cbd8e4f687927b30b3c2849210ba62210d56c24b658a4d9f7daf
Opcode Fuzzy Hash: c607de674367e3151f6371a67cef1f75db821c6115361250c78f8012b8bc4a31
Instruction Fuzzy Hash: EAC1BF31604305DFD359EF25CA998AABBF5FB8131071685AAE4D2DB262C338DE91CF41

Function 010E2118 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b27a1d5f14a096defb96bca4fb016ff72d0c562ac7b13c1f8be9d3b67ed04a
Instruction ID: 4134044493784b0911cc0dca4dc6ca9daf0ae60312ba0898c0c8f2257716cb67
Opcode Fuzzy Hash: d6b27a1d5f14a096defb96bca4fb016ff72d0c562ac7b13c1f8be9d3b67ed04a
Instruction Fuzzy Hash: E7C1AE31604305DFD359EF26C9898AABBF5FB8131071685AAE4D2DB262C338DE91CF41

Function 010E1E09 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5d9aa0b0005335d596cef29fbf4c291f64ed93c2c5c65f28589839931fb6d1
Instruction ID: b3ddf01450fa9571f491794ea81b8396b9903682badccb949cbeff60d4e0b3f0
Opcode Fuzzy Hash: ef5d9aa0b0005335d596cef29fbf4c291f64ed93c2c5c65f28589839931fb6d1
Instruction Fuzzy Hash: 57C1AE31604305DFD359EF26C9898AABBF5FB8131171685AAE4D2DB262C338DE91CF41

Function 010E207C Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c6cc814589c9fcb4df3f8d2796d618b53cb9d19f8c81b81fa499273ff57d29
Instruction ID: 34526c35245092dba340f0bb2da4e786d6f169249eff735d04ec4b09bf21414c
Opcode Fuzzy Hash: 40c6cc814589c9fcb4df3f8d2796d618b53cb9d19f8c81b81fa499273ff57d29
Instruction Fuzzy Hash: CEC1BF31604305DFD759EF25C9898AABBF5FB8131071685AAE4D2DB262C338DE91CF41

Function 010E2328 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906e2353eda7a10bdc061095c51894f63faf0611ec72926c77541316b3f5c8f0
Instruction ID: d5eea5356d6f7d97766104e86b84c5e216f596544ed7562516db5983c55aaf15
Opcode Fuzzy Hash: 906e2353eda7a10bdc061095c51894f63faf0611ec72926c77541316b3f5c8f0
Instruction Fuzzy Hash: 5BB13672604205CFD348DF2ACA8949A77FAFB85310706C5A7E896DB261C734EE41CF91

Function 010E0860 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483b7c79197862ef878694eccb50237e162f025b143de8ff3e74173a10298433
Instruction ID: 0c1a419571bf6eeb9eb443f47d1749ec88afacb05c7bff021e12505e1a8a7bbb
Opcode Fuzzy Hash: 483b7c79197862ef878694eccb50237e162f025b143de8ff3e74173a10298433
Instruction Fuzzy Hash: 76911131B043058FCB54DF69C9956AEBBF2FF84310F14842EE486EB255D6B88E51CB91

Function 09508D11 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911810a2d89d24aab014aee1c5c4086fb2d488dc4234908c5da995e88b0408d9
Instruction ID: 7bb7f84a7fe03681506cf7addfe8ef798e7058f043e7f57e574b8a241a3bf4e1
Opcode Fuzzy Hash: 911810a2d89d24aab014aee1c5c4086fb2d488dc4234908c5da995e88b0408d9
Instruction Fuzzy Hash: F5A14C74E042598FDB14CF69C590AAEFBB2FF89301F2481A9D418A7256D7319E41CF61

Function 010E0E58 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09091dfdb22acdfe03d237dac3ccf75eb079adcac9d536a84ed5131c5615b7af
Instruction ID: d1c067d5f99d7957274510d081e16001dd9cb8be00ab532f235dab1aface137c
Opcode Fuzzy Hash: 09091dfdb22acdfe03d237dac3ccf75eb079adcac9d536a84ed5131c5615b7af
Instruction Fuzzy Hash: B8512370B042158FCB54DF69C8956AEBBF1FF84320B20842EE485EB255D6788E11CB91

Function 010E0EE8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe433c378be9440cf70c91d6f2ecf74d114f30bb1c44edf7d918e3048f48162d
Instruction ID: 927be1411dbf15e20ba28d5941c76d4b4433ebb106e376f3155fa8330b3109e4
Opcode Fuzzy Hash: fe433c378be9440cf70c91d6f2ecf74d114f30bb1c44edf7d918e3048f48162d
Instruction Fuzzy Hash: D9419371B101198FDB44CFAAC8956BEBBF6FBC8610F10801AF546EB354CAB49D05CBA1

Function 010EA41A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa6f62ea84193bdffc6e9f26f8e860cc6623a655318874b30fcc5f3a7e6f60b
Instruction ID: 2ec3b7fcf1cecc23ff4e22a8c35e4f4d3678cbafad5d5992f9f8ca51a8d16fa9
Opcode Fuzzy Hash: 4fa6f62ea84193bdffc6e9f26f8e860cc6623a655318874b30fcc5f3a7e6f60b
Instruction Fuzzy Hash: D821F7B17042158FDB589BB9585936F6BDB9BC9250B04C43F9047CB795CF78CD0143A1

Function 010E76A8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cdebbd6e390635097c934cfda8f54489dfa7eedc343f3fb35b49770568db1e
Instruction ID: 06b5df121e9eeee394f1a4b8f4b7b98f271f4f2a2a9898321159281793ac4b5f
Opcode Fuzzy Hash: e3cdebbd6e390635097c934cfda8f54489dfa7eedc343f3fb35b49770568db1e
Instruction Fuzzy Hash: EE21F2B17042198BDB58ABBA585937F6ACB9BC8640B00C83EA047CB795CF79CC0243A1

Function 09501E78 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb1392ed21c441451b585ee2779ac4395159bf7f7ed7746240dd7af7c8683f0
Instruction ID: 8e2f05c373d956c40aa5b6d398a2f254bb07d4b3a0db6c6fed2198958cbcc2a0
Opcode Fuzzy Hash: 9cb1392ed21c441451b585ee2779ac4395159bf7f7ed7746240dd7af7c8683f0
Instruction Fuzzy Hash: ED314571E006588FDB18CFA7D8442DEBBB2BFC9300F14C0AAD409AA268DB341945CF51

Function 09DA5636 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f1a3f05c3ebc30532220b9180a27c1ec9fc05d45a8b156e3e89859f27c3e48
Instruction ID: d0cebbd38a6cda3a6b69939369799af028ad425e24a45ed7798b6d601f32fe4e
Opcode Fuzzy Hash: 53f1a3f05c3ebc30532220b9180a27c1ec9fc05d45a8b156e3e89859f27c3e48
Instruction Fuzzy Hash: 9921CC71E456688BEB28CF67980479EFAF3AFCA300F18C1A9D44C66265DB710985CF41

Function 0950E5E8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03c52766469a58e823c4e3b85c896b7ca5805d8f5edf3e15b4abc908f611b99
Instruction ID: 57643c64445d3693e9e5adc115f695a24d69f5dae3556c1d4811c94cb27d763c
Opcode Fuzzy Hash: d03c52766469a58e823c4e3b85c896b7ca5805d8f5edf3e15b4abc908f611b99
Instruction Fuzzy Hash: AC21F7B1D046188BEB18CFA7D8597EEFAF6BFC9340F14C46AD409A6294DB740949CF90

Function 09DA4034 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09DA4276

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 38729d051fb993e6d9f2ca2354f43ce26e62d9cff1687c4ea67066abeb733106
Instruction ID: 2cb1f333cbb93622e9ee14b035c71410e4a5e589ae8b94a3f53ca8a0be978a7d
Opcode Fuzzy Hash: 38729d051fb993e6d9f2ca2354f43ce26e62d9cff1687c4ea67066abeb733106
Instruction Fuzzy Hash: 09A16971D00319CFEB14CFA9C841BAEBBF2BF58310F148169E858A7290DBB49995CF91

Function 09DA4040 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09DA4276

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 45f97034c7af80b4b49fdd59c22bd11333b7fad379db7897316a07b23605837e
Instruction ID: 56f15681f11df3fe042b455776cf1134bcc9f939fc6c98b5e775521a74904e8d
Opcode Fuzzy Hash: 45f97034c7af80b4b49fdd59c22bd11333b7fad379db7897316a07b23605837e
Instruction Fuzzy Hash: 79915971D00319CFEB14CFA8C840BEEBBF2BB48310F148169E818A7290DBB49995CF91

Function 010E8D95 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010E8E51

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: aaba84c15bd3e9042c2072439eddfa4ad9fa1040e8e19bf706e9a72d1664ae36
Instruction ID: 843b326531fd98c0e20dcf0cb84e602b8eba8fee83244798d94cf5abd4923980
Opcode Fuzzy Hash: aaba84c15bd3e9042c2072439eddfa4ad9fa1040e8e19bf706e9a72d1664ae36
Instruction Fuzzy Hash: 5C510FB1C00618CFEB24CFAAC8487DEBBF5BF49314F20806AD458AB251D7756986CF91

Function 010E78F8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010E8E51

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 338551c5d5187471a0f76c1d92abe7b64a5b29e51d5b8657d8310e998232ef4e
Instruction ID: 158e2cea56e227b70b0a82698a57fed41bde1e4280f04afd7f8efe8e66134380
Opcode Fuzzy Hash: 338551c5d5187471a0f76c1d92abe7b64a5b29e51d5b8657d8310e998232ef4e
Instruction Fuzzy Hash: D741B0B0D04718CFEB24DFAAC848B9EBBF5BF49304F20806AD458AB251D7756945CF91

Function 0924C6B0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1541491366.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9240000_ThBJg59JRC.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 90aa7f5e89eea00572f79efd38530601c0a35ec51ab2f621be694bd3532a0ec0
Instruction ID: 3cc1fbe171c6d618f70bbe0012a0cdf77380d86d8e555dc0297330c76380303d
Opcode Fuzzy Hash: 90aa7f5e89eea00572f79efd38530601c0a35ec51ab2f621be694bd3532a0ec0
Instruction Fuzzy Hash: 5F317C729053499FCB11CFA9C844AEABFF8EF49310F14806AE594A7261C3359955CFA1

Function 0924B9B1 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0924BA4F

Memory Dump Source

Source File: 00000000.00000002.1541491366.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9240000_ThBJg59JRC.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 679609ce163dfecf660caed8c88a6de9e2b8352419ae9ad8b51440f90a980589
Instruction ID: d3fa9a5a044475ed545d687db78748630de886c77b31bc97efbae3c29a2b6057
Opcode Fuzzy Hash: 679609ce163dfecf660caed8c88a6de9e2b8352419ae9ad8b51440f90a980589
Instruction Fuzzy Hash: 9631DFB5D002099FDB14CF9AD884AEEBBF4FB48310F24842AE859A7210D375A945CFA0

Function 0924B9B8 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0924BA4F

Memory Dump Source

Source File: 00000000.00000002.1541491366.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9240000_ThBJg59JRC.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b7a51228b7fa540c12ba747d89c4b20e0ccdef1d8258668f328d9667ba5b9282
Instruction ID: d3620132a352d119b75f1ae77720dc8e831e5445009f13acc61fd9cb2e606758
Opcode Fuzzy Hash: b7a51228b7fa540c12ba747d89c4b20e0ccdef1d8258668f328d9667ba5b9282
Instruction Fuzzy Hash: 9C21CEB5D002099FDB14CF9AD884AAEFBF5FB48320F14842AE819A7310D775A945CFA0

Function 09DA3DB8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09DA3E48

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 96800da9bfa40518921b717a4ed4814aaf301c0e59c831193135d38e23078e5d
Instruction ID: c2c4c9a3f8c26059ec65bafd7d968b1f4764becdc17ed45a7a1c198f856ff732
Opcode Fuzzy Hash: 96800da9bfa40518921b717a4ed4814aaf301c0e59c831193135d38e23078e5d
Instruction Fuzzy Hash: 2A2125B59003099FDF10CFAAC885BEEBBF5FF48310F10852AE958A7241C7799955CBA4

Function 09DA3EA0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09DA3F28

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6414e17a625589c2254afd55b9db74ead8d8c2b7371c2a08603814f44d63203d
Instruction ID: e1b971b44516683dcec64e665dae52ace7721814f9f45cede6e9f4a687d4947e
Opcode Fuzzy Hash: 6414e17a625589c2254afd55b9db74ead8d8c2b7371c2a08603814f44d63203d
Instruction Fuzzy Hash: 9B2125B19003499FDF14CFAAD885BEEBBF1FF88310F10882AE558A7250C7789551CBA0

Function 09DA3C18 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09DA3C9E

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3cb3e591ea62629f9064f8483d0bf61cd55b202b9eec3f5abf13bd8214d99734
Instruction ID: f945a58d29958ceec1addafbd2f77acf92c00fd1716695fa71c0a858cdad6b88
Opcode Fuzzy Hash: 3cb3e591ea62629f9064f8483d0bf61cd55b202b9eec3f5abf13bd8214d99734
Instruction Fuzzy Hash: 7E2125B19003098FDB14DFAAC4857EEFBF1EF48314F14842AD459A7241C7789985CBA4

Function 09DA3C20 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09DA3C9E

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c855667565daa58e09797bab5848880c97330ffa8a949a09a0e91311f22c721a
Instruction ID: 016daf34248f1fa7464dbf855269da1ccb8a2582ca5ab28c4a369634b60ceff5
Opcode Fuzzy Hash: c855667565daa58e09797bab5848880c97330ffa8a949a09a0e91311f22c721a
Instruction Fuzzy Hash: 042135B19003089FDB10CFAAC8857EEFBF5EF48314F54842AD859A7241CB789945CFA4

Function 09DA3EA8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09DA3F28

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e76e73f61ef2ab970e45d27a4b2b9e5bb537f4448defe9a3f12ce37cbfee3274
Instruction ID: b35541db8180095b6c0745304cb985e34603fad81aade287d54958b04ea273c4
Opcode Fuzzy Hash: e76e73f61ef2ab970e45d27a4b2b9e5bb537f4448defe9a3f12ce37cbfee3274
Instruction Fuzzy Hash: 6A2100B18003499FDF10CFAAC884BEEBBF5FF48310F50842AE958A7240C7799955CBA4

Function 09DA3CF0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09DA3D66

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9a195038d2d157fd168a96090bdb9a0568508feddf1bed4b5063f812359da2a5
Instruction ID: c1fc6e9dad73eb9d70bd46d8eb038522f5b4c9910351be62f9cbafb015f80172
Opcode Fuzzy Hash: 9a195038d2d157fd168a96090bdb9a0568508feddf1bed4b5063f812359da2a5
Instruction Fuzzy Hash: EB2144718002489FDF10DFA9C844BEEBBF5EF48310F14882AE555A7250C7759550CBA0

Function 0924A964 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0924C6CA,?,?,?,?,?), ref: 0924C76F

Memory Dump Source

Source File: 00000000.00000002.1541491366.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9240000_ThBJg59JRC.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 522fd0cfb0ae5a8697768c64373062b09064bc3ca925eb62a3b11db5201d4e5d
Instruction ID: c2f147a5116a859d03f195b73e3730c2f216f7a373e5b35f3563476409b84e60
Opcode Fuzzy Hash: 522fd0cfb0ae5a8697768c64373062b09064bc3ca925eb62a3b11db5201d4e5d
Instruction Fuzzy Hash: B81137B580034D9FDB10CFAAC844BEEBFF8EB48320F14841AE958A7251D375A954CFA4

Function 09507B88 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 09507C03

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ab3ba4de52c6736ba079d7d18dd5f1df9ba2e47781afd5ba8570053c2c5bb608
Instruction ID: 96593973c9e2a71b1d1ff3dff351ad996ce0930167b191552fdc1be4ba5999d5
Opcode Fuzzy Hash: ab3ba4de52c6736ba079d7d18dd5f1df9ba2e47781afd5ba8570053c2c5bb608
Instruction Fuzzy Hash: 6E2106B59002499FDB10CF9AD884BEEBBF4FB49310F14842AE858A7251D375A545CFA1

Function 09507B90 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 09507C03

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 82d87dcc25d80545e00cb8ca9e2711e581d775525ece8761d4c42d2580d516d4
Instruction ID: b741022b17557163bf1bb2ed20b4b6b94852c304969bc91457719b197208865a
Opcode Fuzzy Hash: 82d87dcc25d80545e00cb8ca9e2711e581d775525ece8761d4c42d2580d516d4
Instruction Fuzzy Hash: 6B21E4B59007499FDB10CF9AD884BDEFBF4FB48320F108429E958A7251D379A544CFA5

Function 09DA3B68 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09DA3BD2

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7a4e738fda72c5af61a1f943696709e28c33e81d08c97195b6b487a8a60af28f
Instruction ID: 6c022fd7a7b967384d93ee893f236a5e4b3faeeea24669f9af2a0806373435c3
Opcode Fuzzy Hash: 7a4e738fda72c5af61a1f943696709e28c33e81d08c97195b6b487a8a60af28f
Instruction Fuzzy Hash: 271176B1D043488FDB10DFAAC4447EEFBF5EF49324F248869D459A7240CB79A940CBA0

Function 09DA3CF8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09DA3D66

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 74182c22100ae1f3a24b4e17b773e89d8d6822b6c0d442ba3b9476e479780109
Instruction ID: fd17a47423c824a614e9fd8d9b24cbbae67ff4ba818331c375d7e14d02d4d9df
Opcode Fuzzy Hash: 74182c22100ae1f3a24b4e17b773e89d8d6822b6c0d442ba3b9476e479780109
Instruction Fuzzy Hash: 021123758003489FDF10DFAAC844BEEBBF5EF48320F14882AE959A7250C775A955CBA0

Function 09DA3B70 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09DA3BD2

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f677b33b31ef087e2774bbb773f24a33ad7ff36ba231ff7809636f2fce454373
Instruction ID: fe6181a6db67cad31b73ed02b412bd08ae298aa744d6ca0c21d5b8829728481b
Opcode Fuzzy Hash: f677b33b31ef087e2774bbb773f24a33ad7ff36ba231ff7809636f2fce454373
Instruction Fuzzy Hash: A81136B19043488FDB10DFAAC4457EEFBF5EB88324F24842AD559A7240CB79A945CBA4

Function 09DA09B8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09DA6ACD

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8a20033d318ee7d8aac163b1d37cc72006f19e16772c47068311c37fc7bff4ae
Instruction ID: 55a6794039416a0aff9eec89133e4f896c9c1579650768cec5fe7505c337d344
Opcode Fuzzy Hash: 8a20033d318ee7d8aac163b1d37cc72006f19e16772c47068311c37fc7bff4ae
Instruction Fuzzy Hash: 3B11F2B5800348DFDB10DF9AD484BEEBBF8EB48314F14841AE958A7600C375A954CFA5

Function 09DA6A6A Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09DA6ACD

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f3a31e130274568d67c03d631d31c401888bcfb077315d389402a2f19a9ee30a
Instruction ID: a28e7a346e3ce4b69af22a97d9510184c5bbd3b704a485e61e0a77d83f241887
Opcode Fuzzy Hash: f3a31e130274568d67c03d631d31c401888bcfb077315d389402a2f19a9ee30a
Instruction Fuzzy Hash: 0211F2B5800348DFDB10CF9AC884BEEBBF8EB48324F248459E958A7210C375A944CFA1

Function 010EE580 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010EE5E6

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d19737b0601a72d4953a95623a09384b5d49563d18067e66d2063932054cc656
Instruction ID: 4c31bb928f7c63c807a3e12e001ce14bf5b661a09c2ea2822d1a8578af85782c
Opcode Fuzzy Hash: d19737b0601a72d4953a95623a09384b5d49563d18067e66d2063932054cc656
Instruction Fuzzy Hash: 8E110FB6C006498FDB10CF9AC448BDEFBF4AB88210F10842AD858A7210D375A545CFA1

Function 00D4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514108997.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfae9ffef876fbefe153f46e05a84b73e65854dfa51e391e9480521a5c01c246
Instruction ID: ec44700e75c0c1824ea729122d179dfb94cdfe41dfbfac1f6f3a0e1e24887e4e
Opcode Fuzzy Hash: bfae9ffef876fbefe153f46e05a84b73e65854dfa51e391e9480521a5c01c246
Instruction Fuzzy Hash: 952122B2604240DFDB05DF10D9C0B2ABF66FB88318F24C569E8490B256C736D856CBB2

Function 0105D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514545871.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66aaf1c20275016a4d29374f54c340e238c548739eea80e8126723257333d8a9
Instruction ID: 174203bb1513d14ce1e148687b1b1b185ab0c5e60a0690855321ba096cebf3e0
Opcode Fuzzy Hash: 66aaf1c20275016a4d29374f54c340e238c548739eea80e8126723257333d8a9
Instruction Fuzzy Hash: 08210471504300EFDB85DF94D9C0B2ABBA5FB98324F20C5AEEC894B252C776D456CB62

Function 0105D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514545871.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0babb0c5d6a2bdba03f413aec472cecd9ef142f76dd596c7eca0079efc0fa08c
Instruction ID: 022153f7c2852534ce2f65356b0f9ad71a43b6490fc0416661282a8a16b6e52d
Opcode Fuzzy Hash: 0babb0c5d6a2bdba03f413aec472cecd9ef142f76dd596c7eca0079efc0fa08c
Instruction Fuzzy Hash: 0E210371504300DFDB95DF94D480B1BBBA5EB84314F20C5AEEC894B252C336D457CB62

Function 0105D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514545871.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86adaaf8a0f1cda84f0be6a630afa94b270455544599f5dad108e773d0ac7d82
Instruction ID: 18d497ec8dd53e4f2e2fb340c2791e78f81f3c15351457b3fd0f16eaa8dfd68a
Opcode Fuzzy Hash: 86adaaf8a0f1cda84f0be6a630afa94b270455544599f5dad108e773d0ac7d82
Instruction Fuzzy Hash: 9B21C2755083808FCB42CF24C990715BFB1EB45214F28C5EBD8898B2A3C33AD40ACB62

Function 00D4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514108997.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: b3f7dd750fe66230dbbc9048b98570b85e3d7755b925b99834f8ab5cb2151edf
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: 9011E676504280CFCF15CF10D5C4B16BF72FB94318F28C6A9D8494B656C336D85ACBA1

Function 0105D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514545871.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction ID: ad264ded40702905aefba721023953b58bf638dc99f2cb052e8af0ace1280b40
Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction Fuzzy Hash: 1111BB75504280DFCB82CF54C5C4B16BBA1FB84324F24C6AEDC894B696C33AD44ACB61

Function 00D4D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514108997.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b023d345a57cac1e3c1793c8b93b8be338d60b5e2922c8cfae6268b4e4bb07b
Instruction ID: b9043b916a2d7b4fe2ea8dfb0227d92992e44240194514777d46c5e3214bba86
Opcode Fuzzy Hash: 6b023d345a57cac1e3c1793c8b93b8be338d60b5e2922c8cfae6268b4e4bb07b
Instruction Fuzzy Hash: 0901D6711083409BEB249F65CD88B66FB99DF41324F18C56AED4A0A282D679DC40CAB2

Function 00D4D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514108997.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8d12b07776fc635922ae280577d7f0e8b346c0ffd6c7d2079386fdc5515018
Instruction ID: 9bc2944a2934ed902c25cc9cb1768b0ac75139d967eed6cf71029f535f42516a
Opcode Fuzzy Hash: 8b8d12b07776fc635922ae280577d7f0e8b346c0ffd6c7d2079386fdc5515018
Instruction Fuzzy Hash: 71F06D72408344AFEB148E16D888B66FB98EB91734F18C55AED494A286C2799C44CAB1

Non-executed Functions

Function 095018E3 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

98R, xrefs: 09501A43
be!, xrefs: 095019C1

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: 98R$be!
API String ID: 0-3768323770
Opcode ID: 2afa3158429ad097d5ab86efa5f4b17079e18596acefa131f6a3b5bd90b97d45
Instruction ID: 0b2cef93803fbce472db4c889c6bf6dc6a720732fd24740bafa0efd50a91360a
Opcode Fuzzy Hash: 2afa3158429ad097d5ab86efa5f4b17079e18596acefa131f6a3b5bd90b97d45
Instruction Fuzzy Hash: 467125B4E0460ADFCB08CF9AD4919AEFBB1FB89350F14892AD415EB354D3349A42CF95

Function 0950A440 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

{#L, xrefs: 0950A620

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: c65259fa09d5da94c06a290d65e6aa7b59e121ba8eaa65c6f9528042399e688b
Instruction ID: e564c8c48e4935935ebf4b7bb16a28bee63a131d391a78816f320a6c6271946f
Opcode Fuzzy Hash: c65259fa09d5da94c06a290d65e6aa7b59e121ba8eaa65c6f9528042399e688b
Instruction Fuzzy Hash: 51D11274E05659CFCB18CFAAD98459EFBF2BF88350F14D52AD419EB268DB3099028F11

Function 09DA20A8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

$Z", xrefs: 09DA2273

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: $Z"
API String ID: 0-2974921367
Opcode ID: 99b859a269e4abb2128f691641fbf4dff00149940d57017f1405801ec5cb7edb
Instruction ID: 3c06f87c6542998c811a9f9dc00e657dde8a082a888763d4f806cf6a01baacf6
Opcode Fuzzy Hash: 99b859a269e4abb2128f691641fbf4dff00149940d57017f1405801ec5cb7edb
Instruction Fuzzy Hash: 0EE1E774E402198FDB14CFA9C580AAEBBF2FF89305F248269D554AB356D730AD41CFA0

Function 09DA1C70 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

`X", xrefs: 09DA1E3E

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: `X"
API String ID: 0-2795743635
Opcode ID: 5072df7d7976588b05ba2932a7647f0f1918131eb4d7251bda7c1373445ec0ee
Instruction ID: a03c589cf7ed1c7b6b597a103a16f30495fd08f5b25390eec59376b76fe0446c
Opcode Fuzzy Hash: 5072df7d7976588b05ba2932a7647f0f1918131eb4d7251bda7c1373445ec0ee
Instruction Fuzzy Hash: E8E1F574E042198FDB14CFA9C580AAEBBF2FF89305F248269D454AB356D731AD41CFA0

Function 010E33B8 Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

J@,u, xrefs: 010E34A3

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: J@,u
API String ID: 0-3156804760
Opcode ID: a9bf582d155d2c68bbb6eb0ebcac022fff67f829751b3e4cf4d63e6a2a740fc4
Instruction ID: 46fc720eca8d52817e63161792676d06c2ab91333969a6f1a9edfe2b056f2392
Opcode Fuzzy Hash: a9bf582d155d2c68bbb6eb0ebcac022fff67f829751b3e4cf4d63e6a2a740fc4
Instruction Fuzzy Hash: 54515A727083559FCB028F6AD9445AFBFF5BB82310B1985A7E085EF252C638EE118791

Function 09508568 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 0950867E

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 84982b436a0807b7a41b2c5925941c3fa7de0493351c4b4d1d11a0bcfae5d1a9
Instruction ID: 9363fb72c76bd488f4a1427bf0dfc41f8ffd0ac3555a821232e8df9849ebb1e5
Opcode Fuzzy Hash: 84982b436a0807b7a41b2c5925941c3fa7de0493351c4b4d1d11a0bcfae5d1a9
Instruction Fuzzy Hash: CA5102B4E052199FCB18CFAAD944AEEFBF2BB98340F10942AE505F7254E7349941CF54

Function 09508960 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 09508A95

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 92cc5f4a18a174d6f99600cba8803c34e999ef20804907dc3ec735b8778eb10c
Instruction ID: 036560e08e67e4bd94a12c8052c4be03aaeffcd44db293414640ea765d4e807f
Opcode Fuzzy Hash: 92cc5f4a18a174d6f99600cba8803c34e999ef20804907dc3ec735b8778eb10c
Instruction Fuzzy Hash: 0D4127B0D05619DFCF04CFAAC940AEEFBB1BB89341F18982AC615B7294D3394642CF59

Function 09508950 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

w7e^, xrefs: 09508A95

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 6f7fdb8a672faa2d2b1d0c79aad78d0e8c7d102ff550c982022db14ba65fa059
Instruction ID: e143d201b048590bdb5d92c0cffd6ba57428a53049981b47f42ba7cb17882302
Opcode Fuzzy Hash: 6f7fdb8a672faa2d2b1d0c79aad78d0e8c7d102ff550c982022db14ba65fa059
Instruction Fuzzy Hash: 8F411670D05619DFCF04CFAAC940AEEFBB2BB89341F18982AC615B7294D3394642CF59

Function 09505458 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0ni, xrefs: 095055C3

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: bec1e819bd7547ef4e0bfb9ebc3ec3b05c35f9daba12c798186a4d1f6fe05878
Instruction ID: 0fc7840986a1937640649e7b4c720d5677b1e41449ad5a45ee01a2a7ebe8c533
Opcode Fuzzy Hash: bec1e819bd7547ef4e0bfb9ebc3ec3b05c35f9daba12c798186a4d1f6fe05878
Instruction Fuzzy Hash: 5E515871E016188BEB68DF6B8D4479AFBF7BFC9301F14C1BA950CA6254EB301A858F51

Function 09505454 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

0ni, xrefs: 095055C3

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: db028e35fc3a9a82ca58bf30a261dbc693079974f6ac65deed3212436b3a8abd
Instruction ID: bbbf25760b5d488c8d06546b570365816ecbf3ced05535d8470eba18526c40d7
Opcode Fuzzy Hash: db028e35fc3a9a82ca58bf30a261dbc693079974f6ac65deed3212436b3a8abd
Instruction Fuzzy Hash: 4F412A71E016588BEB58DF6B8D4479AFBF3BFC9300F14C1BA950CA6264EB301A858F51

Function 09DA86C0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2046efe51e084ab85aa9be9a71ccf0705a44b75dc2212f1f2847f578f069147
Instruction ID: 49be7c032b14caa873415aaa77bba1a7eba1af8ad0bab4c042f7695ad149e5c7
Opcode Fuzzy Hash: e2046efe51e084ab85aa9be9a71ccf0705a44b75dc2212f1f2847f578f069147
Instruction Fuzzy Hash: 26D1BA70B412018FDB19DFB6C460BAEB7F6AF89700F148469D58ADBA90DF35D801DBA1

Function 09DA1838 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbbf8c41565bf04380132d9ecc4095282d63afc2415ac3a749cf9db97f867a4
Instruction ID: bd099ebe35dc394ec704270d861be3218764e8af0bd4bc8d7f5b239004e9c232
Opcode Fuzzy Hash: bcbbf8c41565bf04380132d9ecc4095282d63afc2415ac3a749cf9db97f867a4
Instruction Fuzzy Hash: F3E1D374E442198FDB14CFA9C584AAEFBF2FB89305F248269D454AB356D730AD41CFA0

Function 09509E88 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d978ad8939274d5049435326d6171ccf5c6e984f4de8d0b7a4197514ba1835
Instruction ID: 483860edf0b390708d7cb6adaeebdfc12a54154c74b8b660f08e3e36d2705b01
Opcode Fuzzy Hash: b2d978ad8939274d5049435326d6171ccf5c6e984f4de8d0b7a4197514ba1835
Instruction Fuzzy Hash: 63C11671D05609DFDB18CFA6D59069EFBB2BF89300F20D42AE419EB259D7349A06CF10

Function 09242FC0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1541491366.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9240000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d27c69b11b7eab8e8ae3ad5c5b6d0e012598247b09bdbd17fe306b77094ab60
Instruction ID: 62e2dc79176900d0a15b36c0a8a13310e99ff2b3f64bfe2acae69a22e93c04f3
Opcode Fuzzy Hash: 9d27c69b11b7eab8e8ae3ad5c5b6d0e012598247b09bdbd17fe306b77094ab60
Instruction Fuzzy Hash: 8981F931A10212DFDB1DCF69C780AABBBB2BF85300B16C569D8599B755C732EC41C7A1

Function 010E3610 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3920c84ba7f7a9bffc3a2139e8346028e18b6c19a76b12aef86e079d28ecce45
Instruction ID: fd729c497165ba07b5cc3488e2ffc8063c794c68a5b731813835aff86093f3c7
Opcode Fuzzy Hash: 3920c84ba7f7a9bffc3a2139e8346028e18b6c19a76b12aef86e079d28ecce45
Instruction Fuzzy Hash: F471C375F0421ACFCB44DFAAC9855AEBFF2BB89310B158527D455EB362C274CA018B91

Function 09503BD8 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46963262a52aed3a07683ed0a49364b7632e68ba6e9f623632d02f012ac592ca
Instruction ID: f519f2d2fc63a7e99357201a88342cc430e56fc76aaea789d6609d442e5733b5
Opcode Fuzzy Hash: 46963262a52aed3a07683ed0a49364b7632e68ba6e9f623632d02f012ac592ca
Instruction Fuzzy Hash: 0991F174A1521ACFCB04CFAAD58489EFBF2FF88350F259969D415EB260D330AA42CF51

Function 010E16B8 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60caf68c19436da1aec8c29ebdc19d1a4f2bd91cb84a63a4135c7f1b289749dd
Instruction ID: 5994785a5bacf889efbce06e9b4fd3eafa49edfbb65a869471d980eb81d0be7e
Opcode Fuzzy Hash: 60caf68c19436da1aec8c29ebdc19d1a4f2bd91cb84a63a4135c7f1b289749dd
Instruction Fuzzy Hash: F0514579B043058FC3149F69D98599ABBF2FB84320B18857AE186CB751D734EE45CB90

Function 09504FE8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4389ef9cd9cf59e439e739a1cd96e16ae7ba2d0a446b71b51ef59d2cd0cf0a3c
Instruction ID: dc85f3e6072d7697c241e4ab8e909ba5e8ced068dbcf928ff59ffa2d0f9fb18c
Opcode Fuzzy Hash: 4389ef9cd9cf59e439e739a1cd96e16ae7ba2d0a446b71b51ef59d2cd0cf0a3c
Instruction Fuzzy Hash: 6771D474E156098FCB04CFAAC5905DEFBF2BF89350F24942AE415FB254E3349A528F64

Function 010E2BC9 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db38c7dcd3d66c7a7aee04168f2e5b1e9418dc69b84cdbb30d635ea86f089d3
Instruction ID: d5a56c93f2a870e3d6839cff6799a195b9c8f2de9b3cf656ef5a1f658aacf81e
Opcode Fuzzy Hash: 3db38c7dcd3d66c7a7aee04168f2e5b1e9418dc69b84cdbb30d635ea86f089d3
Instruction Fuzzy Hash: 3C410B71714609CFC714CB6AC889A9AB7F6FF85310B15C46AD0DADBA60C334E951CF42

Function 010E2BD8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64593c00891d4758145d41b2089be8a4808607c94e9ed77fc6af82df9fd75cf
Instruction ID: b57cbeab44c650acfccdf06e4b4c6eb4ec6b0bc00c235845a4a6d2c5c267b225
Opcode Fuzzy Hash: b64593c00891d4758145d41b2089be8a4808607c94e9ed77fc6af82df9fd75cf
Instruction Fuzzy Hash: 7B41C872714609CFC714CB6EC989A5BB7FAFF84310B14C42AD1AACB660D234E951CF52

Function 09508218 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9c78b8d157451e17905275a581a120abae3aaafc5df773b5746357dddd916b
Instruction ID: f4ec1258487acbc9c9b47768b6bd3b3a380a7665c274811a2953eaa5199d8001
Opcode Fuzzy Hash: 8b9c78b8d157451e17905275a581a120abae3aaafc5df773b5746357dddd916b
Instruction Fuzzy Hash: F7412B70D0A61ADFCB44CFA6C5416AEFBB1BBC9300F20986AC105F7264E37586018B95

Function 09505278 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a766841857f0d53cdc19c05c63aeecae21294697972a72a268c8aee56bc945
Instruction ID: 10c73c4574982a30686e0b6235b86aa97aeb47a1e66f76c8d085881b7e212e8d
Opcode Fuzzy Hash: 62a766841857f0d53cdc19c05c63aeecae21294697972a72a268c8aee56bc945
Instruction Fuzzy Hash: CD41F7B0E0560ADBCB44CFAAC5815AEFBF2BF88300F24D569D419F7254E7349A428F94

Function 09508228 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe38014804c6c08eedbb740cca5fa14d2fa0a89a6bdf36724633d82ac1429dd
Instruction ID: bd325f4ed484a5a1dfd072c423580228d9d0f43e1e1f0be61c0c782d7b11598b
Opcode Fuzzy Hash: 7fe38014804c6c08eedbb740cca5fa14d2fa0a89a6bdf36724633d82ac1429dd
Instruction Fuzzy Hash: AE413A70E0661ADFCB44CFA6C5416AEFBF1BBC9340F20986AC119F7264E37496018B94

Function 09504DE0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd244c2fcb87de0174fda86a8f770cd0d913a2fd506203047eab43a80e11d42
Instruction ID: 6d09b1bf1a0bd6af3b13e82f71f858fe0f967d788c67b82ac1c10f7b0aa12017
Opcode Fuzzy Hash: 3cd244c2fcb87de0174fda86a8f770cd0d913a2fd506203047eab43a80e11d42
Instruction Fuzzy Hash: 7741D3B0E0560ADFCB48CFAAC5915AEFBF2BF88300F14C42AD515E7254E3349A418F95

Function 010E3601 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1514845304.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1c404ad7abcb5099f44fd8669c03a030d75f3579e6c31b83cf17e9e442ff50
Instruction ID: 80a8159378214b54235a0a08aef054528814d01305ec53183d0736571c232c73
Opcode Fuzzy Hash: 2e1c404ad7abcb5099f44fd8669c03a030d75f3579e6c31b83cf17e9e442ff50
Instruction Fuzzy Hash: 7221E232E0420A8FC704CFAACD855AEBFF6FBD9710B158527C456EB361D2749E418A91

Function 09500040 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1542746822.0000000009500000.00000040.00000800.00020000.00000000.sdmp, Offset: 09500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9500000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b888ccaede3f81ad970c80a52ea0d4c945adc1b81a93d32787e933416c8358
Instruction ID: 18f8dfde39a7d7f4d1fd609b2ca718da4ae5a868d96f35bc43157bfad28d025b
Opcode Fuzzy Hash: e5b888ccaede3f81ad970c80a52ea0d4c945adc1b81a93d32787e933416c8358
Instruction Fuzzy Hash: 5F11C971E006189BEB58CFABD81069EFAF3BFC8200F04C07AC918A6264EB700656CF55

Function 09DA5DE7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1543889619.0000000009DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9da0000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9594c1cc3eb9c54cc86b0a3a5695fe256d2fa1a3d2edc0040f19f8380e9ef76
Instruction ID: cd124f04466a4b8e67465fc16dad19829ddf5ca2e7b36504e145960574da50e3
Opcode Fuzzy Hash: e9594c1cc3eb9c54cc86b0a3a5695fe256d2fa1a3d2edc0040f19f8380e9ef76
Instruction Fuzzy Hash: C9C04C36DCE104D685104D98B4084FCBB3C96DB2E2F443062D18EB38875A20D1344545

Analysis Process: ThBJg59JRC.exePID: 7952, Parent PID: 7488COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	5.8%
Signature Coverage:	9.7%
Total number of Nodes:	103
Total number of Limit Nodes:	9

Executed Functions

Function 004180A3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00418115

Memory Dump Source

Source File: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_ThBJg59JRC.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction ID: 82db2e993d1e07e1d7644de47204ba0bce80a130be887ef06817bc54f773b708
Opcode Fuzzy Hash: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction Fuzzy Hash: 720175B1E0010DB7DF10DBE1DC42FDEB7789B14304F0082AAE90897241FA35EB598755

Function 0042CF83 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CFBA

Memory Dump Source

Source File: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_ThBJg59JRC.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction ID: 6d2509923731cc3402650cfd5fc60feb34918fdb874d2f8a5cff3782f44a3a58
Opcode Fuzzy Hash: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction Fuzzy Hash: C3E04F762002147BC110BA5ADC41F9B77ACDFC5714F004459FA08A7141C671B91187F5

Function 018E2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 018E2DFA

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85c1b7a7985e97736a0bda968a11c2e5b919248ddc83898fb2fa53fa38d0ba34
Instruction ID: bb7907eaa22fb6f2295811ee3f39f1b820d3c0cdbee36de34bc5c263746ad59f
Opcode Fuzzy Hash: 85c1b7a7985e97736a0bda968a11c2e5b919248ddc83898fb2fa53fa38d0ba34
Instruction Fuzzy Hash: 1F90023120140417D611715845047070009D7D2341F95C416A242C558DD756CB6AA222

Function 018E2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 018E2C7A

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b12c1618569abd2d2734cc0cfbc19f1d2f2b33453eb2166e77c3f5c56339881f
Instruction ID: 06929106df72ffc00045b8c06b942e422ab1033ee27a07defb8cd5258655930e
Opcode Fuzzy Hash: b12c1618569abd2d2734cc0cfbc19f1d2f2b33453eb2166e77c3f5c56339881f
Instruction Fuzzy Hash: B190023120148806D6107158840474A0005D7D2301F59C415A642C658DC795CAA97222

Function 018E35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 018E35CA

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c2a4077b708a110f7856d492cbf7528d1ff16c17705fafc1e5f14799b260789
Instruction ID: 3a0f1ae34f5bf9daeda63350940c730a42cb9109f64e8e98303b49f71b373174
Opcode Fuzzy Hash: 9c2a4077b708a110f7856d492cbf7528d1ff16c17705fafc1e5f14799b260789
Instruction Fuzzy Hash: 2190023160550406D600715845147061005D7D2301F65C415A242C568DC795CB6966A3

Function 0042D2F3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,20F845C7,00000007,00000000,00000004,00000000,00417925,000000F4), ref: 0042D332

Memory Dump Source

Source File: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_ThBJg59JRC.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction ID: fc4ede9bb63be3662ecc74f3f49d82a7fe2a18f936bc3bf2dd7dd97dc60d5dfe
Opcode Fuzzy Hash: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction Fuzzy Hash: ABE06DB12002147BD614EF5ADC41FAB33ACEFC5710F404419FE08A7245C671B9118AB9

Function 0042D2A3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EE6B,?,?,00000000,?,0041EE6B,?,?,?), ref: 0042D2E2

Memory Dump Source

Source File: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_ThBJg59JRC.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction ID: f0c058ad6ff32a825be29561732266307be72f8bb1a7a8645308030742660ac0
Opcode Fuzzy Hash: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction Fuzzy Hash: ACE092B22002147BD614EF5ADC41FAF37ACEFC9710F004419FE08A7282C670B9108BB9

Function 0042D343 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042D377

Memory Dump Source

Source File: 00000008.00000002.2033792269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_ThBJg59JRC.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6fe5a5a72d94321802cffe50a5f7811dbcce8a98ad70430984f235a63fa9eae5
Instruction ID: 18cf45479af2ecb15cb27987815ceb981d2a19fdd6fe511a06b4b29b7cf97ed1
Opcode Fuzzy Hash: 6fe5a5a72d94321802cffe50a5f7811dbcce8a98ad70430984f235a63fa9eae5
Instruction Fuzzy Hash: 9AE086716002147BD210FA5AEC41FDB775CDFC5714F00841AFB08A7281C674B91187F5

Function 018E2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 018E2C24

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 027338e10cab734102bb599729d8fc95ecb8f316688d690991ce5fddb3eaa78c
Instruction ID: bb474d082fac1af3b01111541aa8a44a2111d560bf077d08218a15e28203e4da
Opcode Fuzzy Hash: 027338e10cab734102bb599729d8fc95ecb8f316688d690991ce5fddb3eaa78c
Instruction Fuzzy Hash: 7BB09B719015C5C9DF11E764460C7177955B7D2701F15C065D3038641F4738C2E5E276

Non-executed Functions

Function 01922349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

ShutdownFlags, xrefs: 019224A1
GlobalFlag, xrefs: 01922F3F, 01923059
MaxDeadActivationContexts, xrefs: 01922D82
RaiseExceptionOnPossibleDeadlock, xrefs: 01922579
UnloadEventTraceDepth, xrefs: 019224C0
UseImpersonatedDeviceMap, xrefs: 0192251C
FrontEndHeapDebugOptions, xrefs: 01922489
minkernel\ntdll\ldrinit.c, xrefs: 01923187
@, xrefs: 01922B74
ExecuteOptions, xrefs: 019225A0
TracingFlags, xrefs: 01922549
MinimumStackCommitInBytes, xrefs: 01922BB0
DisableExceptionChainValidation, xrefs: 0192275F
CFGOptions, xrefs: 01922967
LdrpInitializeExecutionOptions, xrefs: 0192317D
GlobalFlag2, xrefs: 01922FC0
MaxLoaderThreads, xrefs: 019224EC
DisableHeapLookaside, xrefs: 0192246D
@, xrefs: 01922942
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01923176

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 94450cbefd09f24d87ba151cecbaa32b273601cdff81b120e94572a5ec76b62f
Instruction ID: 7fecbcaa5c0afcc5eebf04bcdd180f7b8981febc4467ac0902c7768c748e0536
Opcode Fuzzy Hash: 94450cbefd09f24d87ba151cecbaa32b273601cdff81b120e94572a5ec76b62f
Instruction Fuzzy Hash: 9D92BF71608352AFE721DF28C880F6BB7E8BB88710F14492DFA98D7255D774E944CB92

Function 018D8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

double initialized or corrupted critical section, xrefs: 01915508
Critical section address, xrefs: 01915425, 019154BC, 01915534
undeleted critical section in freed memory, xrefs: 0191542B
Critical section address., xrefs: 01915502
corrupted critical section, xrefs: 019154C2
Address of the debug info found in the active list., xrefs: 019154AE, 019154FA
Invalid debug info address of this critical section, xrefs: 019154B6
Thread identifier, xrefs: 0191553A
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019154E2
8, xrefs: 019152E3
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0191540A, 01915496, 01915519
Critical section debug info address, xrefs: 0191541F, 0191552E
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019154CE
Thread is in a state in which it cannot own a critical section, xrefs: 01915543

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 409368d26c1aa5ae2138881f4100fbe272bd41f3600025cfd2824199f2544209
Instruction ID: fe6c1c8eb1570718f82f52b9a65d91d4a34a896c97b2e17d7818a3b762b22575
Opcode Fuzzy Hash: 409368d26c1aa5ae2138881f4100fbe272bd41f3600025cfd2824199f2544209
Instruction Fuzzy Hash: 498190B1A40358EFEB20CF99C885FAEBBB9BB4A714F554119F508F7280D375AA41CB50

Function 018D29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01912602
RtlpResolveAssemblyStorageMapEntry, xrefs: 0191261F
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01912498
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01912409
@, xrefs: 0191259B
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01912506
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019125EB
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01912412
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01912624
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019122E4
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019124C0

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: fe4abbf65c642b5f53c510dc3b310a20ce30a06f6033cfd1780d2b5259ac7067
Instruction ID: 8304913867f0bf197c732446b5f55fbcb34802456f6c8d0877834f5fb0b5574a
Opcode Fuzzy Hash: fe4abbf65c642b5f53c510dc3b310a20ce30a06f6033cfd1780d2b5259ac7067
Instruction Fuzzy Hash: D8024EB1D0022D9BDB21DB58CC80B9AB7B9AB55704F5041DAE60DE7241EB70AFC4CF69

Function 01948B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

smss.exe, xrefs: 01948B8B
svchost.exe, xrefs: 01948B68
csrss.exe, xrefs: 01948B80
SegmentHeap, xrefs: 01948BE9
DefaultBrowser_NOPUBLISHERID, xrefs: 01948D00
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01948BD0
lsass.exe, xrefs: 01948BA1
heapType, xrefs: 01948BCB
runtimebroker.exe, xrefs: 01948B73
services.exe, xrefs: 01948B96

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 2ec48af82144b6e889d34af328c3b13f0a31ba64e012e28348c3ddd90b7bd67a
Instruction ID: 345c34963315b745e004ea96dc4481592af8c074042a09dba75832c037ba447f
Opcode Fuzzy Hash: 2ec48af82144b6e889d34af328c3b13f0a31ba64e012e28348c3ddd90b7bd67a
Instruction Fuzzy Hash: 98519A719053069BD729DF588888FABBBECEF94341F14492DEA9DC3241E770D608CB96

Function 01950274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019503A6, 019504B5, 019505DD, 01950682, 019506D9
HEAP[%wZ]: , xrefs: 01950399, 019504A8, 019505D0, 01950675, 019506CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 019504D3
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 019506EA
Just reallocated block at %p to %Ix bytes, xrefs: 019505F1
RtlReAllocateHeap, xrefs: 019502BF, 01950362
About to reallocate block at %p to %Ix bytes, xrefs: 019503BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0195069F

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: da544709f65f4f0472dda93a46eb06e8b8623d84f0e15bf69439e82aacfbc0e7
Instruction ID: 248d717c4e74c8ecfab94fc86dcc2cf069843389f47ae75db110395642ea054b
Opcode Fuzzy Hash: da544709f65f4f0472dda93a46eb06e8b8623d84f0e15bf69439e82aacfbc0e7
Instruction Fuzzy Hash: 09D1CC31614686DFDB62DF6CC480AADBBF5FF49B05F0C8059F849AB252D7349A82CB11

Function 019289B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierFlags, xrefs: 01928C50
VerifierDlls, xrefs: 01928CBD
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01928A3D
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01928A67
AVRF: -*- final list of providers -*- , xrefs: 01928B8F
HandleTraces, xrefs: 01928C8F
VerifierDebug, xrefs: 01928CA5

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: a311c5e23b1f5362a2a933bf8f7a044b2ae7b586bddd08692e7b46281c441a2a
Instruction ID: a024cf90bfa79b71c6063b3a38b9a1beb71428b08191dfa824384a30621cdbc0
Opcode Fuzzy Hash: a311c5e23b1f5362a2a933bf8f7a044b2ae7b586bddd08692e7b46281c441a2a
Instruction Fuzzy Hash: 42912871A05322AFE722EF2CC880F2B77E8AB94B14F05085DFA49AB259D730DD04C795

Function 018AEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Exit, xrefs: 018AEB6C
, xrefs: 018AF299
T, xrefs: 018AEB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 018AEB58
{, xrefs: 01904643
R, xrefs: 018AEB62

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 6c6f8929e92bf661148dcb9599a23259d7287d38c2024853c56670c9f73b52ae
Instruction ID: 2dfcff5fd90352c152c7049c344be5ff26021b66a1e927b1bbdb48d5330f7d87
Opcode Fuzzy Hash: 6c6f8929e92bf661148dcb9599a23259d7287d38c2024853c56670c9f73b52ae
Instruction Fuzzy Hash: FDA25B70A0562A8FEB65DF18CD887ADBBB5AF45704F5442E9DA0DE7290DB309E81CF40

Function 018D63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 01914258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 019140D8
_LdrpInitialize, xrefs: 019140DF, 01914141, 01914205, 0191425F
Process initialization failed with status 0x%08lx, xrefs: 0191413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 019141FE
minkernel\ntdll\ldrinit.c, xrefs: 019140E9, 0191414B, 0191420F, 01914269

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: b1ff584273e8afb11fe134ed4b6cf60c0ccf9bd2fc0387fdca6715f651669332
Instruction ID: c9b18a10b2c8703f5a93d2c0186837506bd3c3e9a3641905466f8495eb0efe08
Opcode Fuzzy Hash: b1ff584273e8afb11fe134ed4b6cf60c0ccf9bd2fc0387fdca6715f651669332
Instruction Fuzzy Hash: 2F916C70B0031D9BEB35DF2CD884BAE7BA6BB54B24F140119E508EB389E7748A81C7D1

Function 0189645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 018F99ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 018F9A01
apphelp.dll, xrefs: 01896496
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 018F9A2A
LdrpInitShimEngine, xrefs: 018F99F4, 018F9A07, 018F9A30
minkernel\ntdll\ldrinit.c, xrefs: 018F9A11, 018F9A3A

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 56060e7cfb04c842eb44dc97be2740460e83a28b9acb149629b3e64b7de7cb7c
Instruction ID: 32fb09066d2b5b6d9e945259405d33bf4ea07809310f62bfa7bae00f30ed33e5
Opcode Fuzzy Hash: 56060e7cfb04c842eb44dc97be2740460e83a28b9acb149629b3e64b7de7cb7c
Instruction Fuzzy Hash: 685180716083059FEB25DF28D881BAB77E5FB84748F14091DF685D7261E630EB48CB92

Function 018DC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 01918170
LdrpInitializeProcess, xrefs: 018DC6C4
Unable to build import redirection Table, Status = 0x%x, xrefs: 019181E5
minkernel\ntdll\ldrredirect.c, xrefs: 01918181, 019181F5
LdrpInitializeImportRedirection, xrefs: 01918177, 019181EB
minkernel\ntdll\ldrinit.c, xrefs: 018DC6C3

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: ef2916bba861288f67db93dc331a1e3c4b206d2e806eb60b0bbd32d0135d9abc
Instruction ID: d355c5e42c1002409b860f57da14eacf7e259cbec8c1f03e5dc65435b59b171b
Opcode Fuzzy Hash: ef2916bba861288f67db93dc331a1e3c4b206d2e806eb60b0bbd32d0135d9abc
Instruction Fuzzy Hash: C431C2726483469BD220EF2CD986E1A77D5FF94B24F04055CF949EB395E620EE04C7A2

Function 018D2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01912180
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0191219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 019121BF
SXS: %s() passed the empty activation context, xrefs: 01912165
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01912178
RtlGetAssemblyStorageRoot, xrefs: 01912160, 0191219A, 019121BA

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 02ce811721106e4cce13a90392c3b5bbcfd471c45e1556bb0d9ab9199f3eee3d
Instruction ID: 7e7ddfe57e62d05c26a6ef4c19b316093c5e247dea342ec17abcaf0292a31dba
Opcode Fuzzy Hash: 02ce811721106e4cce13a90392c3b5bbcfd471c45e1556bb0d9ab9199f3eee3d
Instruction Fuzzy Hash: 0531E436A403297BE721EB9A8C81F5A7B79EFA5B50F254059FA08E7244D2709F40C6A1

Function 018E096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 018E2DF0: LdrInitializeThunk.NTDLL ref: 018E2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018E0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018E0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018E0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018E0D74

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 908632eb89808ad2461a8472c3fa2a29ade458885675f92468606503dd20d7dc
Instruction ID: 84c4382794dd982d494ea318fabd29df22a68c201df2552a688ea0c5c19ca39e
Opcode Fuzzy Hash: 908632eb89808ad2461a8472c3fa2a29ade458885675f92468606503dd20d7dc
Instruction Fuzzy Hash: 4B427C71A00719DFDB21CF28C894BAAB7F9FF05304F1445A9E989DB245E770AA84CF61

Function 018AA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 018AA3E7
LdrResFallbackLangList Enter, xrefs: 018AA3EF
6, xrefs: 018AA3F7
LdrResFallbackLangList Exit, xrefs: 018AA3FF

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: a1e4aee68d906eee3fa52e3219ab67bb8f663c181d51ce571bf6060ddbbc0977
Instruction ID: f3670fb8697bbede811423b5c715f9b8751151fcc89fb9758736a9e54d73987c
Opcode Fuzzy Hash: a1e4aee68d906eee3fa52e3219ab67bb8f663c181d51ce571bf6060ddbbc0977
Instruction Fuzzy Hash: C9C1AF74508386CFE729CF58C084B6AB7E4FF84708F444869F995CBA91E734CA49CB56

Function 018D8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 018D855E
LdrpInitializeProcess, xrefs: 018D8422
@, xrefs: 018D8591
minkernel\ntdll\ldrinit.c, xrefs: 018D8421

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: f35ce1d2f6138e0b67194ab326da28bb20f4063bec9854279ad37294886b3c4c
Instruction ID: dc01b8c38e1bdb43818637b8a805b71822d9e64063544113117f1c5ad87be464
Opcode Fuzzy Hash: f35ce1d2f6138e0b67194ab326da28bb20f4063bec9854279ad37294886b3c4c
Instruction Fuzzy Hash: 39918E71508349AFE722DF69CC84EABBBECBB85744F40092EF684D2151E774DA44CB62

Function 018D273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 019121D9, 019122B1
SXS: %s() passed the empty activation context, xrefs: 019121DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 019122B6
.Local, xrefs: 018D28D8

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 8c05de59116a67994b7087bb07b506909f7ca9900040d3e146ef4e2e2c0c9490
Instruction ID: dade093586082829c0b8264e570a2db65bb82620248411cddf18ac76ca1fccd9
Opcode Fuzzy Hash: 8c05de59116a67994b7087bb07b506909f7ca9900040d3e146ef4e2e2c0c9490
Instruction Fuzzy Hash: 15A19B3190132DABDB25DF68C888BA9B7B6BF58314F2545E9D908E7255D7309F80CF90

Function 018D4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01913437
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0191342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01913456
RtlDeactivateActivationContext, xrefs: 01913425, 01913432, 01913451

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 147bb74a2c27329abd4609e03236ac2d2450bd1089f41e1cd1bd88753b3fc33c
Instruction ID: a37d39cfff54565e9a9e5729cb0dcb7e37cb6eb67e9141bd12f5af02914797f8
Opcode Fuzzy Hash: 147bb74a2c27329abd4609e03236ac2d2450bd1089f41e1cd1bd88753b3fc33c
Instruction Fuzzy Hash: 716124326807169BD722CF1DC881B2AB7F5FF90B20F14852DE959DB684DB34EA41CB91

Function 018A64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019010AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0190106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01901028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01900FE5

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 73b9deb04d428ce508d1ebfb4f3f97b9de838f6b1692022704bf6419c88cf70a
Instruction ID: 6765986e60502fdfd35d898ebf8dc02cb1469dde3d40ea456684bcfd1427d82b
Opcode Fuzzy Hash: 73b9deb04d428ce508d1ebfb4f3f97b9de838f6b1692022704bf6419c88cf70a
Instruction Fuzzy Hash: 4C71E4B19043059FDB21DF18C884B977FA8EF95754F580468F988CB28AE374D688CBD2

Function 018C245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0190A992
apphelp.dll, xrefs: 018C2462
LdrpDynamicShimModule, xrefs: 0190A998
minkernel\ntdll\ldrinit.c, xrefs: 0190A9A2

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 7a7be5ba7d598aec93510ea7408a45669673113ba56170de583eb9a4b33e29df
Instruction ID: fea34aded3dc054304dc9d67ba5ddfb0a3cb2a299ce246aba42641e8b53bc19e
Opcode Fuzzy Hash: 7a7be5ba7d598aec93510ea7408a45669673113ba56170de583eb9a4b33e29df
Instruction Fuzzy Hash: D1311671600301AFDB329F6E9985AAAB7BAFB84B04F15001DE915AB295D7709A82C7C1

Function 018B29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 018B3264
HEAP[%wZ]: , xrefs: 018B3255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 018B327D

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: c182d90503ddb526965b4192b14cf6be2c31b07de05fedbb004c4cbc1eccb6c2
Instruction ID: 2dfcd1b6aa9884f62059e0911041606a790f74ffcd958683cda4e60590c18718
Opcode Fuzzy Hash: c182d90503ddb526965b4192b14cf6be2c31b07de05fedbb004c4cbc1eccb6c2
Instruction Fuzzy Hash: AD92AB71A046499FDB25CF68C484BEEBBF2FF49304F188069E859EB352D734AA45CB50

Function 018B0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019050AE
HEAP: , xrefs: 019050BD
(UCRBlock->Size >= *Size), xrefs: 019050CA

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: b93bbfaa91de3bd1843d033862363ea4c74ec2e3b199da52763456bf63995c9c
Instruction ID: 78586f90bb78ff0ad94d4c79a3e418eed1514cf371bd00f725f9bff4a5894c75
Opcode Fuzzy Hash: b93bbfaa91de3bd1843d033862363ea4c74ec2e3b199da52763456bf63995c9c
Instruction Fuzzy Hash: CEF19C70600606DFEB26CF68C894BAABBB5FF44704F148168E51ADB391D734EA81CF91

Function 018C6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0190CA51
@, xrefs: 018C6C24

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 8a02b5c790d61554cbfa23512efd50b0c202bc9792b2d8d8a4ea34e6a0e9e600
Instruction ID: 66ad1636d0972d21b81ce5bd7115af4dd0c1dd7f06dd537218068f184b7f5aac
Opcode Fuzzy Hash: 8a02b5c790d61554cbfa23512efd50b0c202bc9792b2d8d8a4ea34e6a0e9e600
Instruction Fuzzy Hash: D5C27F716083459FE726CF28C881BABBBE5AF88B14F04896DF989C7241D734DA45CF52

Function 0189A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 018FC1E4
UseFilter, xrefs: 0189A1C1
FilterFullPath, xrefs: 018FC2E6

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: a0e1e78c0bec3613669d2eba18e3c1aa09ee3922c43c6c1b379540237180822d
Instruction ID: acf31714e33dafd151f89c5de2e6433cde615344ce46f822c8d6cf3fb11479e5
Opcode Fuzzy Hash: a0e1e78c0bec3613669d2eba18e3c1aa09ee3922c43c6c1b379540237180822d
Instruction Fuzzy Hash: 5AA157719116299BDF319B68CC88BAAB7B8EF44704F1001EAEA09E7251E7359F84CF51

Function 018C0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 0190A117
Failed to allocated memory for shimmed module list, xrefs: 0190A10F
minkernel\ntdll\ldrinit.c, xrefs: 0190A121

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: f7f40234f7d3820b061031d2457cf17cd031b177d89813fd531a18433c359f9a
Instruction ID: e24cf2c78e83c0766bf8e9dc308ca7b3c27694ff39a9a97410ac6da757954902
Opcode Fuzzy Hash: f7f40234f7d3820b061031d2457cf17cd031b177d89813fd531a18433c359f9a
Instruction Fuzzy Hash: 0571BD75A00309DFDB26DF6CC981AAEB7F4FB48B44F14406DE906EB251E634EA41CB91

Function 018B0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01905342
HEAP[%wZ]: , xrefs: 01905335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0190534D

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: fe2d8e738aaa067b96fe2f017126e274d5a5d05d1011d62615a6983df5c716f5
Instruction ID: 60f5e6b557297fffbbe42a48abfa8d0240d33eb5ff16091eabfd494672fb1f19
Opcode Fuzzy Hash: fe2d8e738aaa067b96fe2f017126e274d5a5d05d1011d62615a6983df5c716f5
Instruction Fuzzy Hash: A7617971600305DFEB29CF28C480BAABBB5FF45704F158559E499CB396D770E981CB91

Function 018DC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 019182D7
LdrpInitializePerUserWindowsDirectory, xrefs: 019182DE
minkernel\ntdll\ldrinit.c, xrefs: 019182E8

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: c0f9bb4282ec95b0ee44812124b9cafcecf5cb12996388f0718f7da586e87683
Instruction ID: 5eab72d5a2f4bbad266acc6993d142524cbbb6cd1766842e105554a602dfb793
Opcode Fuzzy Hash: c0f9bb4282ec95b0ee44812124b9cafcecf5cb12996388f0718f7da586e87683
Instruction Fuzzy Hash: 3E410471505305ABDB21EB6DD884B5B77E8AF48750F01482EF948D3254E774DA00CB92

Function 0195C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0195C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0195C1C5
@, xrefs: 0195C1F1

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: cdd81b202773c0541de7707ab102484f07a3558c3b05de93a62251d0fa12ef48
Instruction ID: c71678d878d4f97ecd0e93d32c26c4ee801c1dec55e5fab745418069fde68e05
Opcode Fuzzy Hash: cdd81b202773c0541de7707ab102484f07a3558c3b05de93a62251d0fa12ef48
Instruction Fuzzy Hash: 43417171E00309EBDF51DAD8C891FEEBBBCAB14745F04416AEA09F7240D774DA448B91

Function 01934144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01934225
LdrpResValidateFilePath Exit, xrefs: 01934172
LdrpResValidateFilePath Enter, xrefs: 01934160

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: ddd8321d192891a50beea8390fac47403806f015fdefe6feebdeebd6f5b5a5cc
Instruction ID: 18d88def2e0b98f458229ab2ac4cee553ab347ae4b3b5eb101da34bc9309c01a
Opcode Fuzzy Hash: ddd8321d192891a50beea8390fac47403806f015fdefe6feebdeebd6f5b5a5cc
Instruction Fuzzy Hash: 1341F331A00659CBEB25DBD8C884BADBBB9FFA5340F16045AD909FB791D7348A01CB51

Function 01924755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 0192488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01924888
minkernel\ntdll\ldrredirect.c, xrefs: 01924899

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 50e5a8eee7bea1b7755dc7807e223f2fae2ed6d21620e52ee22183e7061959a0
Instruction ID: 2d2f0bd2d6bd5020ec69d7e3cb7e75151c280b58baf071f1a74d3ec25495a35e
Opcode Fuzzy Hash: 50e5a8eee7bea1b7755dc7807e223f2fae2ed6d21620e52ee22183e7061959a0
Instruction Fuzzy Hash: 65419E32A147719BCB21DE6CD840A26BBE8BF89B51B060569ED5DDB319D770E800CB92

Function 018B0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0190543E
HEAP[%wZ]: , xrefs: 01905431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01905449

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 02ef6d193a498ae02e742002a98336194426fc7cc70b4ff0b4feca240c11c314
Instruction ID: 1fc09cc20bed0bb60f673f3dee25a6d390efe069fd6c9854e62a922eca2d498c
Opcode Fuzzy Hash: 02ef6d193a498ae02e742002a98336194426fc7cc70b4ff0b4feca240c11c314
Instruction Fuzzy Hash: 1911DF313241069FEB2ACB18C4C4FBAB3A9EF40B1AF1A8159F40ACB391DB34D941CB51

Function 019220DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 019220F3
LdrpInitializationFailure, xrefs: 019220FA
minkernel\ntdll\ldrinit.c, xrefs: 01922104

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: d361e852e0f7d0f92592e8e6dd7684bbcde25024c5e523cc18186fd9cfefe9ec
Instruction ID: 75030175b4acc8d158330a2d7623fce747cc098f894bae742c645c20dad02150
Opcode Fuzzy Hash: d361e852e0f7d0f92592e8e6dd7684bbcde25024c5e523cc18186fd9cfefe9ec
Instruction Fuzzy Hash: 0EF0C8756403186BEB24EB5CCC46F99376DFB41B54F200059F604A738AD6B4AA40C651

Function 018B03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01904D8A

Strings

#%u, xrefs: 01904D82

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: e9d21ff851c3e1790eaed20998b7c005fe371aa0f735f3691f29157a0368cd28
Instruction ID: c1dbdd94cb578ce48c7ce999e893dad8bd2f292fc3ff0f776d62b1074e7ef8a1
Opcode Fuzzy Hash: e9d21ff851c3e1790eaed20998b7c005fe371aa0f735f3691f29157a0368cd28
Instruction Fuzzy Hash: 50712C71A0014A9FDB01DF98C994BEEBBF8BF58704F144065EA05E7251EA38EE41CB61

Function 018AA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 018AAA25
LdrResSearchResource Enter, xrefs: 018AAA13

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: d6900e152cb461edcb52084dba8c32a12203448d356e4232b9609fe016279ff6
Instruction ID: cad4be1b109bcf758d9f7ec2bdb7f1d8ad104a220efdbbcd44edac12f6903884
Opcode Fuzzy Hash: d6900e152cb461edcb52084dba8c32a12203448d356e4232b9609fe016279ff6
Instruction Fuzzy Hash: A3E1A371E002199FFB26CF9DC994BAEBBB9BF48314F50042AEA05E7681D734DA41CB50

Function 0196A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0196A44B
`, xrefs: 0196A551

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: ec857345355833c38e8cd5c36becc522115eaebf1930a80384a9506792d36e2f
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 1DC1E3312043429BE725CF28C841B6BBBE9BFD4719F084A2DF69ADB290D774D905CB61

Function 0191E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 0191E75A
UEFI, xrefs: 0191E751

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 3e3a562e4bebe28e9abf7357dd44bc909dca2e80e9b0ffd4ea98967298c6e82b
Instruction ID: 5ac198057960ca4e24e9e37d6a885b77beec8882df7bd379a3f1f9d0089185d0
Opcode Fuzzy Hash: 3e3a562e4bebe28e9abf7357dd44bc909dca2e80e9b0ffd4ea98967298c6e82b
Instruction Fuzzy Hash: B5616D71E0020D9FEB16DFA8C940BADBBF9FB48700F14446DEA59EB255DB31A980CB51

Function 019443D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01944437
MUI, xrefs: 01944525

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 0f75198ea0ad2ecb202f15b8f8abbd4c34af47f9cf4b990ad8aaed4d48cf3d12
Instruction ID: ea8b69e15eb37dc26c0b461085806809d56feeb1e128ea67bca6d67485d3f924
Opcode Fuzzy Hash: 0f75198ea0ad2ecb202f15b8f8abbd4c34af47f9cf4b990ad8aaed4d48cf3d12
Instruction Fuzzy Hash: 6E510871E0021DAFDF11DFA9CC94FEEBBBDAB44754F100529E615E7290D6709A05CBA0

Function 018A04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 018A063D
kLsE, xrefs: 018A0540

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 09685ce6024e0a72fd4d761000a95b5e80e1c7e595a2d95a8b89c9d34aade36c
Instruction ID: 6d5e0e63b87f4d924dda64b849ed904185153c90bca6e08c7e04d0add4ea627c
Opcode Fuzzy Hash: 09685ce6024e0a72fd4d761000a95b5e80e1c7e595a2d95a8b89c9d34aade36c
Instruction Fuzzy Hash: 8851D0715047468FE724EF68C4806A7BBE4AF85308F50483EFAEAC7241E770E645CB92

Function 018AA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 018AA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 018AA309

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 27250b2a8a86207b339ccc28f2ad38b3c056458f832becfa7f980f51a9a2857b
Instruction ID: 68e6f9671378c838e10c7353699b2643585670a36856734bfaa7afcb3e938dc3
Opcode Fuzzy Hash: 27250b2a8a86207b339ccc28f2ad38b3c056458f832becfa7f980f51a9a2857b
Instruction Fuzzy Hash: 8C41B030A04659DFEB16CF5DC844BAEBBB8FF85704F1440A5E904DB691E3B5DA40CB51

Function 018DA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 018DA5E9
Cleanup Group, xrefs: 018DA5E4

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 20437901ad72aeb27b8cb57cd33ea17612770bd19920b6bd58c96199c9a7e62d
Instruction ID: 2a54fe044d5f2c94b13386fd18e0e7d4d255ed298c1a67c371ca88f784d725fe
Opcode Fuzzy Hash: 20437901ad72aeb27b8cb57cd33ea17612770bd19920b6bd58c96199c9a7e62d
Instruction Fuzzy Hash: A101F4B2248704EFE311DF18DD45F2677E8E785B15F048939B658C7190E374DA04CB46

Function 018AC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 018AC8C3, 018ACA40

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: e2367041d0942bc63d9eb2d40d904b69ca56f368c72ee5f01df6ba340422852e
Instruction ID: 2cf36c933095f45d6cccce63616e3fd43342738f01500bf2b9582484f0526b0c
Opcode Fuzzy Hash: e2367041d0942bc63d9eb2d40d904b69ca56f368c72ee5f01df6ba340422852e
Instruction Fuzzy Hash: CA827A75E002188FFB25CFA9C880BEDBBB1BF48314F548169E959EB751D770AA81CB50

Function 01926420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 019265C1

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5b844324ab738b98e0ae4d80eeed74c883a6dcabddd56f2d9c979d442adde9bb
Instruction ID: 132c124001a839b67e83ed514f8387ba7f8ca8727fe5c674930ea9d2c39f940e
Opcode Fuzzy Hash: 5b844324ab738b98e0ae4d80eeed74c883a6dcabddd56f2d9c979d442adde9bb
Instruction Fuzzy Hash: CF917271940229AFEB21DB99CC85FAE7BB8EF15B50F104069FA04EB594D674EE00CB61

Function 0194E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0194E1FA

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fc62ad4761f29f27b9681089ac2c47f0639256e855b82fa4dbb7a65fb89b7877
Instruction ID: 63d7758830466ebf3cb80a2f507199470e0703a4afa00cebb3c24c024dff4ab7
Opcode Fuzzy Hash: fc62ad4761f29f27b9681089ac2c47f0639256e855b82fa4dbb7a65fb89b7877
Instruction Fuzzy Hash: E0915E32901609ABDB26EBA9D894FAFBBB9FF45740F140029F509A7250E7789A01CB51

Function 018DA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 019167C9

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 813d9c237a83491804bef7d1bc4504b3a52de9ed2f34b44d6fa60e3c04201c93
Instruction ID: 2e136c06c65f56e8cbc58c467870db671b9e1770826a7e1fdf2e17bd4b0cee34
Opcode Fuzzy Hash: 813d9c237a83491804bef7d1bc4504b3a52de9ed2f34b44d6fa60e3c04201c93
Instruction Fuzzy Hash: 21718175E0030ACFDF28CF9CD590AADBBB5BF88711F14856EE909A7244E7719981CB50

Function 01944978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01944A7F

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 2bcc119aa6024350d5b474b425caf87dc6e3f054c89df11bc474b5de2412e20b
Instruction ID: e89d4b90f0802d7eca0cae0089a32e9c309d8c4a4839ed8b89dc67a167339f24
Opcode Fuzzy Hash: 2bcc119aa6024350d5b474b425caf87dc6e3f054c89df11bc474b5de2412e20b
Instruction Fuzzy Hash: 90517072D0022A9BDF15DF99D840FAEBBB8AF14B54F05412AEA19FB340D7349901CBA4

Function 018BE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 018BE6A4

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 19d6bbb89d761ae5b5626cb5bed6ebca18140486a4132258c7396c07c0520a5c
Instruction ID: bdaee318ad7b16198913b9a8ede4df2ecce3af52bc7194e7f8526553e3406e42
Opcode Fuzzy Hash: 19d6bbb89d761ae5b5626cb5bed6ebca18140486a4132258c7396c07c0520a5c
Instruction Fuzzy Hash: F9415F72509346AFD721DA69C8C4BEBBBE8AF88718F44092DB684D7240E674DB048797

Function 0191C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0191C77F

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 6c05ef7b0ebd41ec647dc432d9152df1be8841c3c78038e77cc8c88c76ac336a
Instruction ID: b8c49c12a7cf4812f1db6183bed82a397bc0e7135407878965e8782aedbce2e7
Opcode Fuzzy Hash: 6c05ef7b0ebd41ec647dc432d9152df1be8841c3c78038e77cc8c88c76ac336a
Instruction Fuzzy Hash: 5A4141B2D4022DAADB21DA54CC84FDEB77CAB45714F0045E5EB08AB144DB709F898FA5

Function 01936B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01936B91

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4e3ff091c6a95f3662850559e156656d41e86d54e9c109acbfab75e9f6c30121
Instruction ID: 480eaf8ac5bf2638c6af1eb617acbe1a23e0d27a3306edfd28e92e75a5fd9aaf
Opcode Fuzzy Hash: 4e3ff091c6a95f3662850559e156656d41e86d54e9c109acbfab75e9f6c30121
Instruction Fuzzy Hash: F431F631E00719ABEB22DB6DC854BEE7BBCDF85704F144068EA49AB282D775DA05CB50

Function 0192892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0192895E

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 3882f7fcb9a130b2fbd89224957bf17ddb28bc25d2f98cdeeb822978e063d306
Instruction ID: d5ccf2191640c33008bdab0c92f1b8988624e98435aac4c7ce15d984636f0a64
Opcode Fuzzy Hash: 3882f7fcb9a130b2fbd89224957bf17ddb28bc25d2f98cdeeb822978e063d306
Instruction Fuzzy Hash: 2C012F3A300231ABFB256A5E8884A2A7BA8BF85794B04042DE24902519CB20A881C792

Function 01942000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02db0fbde45e6c9060fd172a46e08dfe3c679580300dd70289ce8bc6ca51d23
Instruction ID: acf6922a9140f3bd0be4d4ae74c9404166f62b2a74bede5d9b4cc9475258098d
Opcode Fuzzy Hash: f02db0fbde45e6c9060fd172a46e08dfe3c679580300dd70289ce8bc6ca51d23
Instruction Fuzzy Hash: 9742D2356083418BE725CF68D890E6FBBE9BF88704F08092DFA8AD7250D771E945CB52

Function 01938158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fe3eee3890692eef350aff7c1d48dbec7c4d79c9a531a609dd7bd76935f9eb
Instruction ID: 1e27697a9d014a0c0ced8e9cf4bf65416ad09ecaac7e1af6fa296ea92d0d07d7
Opcode Fuzzy Hash: f3fe3eee3890692eef350aff7c1d48dbec7c4d79c9a531a609dd7bd76935f9eb
Instruction Fuzzy Hash: 3A426C75E002198FEB25CF69C881BADBBF6BF88301F148199E94DEB242D7349985CF51

Function 018B2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86fefecda89ec4ee31c644fcff425060363b17a0d6369253aa365a71e41ad30
Instruction ID: 7c83657ecfea29866042ab6912f4dd02552ab2aff2d0dbd0d05c61edccc76c87
Opcode Fuzzy Hash: e86fefecda89ec4ee31c644fcff425060363b17a0d6369253aa365a71e41ad30
Instruction Fuzzy Hash: 6432FF70A007198FDB26CF69C844BBEBBF6BF84704F24451DD98A9B384D735A922CB50

Function 0194A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469dbe2ee35025a299b84add010a4d0f7cdd78aeef4c5752c8c428c537eadd8d
Instruction ID: 41aea8b7679e366a9b761aaf38f5621f73fe6dd4c977b1f06a9616615f3ff8db
Opcode Fuzzy Hash: 469dbe2ee35025a299b84add010a4d0f7cdd78aeef4c5752c8c428c537eadd8d
Instruction Fuzzy Hash: DA22DF746846618BEB25CF2DC090F76BBF5AF44305F088859E99F8F286E335E452DB60

Function 018A6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e378d41a3c3591c423ce8de096a4fe28181a629a9bec5bcf5dda8962973251
Instruction ID: fa13abad21d6ab8b6aa4bfcefd5df65c2e7b45b06fe9dacf39807a79944e525d
Opcode Fuzzy Hash: 47e378d41a3c3591c423ce8de096a4fe28181a629a9bec5bcf5dda8962973251
Instruction Fuzzy Hash: 6732A071A00205CFEB25CF68C480BAAB7F5FF48304F684569E959EB395E734E941CB90

Function 018C4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: c39b6b9886b63838665b5d12c210c4c57c01a4e57eebf57cf0cb3f78c9fb9419
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: D2F17E74E0020A9FDB15DF99D590BAEBBF9AF48B14F04812DE905EB351E734EA81CB50

Function 0193892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9e3dba1b4073dd9f9ff403931261a34077b7f4648fe2cdf4ce96b1ace2d305
Instruction ID: 821a0af36332a7c615c37d9bf55f4874411f9314a566948c161b8db75ba9238d
Opcode Fuzzy Hash: ee9e3dba1b4073dd9f9ff403931261a34077b7f4648fe2cdf4ce96b1ace2d305
Instruction Fuzzy Hash: 31D10271E0060A9BDF09CF68C841AFEB7F5AFC8304F188669E959E7241D735E902CB60

Function 018A65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237bacf92666d7308e9616e6093c22569f97facd37999df0f9155994902b72e5
Instruction ID: ae720e6668720ff9948d3223467cbefae2c21a691e1e5a6d51522cfbf118afc9
Opcode Fuzzy Hash: 237bacf92666d7308e9616e6093c22569f97facd37999df0f9155994902b72e5
Instruction Fuzzy Hash: F7E19F71508341CFD715CF28C090A6ABBE1FF89308F598A6DE999C7355EB31EA05CB92

Function 01898397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6e22e713617d3a2038ef4ab3ee063e1efb924013f2129eab997486bc5e2d33
Instruction ID: 420f3926f2f33f787d8dc6cee7e4b7a4d286a2f691bbcd3a591a0b70021ea76b
Opcode Fuzzy Hash: 6c6e22e713617d3a2038ef4ab3ee063e1efb924013f2129eab997486bc5e2d33
Instruction Fuzzy Hash: E7D1D271A0020F9BDF14DF68C880ABE77A5BF56708F08462DEA16DB281E734DB54CB61

Function 01928243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: fde43010f9062a2efa57e2a5e48264c58cd153cba5f0a335e1a597826969b8cc
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: DBB1AF74A00619AFDB24DF98C940EABBBF9BF85344F10446DEA06D7799DA34E905CB10

Function 018B0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 8ae34ffdd80b176eac75bf802148d6cb022872ac926adf01c12c97437028eed1
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 82B10A3160464A9FDB26DBA8C890BBFBBFAAF84304F140559E656E7381D730EE41CB50

Function 018A83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b953874add56ca609f5919a8792c9be50e479617aafd184610897d7504f20819
Instruction ID: 313f42a0d62afe8b9c0f7b38ee2efa6e54cb002da215dbb4bae51b0c36cc027d
Opcode Fuzzy Hash: b953874add56ca609f5919a8792c9be50e479617aafd184610897d7504f20819
Instruction Fuzzy Hash: 47C147745083418FE764DF19C484BABB7E9BF88304F44496DE989C7291E774EA08CFA2

Function 0189C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582e30090189ebba1073dd9cc19079320cfb9671728f7456ba528c2242e417c3
Instruction ID: 6a9de094410f681abedc245609187f4be5d59c9fa68a0903415d4bb2c01693c0
Opcode Fuzzy Hash: 582e30090189ebba1073dd9cc19079320cfb9671728f7456ba528c2242e417c3
Instruction Fuzzy Hash: EBB17170A0026A8BDB65CF58C890BA9B7F5FF44714F0485E9E50AE7281EB71DEC5CB21

Function 018CE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95953513897a08f6782591412069b5ecb6edace236f57ce3a0fc3b8972d15377
Instruction ID: 72d52bd4fc2daef736955d3614223b2e7aef2611a74428dfed9a1751e69252e6
Opcode Fuzzy Hash: 95953513897a08f6782591412069b5ecb6edace236f57ce3a0fc3b8972d15377
Instruction Fuzzy Hash: 4DA1B231E006699FEB32DA5CC848FAEBFA9BB01B54F050119EA15EB2D1D7749E40CB91

Function 018E0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15b992f84664c1ea29ad6a080b1e40958ea461c41861bbe0a0fd45a203b1d4d
Instruction ID: b8a87144e501de6fb01acf21ab78fea106a51b777c75054cad980145c7152f7e
Opcode Fuzzy Hash: a15b992f84664c1ea29ad6a080b1e40958ea461c41861bbe0a0fd45a203b1d4d
Instruction Fuzzy Hash: DBA10471B0061A9FDB25CF69C994BAAB7F5FF5530DF004829EA05E7281DB74EA01CB50

Function 01974500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc00d90e7f59e8ba9dab4d69b02f1b170ac876ab47e27b847602a6be9313c083
Instruction ID: 37fd679485623999fe14729bf539d5b88517565ef63e936cc5b4bedbbfd332c3
Opcode Fuzzy Hash: bc00d90e7f59e8ba9dab4d69b02f1b170ac876ab47e27b847602a6be9313c083
Instruction Fuzzy Hash: 05A1AE72A14612DFD712DF18C980BAABBE9FF48704F450928F589DB652D334ED41CB92

Function 01972B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 801074f73a7a19a7d10b8a69f65a94366f83db7c71e8c1d38440e065d2336661
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 6BB13B71E1065ADFDF15CFADC880AADBBB9FF48310F148569E918AB354D730A941CB90

Function 019260E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f393123b90a8e8d2c5593dbd6cc6a20abc3ffa6770888b36ad9608c7a437513
Instruction ID: 8b11ca912ed5d66677eeac3b0b71ba51a8039c879e9dcebcfa5d4b33cb37dd29
Opcode Fuzzy Hash: 8f393123b90a8e8d2c5593dbd6cc6a20abc3ffa6770888b36ad9608c7a437513
Instruction Fuzzy Hash: 5691A571D0022AAFDB15CF68D884BAEBFB9EF49710F154159EA14EB745D734EE008BA0

Function 018BE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c801fb50db7cd56d9afd8d4f93cbbbca4adf3c1119a38c77d1939be34761e9
Instruction ID: c2533a12fcc17072b9a240534998f5406e851efd9aac5ecaeee2fd69dbf354d3
Opcode Fuzzy Hash: a8c801fb50db7cd56d9afd8d4f93cbbbca4adf3c1119a38c77d1939be34761e9
Instruction Fuzzy Hash: D391E332A00616DFDB25DB5CC8C4BFABBA5EF94718F054065E909DB381E638DA41C792

Function 018F6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5042bf082bd40dab6fc280cb9bdf11b017eb7fad38d99cebdcd78b1b488295
Instruction ID: ad9c40383cda7ac70f324da77074f233ae6a737f9c2f58a94a89f1d0f81306b7
Opcode Fuzzy Hash: 2a5042bf082bd40dab6fc280cb9bdf11b017eb7fad38d99cebdcd78b1b488295
Instruction Fuzzy Hash: 7E819471E0061AABDB14CF69C980ABEBBF9FB48700F14852EE545E7640F334DA40CBA4

Function 0196AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 717cb225ca816e4ecff41d5fa3a6859907f11252b3897f07a2c86a7ed1e2cd37
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 71818471A002069FDF19DF59C490AAEBBFAFF94311F14856DD919AB344D734EA01CB60

Function 018DE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be23b57389749065d6205d16c4cd57ccc336d670244955118752493eb3eb4c88
Instruction ID: f573d466255adb4e57bc3d4bdcfbaf299e1dbe81b80a7ee81b3d5a3aa6bbdd90
Opcode Fuzzy Hash: be23b57389749065d6205d16c4cd57ccc336d670244955118752493eb3eb4c88
Instruction Fuzzy Hash: FE813E71A00709AFDB25CFA9C880AEEBBFAFF48354F144429E559E7250DB70AD45CB60

Function 018BC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3115089dc7909fc842de73431998c7767d1e7ded5de1b3d8d4076a58f1a86228
Instruction ID: 2afed1db687a9957183a4bf0e584ab567eb08dede2b61adb7844de3c9c47ea30
Opcode Fuzzy Hash: 3115089dc7909fc842de73431998c7767d1e7ded5de1b3d8d4076a58f1a86228
Instruction Fuzzy Hash: 4071AA75D046299FCB268F59C890BFEBBB5FF59710F14421AE846AB390D370A901CBA4

Function 019547A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d684c973044ff4a5e9e6237d1a092e8ec09768862a82a179248e0afe8ecc0fb
Instruction ID: 94b4e3d7e7b46cbd31044aa11bc6c0a34a6d05d28734885fde6006c9d4f550e0
Opcode Fuzzy Hash: 3d684c973044ff4a5e9e6237d1a092e8ec09768862a82a179248e0afe8ecc0fb
Instruction Fuzzy Hash: A271A270A05205EFEBE0CF6DD944E9ABBF9FF80701F04415AEA18BB258E7318980CB54

Function 018B260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa051c4e418bbb7b1db1f1a906e083245c6d34d76ab6e874a24067323b597ed
Instruction ID: 96ab671b52c78e72dfc29ae5d4161bd657fe301f153ead4d50a0750c34fe70fd
Opcode Fuzzy Hash: 6aa051c4e418bbb7b1db1f1a906e083245c6d34d76ab6e874a24067323b597ed
Instruction Fuzzy Hash: C971E6316046428FD312DF2CC480BAAB7E6FF85314F0485A9E859CB351EB34EE46CB96

Function 0192035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: fc43da852939fa88da6ab28d1962a99f64ead44e254cb13266b88a9523c59464
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 75717171A00619EFDB10DFA9C984EDEBBB9FF88700F144569E909E7250DB34EA05CB90

Function 019362A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3d9001caf91ce2944880ddcae8f4c35784144c8bc4efcca4e8eb6fab1b30ca
Instruction ID: 1b29955fb6079952d5e2f3f744bdb910ccb233fa4440e43f64ff4fc1ad063a06
Opcode Fuzzy Hash: df3d9001caf91ce2944880ddcae8f4c35784144c8bc4efcca4e8eb6fab1b30ca
Instruction Fuzzy Hash: 3871D332600701BFEB32DF18C848F56BBFAEF84B21F154918E65A872A1D775EA44CB50

Function 018A8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aba5cf9d5a170e635d6680d05198a721f5e973125bfa3f55db5870fdaf09ea1
Instruction ID: 3afc7f5a22e08def732efedbc22d2ea3cb6022b0739aa181dfac39668d3896d4
Opcode Fuzzy Hash: 1aba5cf9d5a170e635d6680d05198a721f5e973125bfa3f55db5870fdaf09ea1
Instruction Fuzzy Hash: 3781D571A08306CFEB26CF9CC588B6D77B5BF48715F554129D904AB281C7349E42CFA0

Function 01978324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0f2b83e6971ff661f340008ea3404d6268ef53449bc72fd3b6ac8baa92dea7
Instruction ID: 699edd56d9ae8fd3d717a59b4a627200bca90cd6397c6a298383ff11a600afec
Opcode Fuzzy Hash: af0f2b83e6971ff661f340008ea3404d6268ef53449bc72fd3b6ac8baa92dea7
Instruction Fuzzy Hash: FD711A71E00209AFDF16DF98C885FEEBBB9FF04750F104169E624A7290E774AA05CB91

Function 0195A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6c45760e523dd9a55018e2b384c42b0dbe195d203b892c9f1814a603b8d2c1
Instruction ID: 4d45bb7cebe7050b2848d124ec3d29cd947d51b89fdd86d5c2586aab1347ca7f
Opcode Fuzzy Hash: ea6c45760e523dd9a55018e2b384c42b0dbe195d203b892c9f1814a603b8d2c1
Instruction Fuzzy Hash: C151C172504712AFD751DEA8C848E5BBBE8EFC5B50F000A29BE48EB150D670EE05C7A6

Function 01948350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669e89208a43e61d469eaea6d1843638cb914834813d23fb6f711854ba058a15
Instruction ID: 0a663c4c906f7389eaf88360e2590147fe084f3ca7cfb24b730eb1070f3f95ec
Opcode Fuzzy Hash: 669e89208a43e61d469eaea6d1843638cb914834813d23fb6f711854ba058a15
Instruction Fuzzy Hash: CE51B270900709DFD721DF9AC884E6BFBF9BF94710F104A1ED25A976A0D7B0A545CB90

Function 018DE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d344a7994ad1e6ee1771ad0a0d468f008b87ce4aaf7e3ca38d32b39c73f83d
Instruction ID: b685fdb81811ff378e6ec27e2427eb300c54e86487b244a1b6716c040cf597ec
Opcode Fuzzy Hash: a7d344a7994ad1e6ee1771ad0a0d468f008b87ce4aaf7e3ca38d32b39c73f83d
Instruction Fuzzy Hash: DE512A71200A09DFCB22EFA9C9D0EAAB7FDFB14784F400469E556D7660D734AA41CB51

Function 01944180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59b8f8c75929de3e0e340fdef787c2ea8eb2b2fd07ad7c68e3d68e2ebc91e70
Instruction ID: 403a3517056d46ad9275aca5aa410e1c03581f2694d54653b23ddbfafafe7f0a
Opcode Fuzzy Hash: b59b8f8c75929de3e0e340fdef787c2ea8eb2b2fd07ad7c68e3d68e2ebc91e70
Instruction Fuzzy Hash: 4C5155716083429FD754DF29C981E6BBBE9BFC8A08F44492DF599C7250EB30DA05CB92

Function 018C45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 5490b035714e7af16ed8c11a831751762423b66e00d00228cb39c219ad5e956c
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 3B518175E0021E9FDF16DF98C850BEEBBB9AF45B54F044069EA05EB240D734DA84CB91

Function 0192E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: de68b24f2add0cd12603ba5cb81c91045d95d309dca4668199a7ba35dabc9977
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: F651FA31D0022AEFEF21DF99C8D4FAEBB79AF00315F104615D51AA7294D7709E40CBA1

Function 01968B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977fbaeb14a617e648a8f2c4f8c062eb62dc7881f5766857cb4c92a1a1f4ca06
Instruction ID: 66908002017e449efacc281d2b6cb9ad29c344f07c91e52e7e2bae798d82deac
Opcode Fuzzy Hash: 977fbaeb14a617e648a8f2c4f8c062eb62dc7881f5766857cb4c92a1a1f4ca06
Instruction Fuzzy Hash: 8741D3B0B017019BD729DB2DC994F7BBB9EEFD0221F188619E95D97284DB34D801C6B1

Function 0192CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b07f4b29d01d324564bd000055d8b88393436cfb98a01effbf789fe3252e495
Instruction ID: 51ee77836c366ba3bfb57176fb2ef42b75a7bf95896f6ac4199b73890ed0bf50
Opcode Fuzzy Hash: 4b07f4b29d01d324564bd000055d8b88393436cfb98a01effbf789fe3252e495
Instruction Fuzzy Hash: 76516C72D0022ADFCB20DFADC9809AEBBB9FF48355B554919D549A7308D730AE41CBD1

Function 018DA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d3718e06cd797127a82c82e8d7a9c29692a05c6da4723fe1c18d5d58c0e1a1
Instruction ID: 4b98b0cb94e590c53168ed9b89e732347e5428e254331581ad709f75de209102
Opcode Fuzzy Hash: 65d3718e06cd797127a82c82e8d7a9c29692a05c6da4723fe1c18d5d58c0e1a1
Instruction Fuzzy Hash: CD413432A443069BCB29EFAC98C1F6E3775AB58718F00046CFD06DB209D7B2DA00C7A1

Function 0196A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: cc00be317a8cd26d2b7ed051ee5bf734f22ba133ed3387deeab8891c8ce13ad6
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: BE41D431A007169FD725CF28C984A6EB7AEFF90315B054A2EE91A97740EB30ED04C7A1

Function 018D01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2152378af2ed993b167ebda0819f722b53c56b89c9d23befbf758fad1547e9
Instruction ID: 290b86838941603ee8c618a26079747efe40e42898ad6e3e8da922efcc882281
Opcode Fuzzy Hash: 7d2152378af2ed993b167ebda0819f722b53c56b89c9d23befbf758fad1547e9
Instruction Fuzzy Hash: B741BA36E013199BDB15DF98C440AEEBBB4BF48714F14816AF819FB240EB359E41CBA5

Function 018CEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32fc83fd0ffea30a11720eb8670fe1fc8740fe48b5d19c9d89ebf810a246204
Instruction ID: 9c23340de426c30b16bf5246237cc6c3c1f619a67d4ccb27f26c2d859da76460
Opcode Fuzzy Hash: e32fc83fd0ffea30a11720eb8670fe1fc8740fe48b5d19c9d89ebf810a246204
Instruction Fuzzy Hash: CD41B1722143069FD725DF2CC884A5BBBE9FF88728F00482DE656C7751DB35EA448B51

Function 018E2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 0f024098307b18ba52097ba38335c49cac9c9f3db5c8cf21bca15c92312490d7
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 09516C75A01259CFCB15CF98C580AADF7B6FF84710F2481A9D919A7395D730AE82CB90

Function 018A6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b3b5e9a99c6fdc0fb76fb78c34065d93f45685ab26947e5c57280935afab44
Instruction ID: 046f4d3969ac90c48eb3fa56e6064534ba129b16efe185ecea48bd7476441ed0
Opcode Fuzzy Hash: e3b3b5e9a99c6fdc0fb76fb78c34065d93f45685ab26947e5c57280935afab44
Instruction Fuzzy Hash: 2B51E670900216DFEB26CB2CCC44BE8BBB5EF15314F1882A5E529D72C5E7346A81CF41

Function 018A0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbac657d296bba802e0c260ddadea879124ace5abc821c8cadaa31c170c270d
Instruction ID: b40302f605f1db94d45ae0120ccb26d9a45d65d71a0d74ec8546d388649897bb
Opcode Fuzzy Hash: 7dbac657d296bba802e0c260ddadea879124ace5abc821c8cadaa31c170c270d
Instruction Fuzzy Hash: 4A417271A002299FDB31EF6CC984BEA77B4AF45740F4100A9EA48EB291D774DF84CB91

Function 0196866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 228db2c62aa6663072218de3e326ec405f620e4c8441b18d143213c620b735b2
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 0A41A675B10305ABEF15DF99CC84AAFBBBEAF88650F144069E908A7341D674DD00C770

Function 018A0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c3d8874bf3c9024c0385063b3b19fd618c601daad8ff3643374ef4aaaf1489
Instruction ID: 5f1bf1509691575b22410c4748df7245a75582b296633db8976f690e27ef6ceb
Opcode Fuzzy Hash: 60c3d8874bf3c9024c0385063b3b19fd618c601daad8ff3643374ef4aaaf1489
Instruction Fuzzy Hash: C541B1B1600B059FF325CF28C880A26BBF9FF49314B584A6DE54AC7A51E730FA45CB90

Function 018CA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33a29917ca40575d33c5cc632ce4fbd20cbae780212c5ee7f715eaa47598f75
Instruction ID: 12db6690d931b72c6e2542b7f36bed0359df49248895210a507f626766cca249
Opcode Fuzzy Hash: d33a29917ca40575d33c5cc632ce4fbd20cbae780212c5ee7f715eaa47598f75
Instruction Fuzzy Hash: BF41D132944209CFDB2ACFACD5987ED7BB0FB18B14F044559E411EB281EB34DA01CBA0

Function 018A8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867812995b98e979757b51193b05a6eab72737628a1c0f8ecb1bc535dd67d751
Instruction ID: 504b50d542769c5d592b9d6b2275f2799657448b4e4228c50619fd6297c912d6
Opcode Fuzzy Hash: 867812995b98e979757b51193b05a6eab72737628a1c0f8ecb1bc535dd67d751
Instruction Fuzzy Hash: 74412332A04206CFE726DF4CC984A6ABBB5FF96704F54802ED901DB245C775DA02CFA0

Function 01898918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a220733d99e0dfb2980e682fc2ae671477e3e9659bd1372dc1f95e9bb3f36ad
Instruction ID: 9d03133326b24b97fa956786b6b70d85ff7d63b21ab39402d174960f15976a87
Opcode Fuzzy Hash: 7a220733d99e0dfb2980e682fc2ae671477e3e9659bd1372dc1f95e9bb3f36ad
Instruction Fuzzy Hash: 44413C3250830A9FD712DF69C841A6BB7E9AF86B54F44092EFA84D7250E730DF458B93

Function 0189A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 8683cfaf6b01f8d693c811e80d29d891e270ede5bae09265e6caa4aeb57b7459
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: F2410B31A04216DBDF19DE5DC8447BABB71EB50754F19C06EEA45DB240D6329F40CB91

Function 018A09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38502f0733b0bbe3db904f17b47154611c777ad5f8812c91da8ec727c1a40b87
Instruction ID: 1ca0b09cd7a81640f3ab88fd408b788ccf07a3ea9d7b133ae79a7b1730f11ff6
Opcode Fuzzy Hash: 38502f0733b0bbe3db904f17b47154611c777ad5f8812c91da8ec727c1a40b87
Instruction Fuzzy Hash: B3415871600601EFE721DF18C880B66BBF5FF58314F648A6AE549CB251E771EA42CB91

Function 018D0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: f6fb7111d380100b1ea750e08fdd96948b1c53226a50593ae412ec0f3081d5c0
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 54410571A00709EFDB24CF99C980AAABBF9EF18704F10496DE556DB691D330EA44CF90

Function 018A262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a2092eddd5ed954db20c84ed05e35f2a99fa1991e0e4f7ffbd2acba92f8dd3
Instruction ID: 1abbb85539b963a5d1bda9818dff3ba066324f2994e8bd9c2e573b7bdeaf5800
Opcode Fuzzy Hash: e9a2092eddd5ed954db20c84ed05e35f2a99fa1991e0e4f7ffbd2acba92f8dd3
Instruction Fuzzy Hash: 65419CB1902705CFEB31EF2DC940A69BBB2FF54314F5482A9C506DB6A1EB309B41CB52

Function 018DC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71321d1a68c2c42a63dade2a75e444db8614710e174c7d141919f86c734cd3b2
Instruction ID: 630abbbcc980fd53953a99b618f555d255c49e62db73e1f901044b05775ade63
Opcode Fuzzy Hash: 71321d1a68c2c42a63dade2a75e444db8614710e174c7d141919f86c734cd3b2
Instruction Fuzzy Hash: 1B315AB1A40345DFDB12CF58C440799BBF4FF49B14F2085AED119DB251D7369A42CB91

Function 019207C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f95b3cbea146cadbb66b129ffdb2e5efcde434a882f94e0d1f9ed6f00a4f602
Instruction ID: 5e9e3801fc7ac90f7b810112ca2caa537b56d19d081e9eacd40b0632aa2a9607
Opcode Fuzzy Hash: 9f95b3cbea146cadbb66b129ffdb2e5efcde434a882f94e0d1f9ed6f00a4f602
Instruction Fuzzy Hash: F5418C729083119FD720DF29C845B9BBBE8FF88714F004A2EF598D7250D7709904CB92

Function 018980A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f92232c39688723fba6546940ecf400dbe582cc9e5be08fb1886b68c684ac55
Instruction ID: 8cfc4de5be608417b994251ce1e54ab5a9b0d0b2b74f08db66a1c0869fdb8bd5
Opcode Fuzzy Hash: 9f92232c39688723fba6546940ecf400dbe582cc9e5be08fb1886b68c684ac55
Instruction Fuzzy Hash: 8E41E3B1A0491FDFDF01DF58C880AA8B7B1BF46764F18822AD815E7280D734EE418B90

Function 019205A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d615075f00a3a5dd0e913476e176c4a340d854a6eecc7aa810bac170c17dc7b3
Instruction ID: a8bf9b5ad02ca744039d0fa4ce632c443a1242c48357f93ea6cd13812a1228d6
Opcode Fuzzy Hash: d615075f00a3a5dd0e913476e176c4a340d854a6eecc7aa810bac170c17dc7b3
Instruction Fuzzy Hash: CE41C3726047529FD320DF6CD880A6AB7E9FFC8700F180A19F998D7684E734E904C7A6

Function 018A4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f886c39990fa0d0648246dfca4878712d69e30a7975247b9d75b09b28af3c211
Instruction ID: fd33aa61886b012b4a5f73093a986d7ee1e5fe959f84af11bb1f654ff4a1f4e5
Opcode Fuzzy Hash: f886c39990fa0d0648246dfca4878712d69e30a7975247b9d75b09b28af3c211
Instruction Fuzzy Hash: B241D5702043028BEB25DF1CD894B2ABBE9FF80354F5C442DE645C72A1D7B0DA61CB92

Function 01898B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ce5a5b8cceebfc1507153aed63b2a4556688461c524ca32f6ab0775080f20e
Instruction ID: aa779cf69849eee5df23d54f201b2b2dfeb0fcf982457aebe5ee13af287cb9ba
Opcode Fuzzy Hash: d3ce5a5b8cceebfc1507153aed63b2a4556688461c524ca32f6ab0775080f20e
Instruction Fuzzy Hash: E3418071A0164A9FCF14DF6DC98099DBBF1BF8A324B18862ED566E7250D734AA01CB40

Function 018B02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 04c8c44728d20bd8f0e34c96fdfff83d404650747c87dab680e8ee609584287b
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 4C312831A05244AFDB128B6CCC84BDFBFF9AF18354F0485A5F819D7392D6749A84CBA1

Function 0194E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ebf1af12129ba7e23ec4c7d85f1144c4916a7d3a75fc13b443d31e9d04a8d95
Instruction ID: 081d27206ae6b8c77c09229dc69336d4d611899a0f59b9305ae4c791860109fb
Opcode Fuzzy Hash: 1ebf1af12129ba7e23ec4c7d85f1144c4916a7d3a75fc13b443d31e9d04a8d95
Instruction Fuzzy Hash: C4317835740716ABD722DF998C91FAB77A9BB59F50F000028B604EB391DA78DD018791

Function 01954B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334afa3258fe6851ca04829d87a0eab4f6a21c5165e09243cae73db168923aef
Instruction ID: bc21801a21e385fbc35ae7d850636151b72fb36effcc0c43c4faa8e47e35030c
Opcode Fuzzy Hash: 334afa3258fe6851ca04829d87a0eab4f6a21c5165e09243cae73db168923aef
Instruction Fuzzy Hash: FC31C332A092018FC3A1DF1DD880E5AB7FAFBC0361F09446DE959AB251E731A880CB91

Function 018A4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d66bee02d3122c3522b8c7186d19b0755d844033fc9956fdf55cc1421b3a46
Instruction ID: 3746106bba060d94ebe33c8eecd2914e7208ecd1f72f2adf89fba501380df1a2
Opcode Fuzzy Hash: 11d66bee02d3122c3522b8c7186d19b0755d844033fc9956fdf55cc1421b3a46
Instruction Fuzzy Hash: 8F419C32200B45DFDB22CF2CC885F96BBE9AF59754F188429E659CB290C774E944CB90

Function 01954BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2aa39a403cd69400d00ab08e202e232de71ab6da87392911698621fbaf7b33
Instruction ID: aa5533b91d80fed4a59362153ae418d471861445ce2743bccd1bb2fbd8e8522d
Opcode Fuzzy Hash: ca2aa39a403cd69400d00ab08e202e232de71ab6da87392911698621fbaf7b33
Instruction Fuzzy Hash: EB316D71A042019FD7A0DF2CD880EAAB7E9FBC4710F09496DF959AB351E730E944CB92

Function 0191EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d381f5420a5d007bdc9b90e87da49094fe052a8547493ba9b818d4d895d1bde
Instruction ID: 733965a6224957f123a8be8145fab07a301cbc1e8edd588616b449e354147911
Opcode Fuzzy Hash: 8d381f5420a5d007bdc9b90e87da49094fe052a8547493ba9b818d4d895d1bde
Instruction Fuzzy Hash: 5631D77174168A9BF3235B5ECD48F657BDCBF40B45F1D04A0AF499B6D5DB28D880C221

Function 019661C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c7a64b23c44516e0b21220a0fa3ab98e813742d37a277a15b20eadf2b7a5c6
Instruction ID: f7238142de332a4626decb3b1ab5ef29bdc3e15d101ecb8faa58ce6dbc7393b4
Opcode Fuzzy Hash: e8c7a64b23c44516e0b21220a0fa3ab98e813742d37a277a15b20eadf2b7a5c6
Instruction Fuzzy Hash: 5E31C176A0025AABDB15DF98CC84FAEB7B9FB44B40F454168E904EB244D770ED00CBA4

Function 0194483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dcd98182635558d2ab18db23feacc36be7caa4bee9f59491193ce1dbd574e5
Instruction ID: 1dcf971ff667ebe7fd7eba5d839e7cd1b31bf80142a81dd54e3d71f59fa52d21
Opcode Fuzzy Hash: 49dcd98182635558d2ab18db23feacc36be7caa4bee9f59491193ce1dbd574e5
Instruction Fuzzy Hash: 95315376A4012DABCF21DF98DC84FDEBBF9AB98750F1000A5A50CE7250DA309E919F90

Function 018CEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c00bd1b812509dbd4293bb12329e2deca13e13654ec99522e65d877679707e
Instruction ID: d2a4d82bd15ab37311303b6843b0b25d126662d7de0413de15ee66ec01c640fa
Opcode Fuzzy Hash: 18c00bd1b812509dbd4293bb12329e2deca13e13654ec99522e65d877679707e
Instruction Fuzzy Hash: 89317072A01219AFDB31DEADC840AAEBBB9EF44B50F114469E916E7250D670DB009BA1

Function 019660B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b96b5071f05b527fe70963f6edc92b493f16126400d43ecdbb7adfff35ca95
Instruction ID: 3cced58d73c759fd92d4d6f743b6abce960052537b9f9a3ca92f705b59b62e81
Opcode Fuzzy Hash: 32b96b5071f05b527fe70963f6edc92b493f16126400d43ecdbb7adfff35ca95
Instruction Fuzzy Hash: 9431C571A00606EFDB12DFADC890B6BBBBDBF84754F014069E509DB341DA30EE018BA0

Function 018A07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b1a066bb6b9a5d3f499adbafedf51ef5b8210a23911adf0f8356a7786dbde4
Instruction ID: 3d75a9e6064e3db0ed4dab84392222b64f344efe8c78793aa3ee4540f7de2d9c
Opcode Fuzzy Hash: a7b1a066bb6b9a5d3f499adbafedf51ef5b8210a23911adf0f8356a7786dbde4
Instruction Fuzzy Hash: 8C310532A04706DBE712DE288C80A6BBBA5AF94750F41452DFD55D7311DA30EE0187E6

Function 018A8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4257710af81d58664aa002dfb0e04672e1e8eaa196c86607838e11c24dc5f430
Instruction ID: 596fa34655da04d8e2aa17e6bddb9e983dada0853d4d614178f3ee1933036e24
Opcode Fuzzy Hash: 4257710af81d58664aa002dfb0e04672e1e8eaa196c86607838e11c24dc5f430
Instruction Fuzzy Hash: 99316B716093018FE721CF19C844B2AFBE9AB98701F55496DF988D7291D770E944CBA1

Function 018DA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 8b1a67b3f41d00c624fd111b10c6dc8b6c92beec5a2ac60240656725be226aef
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 06312BB2B00B05AFD765CF6DCD40B57BBF8BB08B50F15496DA99AC3650E670EA00CB61

Function 0194EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6c35c0507fe3005c42c0f1fb23adde02e5a2769da6737730a7f0f64db4c371
Instruction ID: 8cf0f485e86a367057590f072bd6cc97fd51d4795c506ec24269c5a8e83efd62
Opcode Fuzzy Hash: 9c6c35c0507fe3005c42c0f1fb23adde02e5a2769da6737730a7f0f64db4c371
Instruction Fuzzy Hash: 4D3189B19093028FCB21DF1DC58085ABBF9FF89216F0449AEE48C9B351D334EA44CB96

Function 018C438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b45887c7a7bb8e7c31908003ee2f6b96d9d3c1ef64dbabf4098887223c7c225
Instruction ID: 1bde802ffd70275fe82671e3e7b414041bfbc9cc3ca328a8e8ae5f3f0fd1f4a5
Opcode Fuzzy Hash: 6b45887c7a7bb8e7c31908003ee2f6b96d9d3c1ef64dbabf4098887223c7c225
Instruction Fuzzy Hash: D631E231F012069FD720EFA9C8D0AAEBBF9AB90B04F10842DD106D7695D730EA81CB91

Function 0189CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 754c9c263c21a4b48067a7114fa6887b2ae52e9c979ae358ea9bb697670bee3e
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 78210936E0025AAADB10DBB98851BAFBBB5EF14750F0980399E59E7340E371DB008791

Function 0189C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd143ec63dc0ba2da1e40879fb2342f7047a0d0e76a11ccd06c4372512c0dfe
Instruction ID: 288c03815c0ab5cae049c866547cae7ac8c0a3c02928a01c7ac6520a5f44df2b
Opcode Fuzzy Hash: 6dd143ec63dc0ba2da1e40879fb2342f7047a0d0e76a11ccd06c4372512c0dfe
Instruction Fuzzy Hash: 9C310BB25002018BDB21AF5CCC85BA97BB4AF55314F58826DEF45DF346EA34DB86CB90

Function 0195C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: c0a9f62bf95dd8890fc9351f467f540642467e54201ba68f5f5aef65fa8e3725
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 5D212D3660075666CF15EF998C00EBABFBCEF80B14F40801AFE99D7651E634DA40C361

Function 0189E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a68382702472987014c4c17eb57e25a1f8b36cecf6c7e30b90715553905c8e
Instruction ID: 01b4d6fbf5daf389bed1bdfbae9a876978d7b0081b0eb0cbd3cff056b1f8e54b
Opcode Fuzzy Hash: 31a68382702472987014c4c17eb57e25a1f8b36cecf6c7e30b90715553905c8e
Instruction Fuzzy Hash: CC31A232A0152CABDF31DA18CC81FEA7BB9AB15740F0501A5E645E7290D674AF808F91

Function 018D4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 99bd22e94ffb990cc7adcbc5853a70a4a1523476acc6195e8f9e5fcf58cf7b13
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: BB217F72A00709EFDB15CF58D980A8EBBB5FF48724F108069FE16DB681D671EB058B90

Function 018D44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf352518afa14cfff2f5644c65b1365eb2c584159cf222e316fdcfbb2638aa57
Instruction ID: 280b0f6e5413e9f6ae0f102e64d2d7354dae6402743e2c13193c1aa1ad49f49f
Opcode Fuzzy Hash: cf352518afa14cfff2f5644c65b1365eb2c584159cf222e316fdcfbb2638aa57
Instruction Fuzzy Hash: 912191726047499BCB22DF5CC880B6B77F8FB88760F414529FD59DBA45D730EA018BA2

Function 0189E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 1a3a508020f9e266e878e66217eae55682a7202d386a5d014daf24087ea21add
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 1A316C31600605EFDB21CFA8C884F6ABBF9EF85354F1845A9E652DB291E770EA01CB51

Function 0191E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6274eb2c187dbd192b6a0548ece93e539eeeb524d400ccc8c55a5a36535a0571
Instruction ID: 550bd1bbd806705b9c7c35b7028208b7e436adaa845752c2242c617e53975ec6
Opcode Fuzzy Hash: 6274eb2c187dbd192b6a0548ece93e539eeeb524d400ccc8c55a5a36535a0571
Instruction Fuzzy Hash: 36318D75A0020ADFCB1ACF1CC9849AEB7B5FF88344B554859FC099B395E731EA80CB91

Function 019206F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a3489ce811eb0ab4b61153418f81f3895b2515357a7cd5e75f72ae9c363b95
Instruction ID: 19b057209fcdfe132040189b55b5307a09215b7623b1c9db30894b020f593eef
Opcode Fuzzy Hash: a4a3489ce811eb0ab4b61153418f81f3895b2515357a7cd5e75f72ae9c363b95
Instruction Fuzzy Hash: 4F219F71900229ABCF21DF59C881ABEB7F8FF48740F550069F945EB254D738AE42CBA1

Function 0192019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734288e71df1af84c5e3f0aff9e4b3a500a5c5550248c51182167cdefe1bc56f
Instruction ID: b3b590b14ac0e6a26ffe75e5aa4c78bf368edbb40f952a96e43a53060dbb59c3
Opcode Fuzzy Hash: 734288e71df1af84c5e3f0aff9e4b3a500a5c5550248c51182167cdefe1bc56f
Instruction Fuzzy Hash: 2121BC71600615AFD715DF6CC880F6ABBA8FF49740F18006AF908D77A1D638EE00CB64

Function 01920283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae69ab5e731fcd5554e4d99cf92f1b7d232dcc63fb25dcfd3542b8218751a19
Instruction ID: d55f46897ef088164e1a252f113257cec96d0d6c451d082c78d112d21ee0060a
Opcode Fuzzy Hash: eae69ab5e731fcd5554e4d99cf92f1b7d232dcc63fb25dcfd3542b8218751a19
Instruction Fuzzy Hash: 1521BD729042569BD711EF5DC884B9BBBECAF91740F0C085AFD88C7255D634CA48C6A2

Function 018C2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ee7af9520093486614746c9bf0d8db87dc373ec92458b322e6f5aa9390fef6
Instruction ID: 0a8eeb6e81ba0be2c7006679d7f509761f53fe78d2845f01a00e2bf5774000e0
Opcode Fuzzy Hash: 62ee7af9520093486614746c9bf0d8db87dc373ec92458b322e6f5aa9390fef6
Instruction Fuzzy Hash: 4D21C2316457859BF323576CCC44B693B99EB41F64F280364FA24EB6E2DB78C9018251

Function 018DA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0246fe71097513861dc00531553364c2e7c9a307bbe2abb35924b45740d43f6f
Instruction ID: 50507b88914518dfc9f1f14c2daf11f71c41f1ee8d95f13e0c865f22d09eb0a8
Opcode Fuzzy Hash: 0246fe71097513861dc00531553364c2e7c9a307bbe2abb35924b45740d43f6f
Instruction Fuzzy Hash: ED21BB35600B019FCB29DF29CD40B46B7F6FF48B08F248468A509CBB61E771E982CB94

Function 0195A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a591e6beb6b974eb9efa0a7efc685e51479ba2e2d07b889039afa80cda015b
Instruction ID: cc238aea9831144ebe32e19eb65c4c63ad646d8cf299c1aa29b7129639a5e9bd
Opcode Fuzzy Hash: 23a591e6beb6b974eb9efa0a7efc685e51479ba2e2d07b889039afa80cda015b
Instruction Fuzzy Hash: 61115032340A117FE362DA589C00F2B7A99DBD4B60F500125FF0CE7180DB70DD01879A

Function 01920946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2033affeda1627c7721cc41086cc80c0fef23aefb8f5153139feca8ca7df523c
Instruction ID: ef0f632a9643f48473fbb5cfa1e049d285817dbd22e525a0264cf21f6cbe0b1c
Opcode Fuzzy Hash: 2033affeda1627c7721cc41086cc80c0fef23aefb8f5153139feca8ca7df523c
Instruction Fuzzy Hash: 662107B1E40219ABDB10DFAED885AAEFBF8FF98700F10012EE409E7244D7709A41CB54

Function 019380A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: fa92f1a5b1fbd5a0a239e75ce8bdb5a2dc0a88ae134b144d1445ab94472c30bd
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 59218C72A0020AEFDF129F98CC40FAEBBB9FF88310F204819F908A7251D774DA508B50

Function 018D0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: c4e142415c4d04fb6cbb5011ad44ff2d70a0a72ebe172f9fe235c756e8137772
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 0611B272601B05AFDB229F58CC81F9ABBB8EB81754F144029F604DB190D671EF44CB69

Function 018A8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950d58f18b6d608da52eaf8d2a9174cc2ac7e9d32fd6841a371ddf88a9ad5e9e
Instruction ID: bc5cc521d79bac73dd9e4b8dbc113437ef91570a7188a944577359ebfc9c1819
Opcode Fuzzy Hash: 950d58f18b6d608da52eaf8d2a9174cc2ac7e9d32fd6841a371ddf88a9ad5e9e
Instruction Fuzzy Hash: DB11B2317016159BEB11CF5DC4C0A16BFE9EF8B711B98406DEE08DF204E6B2DA11C7A0

Function 018DAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 7dee15f9187d17cb1494fcf8535afaf6349bf9a60fde7edfe4475cf7ddd67ef4
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 59217972640745DFD72A8F49C540A66FBE6FB94B14F24883DE94ACB650C771EE02CB80

Function 018A80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36aad44d4199741214673b7d18523b116434019f204505de740cc5da9038b72b
Instruction ID: 86327113178689953c8fc0f184889aad31cdf6658fce95e60b4365673285a1c3
Opcode Fuzzy Hash: 36aad44d4199741214673b7d18523b116434019f204505de740cc5da9038b72b
Instruction Fuzzy Hash: B0219F71A00609DFDB14CF58C580AAEBBB5FB89318F60416DD105A7310C771BE06CBE0

Function 018D674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e39a7dc2b8bd775fa5cc6ef7ca54be42e7e4df5d564fbb38a1103e787629af5
Instruction ID: ae60839e340d5c9b1d11d8a8af13b59aa644dde2e0af9768b9c9f2f67e11f413
Opcode Fuzzy Hash: 1e39a7dc2b8bd775fa5cc6ef7ca54be42e7e4df5d564fbb38a1103e787629af5
Instruction Fuzzy Hash: DC218C71610B08EFD7218F69C881F66B7E8FF44354F10892DE59EC7250EA30AA40CBA1

Function 018CE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896ede19b44a75ec7ae3415ab3dd1122749f4515b390c47c891f059048f080e6
Instruction ID: e3badb722d0440b23f83ce3f2132e8cbb463c9a4960c9fca35fd3ae00361208a
Opcode Fuzzy Hash: 896ede19b44a75ec7ae3415ab3dd1122749f4515b390c47c891f059048f080e6
Instruction Fuzzy Hash: B5114C323002149FCF1ACB2DCC91A6F765AEBD5774B24452CD926CB380D930D902C290

Function 01936870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3b850e36b20aebbcbc6baf8c52d9c52c850f7121f0a60a5c0833d4462e1c46
Instruction ID: b64cd7baa2836e152954ceb0e9922c3496e7cd139256ed93eb540f81af8ae3ff
Opcode Fuzzy Hash: 4c3b850e36b20aebbcbc6baf8c52d9c52c850f7121f0a60a5c0833d4462e1c46
Instruction Fuzzy Hash: E611A372240514FFD722DB5DC980F9A77ACEFD9B51F114025F609DB261DA70EA01C7A1

Function 018D66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68cd3645b2ba9686389ae98604eddbaa56f7cb7dbf0355199c5c4d46186a8be
Instruction ID: c844f9a2979c7e9453ebcbf922c3024eb14c00fea23868c9d5b5b4d799f87d79
Opcode Fuzzy Hash: a68cd3645b2ba9686389ae98604eddbaa56f7cb7dbf0355199c5c4d46186a8be
Instruction Fuzzy Hash: 6811BC76A0130D9BCB25CF9DD580E5ABBF9AB98750B228179E905DB310F634DE00CBA0

Function 0196A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 435891a54141e5fe39f046e1cd8a4a8d7e7b1b0d829bd2a428900754e98b0faa
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 0E11E236A00905AFDB19CB58CC05A9DBBF9EF84210F158269EC49A7340E635AE41CB90

Function 018A0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: c7c6c735d0a505d40a872d5a56f834b1e69d74d265440d172ffcf54cc8adbbc3
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 8E2106B5A00B059FD3A0CF29C580B52BBF4FB48B10F50492EE98AC7B40E371E914CB90

Function 0192E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: acb4a42e83f52b2b4aacf9e88da6e6b97e438325d54e3c2b0e7923202a977dbf
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: BD110631600611EFE7219F48C880F567BF9EF41755F068428E98C9B164D7B0DD40C792

Function 018C27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1d9cc4382caa5aa427a46cf4c90a6679018f10d0ba9df87192448a615dba78
Instruction ID: 5a20cd53b8bb59a5f2fd723888809753c31029ec3d14733026a15a0185d77a17
Opcode Fuzzy Hash: de1d9cc4382caa5aa427a46cf4c90a6679018f10d0ba9df87192448a615dba78
Instruction Fuzzy Hash: 4A012631605749AFE317A66EDC84F6B7B8DEF80B55F090068F904CB2C0DA24DD00C2A2

Function 018A4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ece9429846dc086ae484af64776f47e3222196bd2318f4594b70d18f283b556
Instruction ID: 93e926ee94d9ae9c2ffabc7f18716aa127a5b4b30bafc246774143f97788077f
Opcode Fuzzy Hash: 8ece9429846dc086ae484af64776f47e3222196bd2318f4594b70d18f283b556
Instruction Fuzzy Hash: 8111A036200689AFEF26CF5DD884B567FA4EB95B64F484119F905CB661C3B4EA00CF60

Function 01974B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdc01ccde849afba0a298866de7f7e9e6f5e4f7500064939a099b2aad745d09
Instruction ID: 29eecd3002c258dc114b2af7d2e689617c4945f2ce86995bb30faa81b0c888e3
Opcode Fuzzy Hash: 6cdc01ccde849afba0a298866de7f7e9e6f5e4f7500064939a099b2aad745d09
Instruction Fuzzy Hash: E711C236200611DFD7229A6DD840F7AB7AAFFC4711F194929EA4AC7691DB30EC02CB91

Function 018D6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6924459bd22342a3953c2539bdb112207f61cc946ad37e7cb090f8f185a43beb
Instruction ID: e01664cfe0266983376eff4f8164e5e4183dc8bbacd156c85c2478a679eff250
Opcode Fuzzy Hash: 6924459bd22342a3953c2539bdb112207f61cc946ad37e7cb090f8f185a43beb
Instruction Fuzzy Hash: 7A11C272A00719ABEB21DF5DD9C0B5EFBB8EF84750F600455DA00E7200E730AE018B50

Function 018CEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c282a990b59c9a4bba5237b09e5dd2eb3d610fa89b65d5eb35affa967045abc
Instruction ID: 9df443302c62d8ac814d429c918ef28a2fbbddb4119b7111d0ea9b3aa6aa7ef5
Opcode Fuzzy Hash: 4c282a990b59c9a4bba5237b09e5dd2eb3d610fa89b65d5eb35affa967045abc
Instruction Fuzzy Hash: 300192715002059FE726DB1DE444F26BBF9EB95714F25816EE105CB660D770ED42CB90

Function 018CE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 5c07b1d383e45d002671fc7a85ad1514ab566b92b9b8692f70c6844df7b5d676
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 8C11E5722016C69FE7339B2CC984B653B98BB50B48F1904A4EE45DBB82F338CA42C251

Function 0192E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 41df428c0465b3dac42cbf876e8bc8b2f5b216a1ab3831daa7a5ae813f5e3cc0
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: B701B536A00125AFEB219F58CC80FAA7FADEF85B51F158425EA0D9B274E771DD40C790

Function 0189A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: eeaf5ce15f29ebc0c8349faad638827d1a6464312cbbe5b6a8a2feb60b5045ec
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 490104314047259BCF258F599C40A267BB4EB55B6070485ADF895CB281C331D600CB60

Function 01974940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a52f4ad56dd9d7bf6f9d2c9b9131faa3ca13310afeccdb3d7756bfcc4f0c0b
Instruction ID: 1fa79291cf819bf191abea5bede6d353b56db7e79c0390d819ba990caf6abb68
Opcode Fuzzy Hash: 44a52f4ad56dd9d7bf6f9d2c9b9131faa3ca13310afeccdb3d7756bfcc4f0c0b
Instruction Fuzzy Hash: 7C01C472541501ABC322DF1C9840E52B7ACEF95B71B164255E96C9B297E630E901C7D1

Function 0191E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37d32abd34f28d3dfb9d47f58079b367c2e761cbc480d0b739a20f527923931
Instruction ID: 0a3ae3817e320c465474fef0806f2513c9c05b78a534ad2c318fb91bbafd4843
Opcode Fuzzy Hash: e37d32abd34f28d3dfb9d47f58079b367c2e761cbc480d0b739a20f527923931
Instruction Fuzzy Hash: B911CB32241200EFDB16AF09C890F46BBB8FF58B84F200464EE09CB261C231EE00CA90

Function 018A6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0205db285c0bf2c8f87a6ddcba19a2b56fa71ecd587932c3611d394d9269154f
Instruction ID: f19d6b37a587865d7809b8a57c1bbcf2b630bcb4350a613f9303a0d624a86611
Opcode Fuzzy Hash: 0205db285c0bf2c8f87a6ddcba19a2b56fa71ecd587932c3611d394d9269154f
Instruction Fuzzy Hash: 1A115E71941219ABEF25AB68CC45FE973B9AB44710F5441D4A318E61E0E7709F81CF85

Function 018A208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: a44e8045619ca415f2f32d118ef7617966027d96df02d38706957200b9d69eb3
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 6F0124332001108BEF219E6DD880B92776BBFC4700F9945A9EE05CF246DA71CE81C3A0

Function 01926050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee008dab033ae174cfd4ad78f28771851358896998630ec402759f9d6706593
Instruction ID: 6e2df445e53a02716a4ce2c3833034fb9a2e43ca32247f80db8f72de4ce16826
Opcode Fuzzy Hash: aee008dab033ae174cfd4ad78f28771851358896998630ec402759f9d6706593
Instruction Fuzzy Hash: 25111772900119ABCB12DB99CC84DDFBBBCEF48354F044166E906E7211EA34EA15CBA1

Function 01936500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88e48d4600581034898f76bb2c640cdf928219f7e94e5c46add755999ce93e8
Instruction ID: 73ab9ae25278451d51bd910212d9aba2953a3ce89a530316be476270026b42bb
Opcode Fuzzy Hash: d88e48d4600581034898f76bb2c640cdf928219f7e94e5c46add755999ce93e8
Instruction Fuzzy Hash: 3211C472644146AFD711CF5CD840BA6BBB9FB9A314F088169E848CB355D732ED81CBA0

Function 0192C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc970ad0abd55a283b0f6ccf02ead895dce1024ca79fa3bf043c720e54d1a8cb
Instruction ID: e6af3c1c2ab83eb160cb2f5f1bbd148ad6e59ee765104ed798693801b8d6d86a
Opcode Fuzzy Hash: bc970ad0abd55a283b0f6ccf02ead895dce1024ca79fa3bf043c720e54d1a8cb
Instruction Fuzzy Hash: 03111CB1A002199BCB00DF9DD585A9EBBF8FF58350F10806AE905E7351D674EE018BA5

Function 018E20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0466ec843d853b1668371d19e8e6cc919225c590e230fb73a0df64a88eff80c
Instruction ID: c89b492bc325550fd83137e713dff1c3a28700b28257390d10686d13a0f39574
Opcode Fuzzy Hash: f0466ec843d853b1668371d19e8e6cc919225c590e230fb73a0df64a88eff80c
Instruction Fuzzy Hash: 0F116935A0124DEBCB05EFA8C855EAE7BBAFB45744F004059E906DB290EA35EE11CB91

Function 0189C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 5ebd69e0deec2f53913c6f1cc990e0900c7e16d33b75a0c0ffbeb3f45fc62cd3
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 6D01B5321007459FEF2296AAC844EAB77E9FFC9714F08491DAB46CB540DB75E602C751

Function 018DE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1966866fd9de9ed65b59907ed09cf5e8dd53d779f4be86f7f22d02c3c780685a
Instruction ID: fcf584bb9b3a57edc36c8e8091634c52a2b7f00ad00906ce080c39d4e1634dc2
Opcode Fuzzy Hash: 1966866fd9de9ed65b59907ed09cf5e8dd53d779f4be86f7f22d02c3c780685a
Instruction Fuzzy Hash: B301DF71200A06BBC311BF6ECDC4E93BBACFB957A4B000629B609C7A50DB34FD01C6A1

Function 019369C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e450d9f4fa4c3b3891bef7e6118e01198c19f0b52b1b184f3a8ba28938cf2ec1
Instruction ID: f2fa57ff74411e5dc4532c5436e1710bb64f7b4aca3696b4e6dff21d6c475024
Opcode Fuzzy Hash: e450d9f4fa4c3b3891bef7e6118e01198c19f0b52b1b184f3a8ba28938cf2ec1
Instruction Fuzzy Hash: E801FC32214202ABC320DF6DD888DA7BBECFF98760F114529E95DC7280E7309A12C7D1

Function 0192C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576315290773a21ec044a9b06193b65c6d91597e4e48c9bbbd58685fc121ddd8
Instruction ID: 7b6b9fc71fab133071842993e758bcf31fac30a4bd4b69409f40301d9cf5d5f2
Opcode Fuzzy Hash: 576315290773a21ec044a9b06193b65c6d91597e4e48c9bbbd58685fc121ddd8
Instruction Fuzzy Hash: BB116D75A0121DEBDF15EF68C844EAE7BB9FB48740F004059FD0597344DA34EA11CB90

Function 0192C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579a031e09c649fadfbe817fc66779ed57452ed2d390b68721d30d4ebaf4d313
Instruction ID: 147ad82ff7e12d3e8ecab8a054dedddc36794692af3d6967ff3d7df0cbfe26b8
Opcode Fuzzy Hash: 579a031e09c649fadfbe817fc66779ed57452ed2d390b68721d30d4ebaf4d313
Instruction Fuzzy Hash: C71179B16083089FC700DF6DD44299BBBE8EF99710F00495AF998D7390E630E900CB92

Function 01974A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 2720655a7f84240881f0385c4cf277a5b9e39fe20dbaf5582b993625600b725b
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 4C01FC32200601DFDB25EA5DD844F97B7EAFFC5710F044819E646CB651DA70F840C794

Function 0192CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f68dfa2822e1466ceca98c3beaf9ce53aa1df69113f0cbd0da87f5473c5b78a
Instruction ID: 3da1e8a078074ea056a3f4186798b1738024bbaf406e200f430629dfbd1f1bc7
Opcode Fuzzy Hash: 3f68dfa2822e1466ceca98c3beaf9ce53aa1df69113f0cbd0da87f5473c5b78a
Instruction Fuzzy Hash: 9D1157B16083089FC700DF6DD44194EBBE8BF99750F00895AF958D73A4E630E900CB92

Function 018BE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 42a60a07a11967161cd11c2d8fbab7336ef1ebd6af4d14da451435c7e7a19e96
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 2F018F326005859FE322871DC988FA67BE8FF84758F0D04A5FA05CBB91D638DE41C621

Function 0189826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04c6001abb7810c530f54234c1f9ad7c9f25e00c41fa720db4b5fd0c9123ebc
Instruction ID: 6b34792602fd169a895a5f6d6f8d63f016595a0e078b4b73205f6daf4c876d1a
Opcode Fuzzy Hash: f04c6001abb7810c530f54234c1f9ad7c9f25e00c41fa720db4b5fd0c9123ebc
Instruction Fuzzy Hash: 5D01D43260050E9FCB14EBADD8059AE77A9EF82310F5940A9DA05D7684DE20DE01C291

Function 0194EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4fd68aab990e4891e85b85ea822f31f00ae19dadf818c081bec23f5cdac1057b
Instruction ID: 7ba35ed6c64ed06de642563f8991cc591c32b430cbb8b8986791ebd90550dc8d
Opcode Fuzzy Hash: 4fd68aab990e4891e85b85ea822f31f00ae19dadf818c081bec23f5cdac1057b
Instruction Fuzzy Hash: EA01F271244705AFD3329F1ED880F46BAA9FF55B50F00082EB30ACF390C6B4A9408B64

Function 018A2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb9e08fef43e67c9d8edb5d41e9d0be2171fe4cacd665b5a25190e3ed245a27
Instruction ID: eaa8dfea11c31da3f60074caed2ea02dc9e902f307636d947a4d70d1b5e0b53a
Opcode Fuzzy Hash: 7eb9e08fef43e67c9d8edb5d41e9d0be2171fe4cacd665b5a25190e3ed245a27
Instruction Fuzzy Hash: F7F0A432641A11B7D732DB5ACD40F57BEAAEB84B90F154029BA06D7640DA30EE01DBA0

Function 018CC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 300d6a1922c0f4d1ad0110257bd7ff84313f1b5e5f5f31a2b20150a6b7bd7af9
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 11F0C2B2A00611ABD324CF4DDC40E57FBEADBD1B80F048128E509C7320EA31EE04CB90

Function 0189C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 440eabf1a808bbc58c3c080c04802b4141c282c89f685e84598c7f42a1655f25
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 96F0F673204A639BDF32169D8840B6BAA958FD5B68F1E0035E20DDB244CB628F02B6D1

Function 0197634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7fbd6711dfb00c0fc2853af2259c9debe62a04d40f88670502d8fd317ee45b
Instruction ID: e8445011997a97e81230b03a540ac3c1885bdee468bb1e4b01f7a409111c0892
Opcode Fuzzy Hash: ac7fbd6711dfb00c0fc2853af2259c9debe62a04d40f88670502d8fd317ee45b
Instruction Fuzzy Hash: 02017C71A10209ABDB00DFADE441AAEBBF8FF58300F10406AF904E7350D6349A00CBA1

Function 019762D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56b63f1d58173f65ecb9c1913d4f36636d5419dd55c6c815f3aa9249fdc4566
Instruction ID: da7ecfe5bbd2b00bb4cfb2400f13042921db50ad81c560e07a55788353338c6c
Opcode Fuzzy Hash: d56b63f1d58173f65ecb9c1913d4f36636d5419dd55c6c815f3aa9249fdc4566
Instruction Fuzzy Hash: 0E017C71A00209AFDB00DFADE445AAEBBF8EF58300F50406AE904E7390D6749E00CBA1

Function 0197625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457d62d605f44b1f9d6b792164a52093e1ceaebb9e929b6588a46d4238e7b3ca
Instruction ID: f35dea51bdf069965061715daa6d90e64c5a419b0b0d1a420db31c01b2a35eae
Opcode Fuzzy Hash: 457d62d605f44b1f9d6b792164a52093e1ceaebb9e929b6588a46d4238e7b3ca
Instruction Fuzzy Hash: D5017C71A0020AABDB04DFADD481AAEB7F8EF58300F10406AF904E7350D674AA008BA1

Function 019761E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a498592c11896422def1b43fc993a9038bc28a4775d5102ce5c3a73aadb32682
Instruction ID: b85a12ca2660f4030a2509095ba0df7bf7552f24223c0dc4fbf0be84d797ed7d
Opcode Fuzzy Hash: a498592c11896422def1b43fc993a9038bc28a4775d5102ce5c3a73aadb32682
Instruction Fuzzy Hash: E6018F71A00249ABDB00DFA9D845AEEBBF8BF58310F14005AE905E7380D734EA01CB95

Function 019263C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: a833b6daded8f1fae5f4af500eb10755debb7cbffaf5ed7de7cc3879a4b1f4c9
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 1CF06D7220001DBFEF019F94DD80DEF7B7EEB58798B104124FE0092120D231DE21ABA0

Function 0192A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f2837610ad6123819b9833c503d22352b5691b6004cbd494f18971f1aeb59f
Instruction ID: 4a9d33b42ecbbf6340aa722ae1074b0a11cd4034ecf3fe7801d5d64bc351afac
Opcode Fuzzy Hash: 28f2837610ad6123819b9833c503d22352b5691b6004cbd494f18971f1aeb59f
Instruction Fuzzy Hash: 77018536100219ABCF229E88D840EDE7F6AFB4C664F068205FE1866624C336D970EB81

Function 0189C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b972304efd421e8a31e744cb8d262d560e997a4e867e173dac1d63a8d5a8e6b8
Instruction ID: 5dd5345bb5a4ab2837918abc79745a3a41feb91bc975ebd7b24960f3807dc6c1
Opcode Fuzzy Hash: b972304efd421e8a31e744cb8d262d560e997a4e867e173dac1d63a8d5a8e6b8
Instruction Fuzzy Hash: 4EF024B23046415BFB20961D8C01B22369AE7D0750F69802AEB05CB2C1FB72DE01C398

Function 018D656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3323d3ce5698673c78de769c74c2c039ff2d5d2a001e159244a7a43e550e7a42
Instruction ID: f6e2a8838c5dfee2b07fd1a2293bbd51f68d0226447efbc6ba71386514f82c4c
Opcode Fuzzy Hash: 3323d3ce5698673c78de769c74c2c039ff2d5d2a001e159244a7a43e550e7a42
Instruction Fuzzy Hash: C801A470204789DBF3229B2CCD48F6937E8BB44B14F980590FA15DB6DAE768D6828611

Function 0194437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 6a2fb994e0d9821a90cd18b2064caffa1ae12363929b66f8b40661c8eb0c71fb
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 44F08936381A1347EB76AA2D9530F2AAA99AF90E52B05052CA55ADB640DF60DC018791

Function 0192C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9ad28cf31266e1e55c039ce8c40fd628af8b31620ef2fd51c0a7764896a86c
Instruction ID: a5d6fc6ebcdbb20f54f59578481f364527ea44b607431816c21144afe2a11928
Opcode Fuzzy Hash: cf9ad28cf31266e1e55c039ce8c40fd628af8b31620ef2fd51c0a7764896a86c
Instruction Fuzzy Hash: 8CF08C716093049FC310EF28D846A1EBBE4EF98710F408A5ABC98DB394E634EA00C796

Function 0192E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: ccc579ab3230d0048b6e6684e52fd54c628639b3b12ebe8fb8b0fcb94b1c5c43
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: F0F054337115219BD3219A4ECCC0F16B76CAFD5A60F190465EA489B368C7A0EC0187D1

Function 018D0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: d50cf266ef5d2a617786132ababb095c22968b832c7f1b4d121765e5b7980313
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 04F0B472614204AFE715DB26CC01F96B7E9EF98344F148078A945D7260FAB0EE01C654

Function 0192C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f4dcc9c4da0cd7b1cf16a2ba948b5d25e75b1b559a1ba3b8d014ac38c78244
Instruction ID: e11771620249a7a9e22b84c102e7c032f6b38f1a7b94e83c0bc149dbae2c6d23
Opcode Fuzzy Hash: 52f4dcc9c4da0cd7b1cf16a2ba948b5d25e75b1b559a1ba3b8d014ac38c78244
Instruction Fuzzy Hash: ACF04F74A01249AFCB04EF69D555E9EB7F4EF18340F008055A959EB385DA38EB01CB51

Function 018A47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0db5368bd14bb30f960748ebdac6bd25e2c2da26ddc60a03a14f9895a5533cb
Instruction ID: e5fff83dd1189f57a3f61710b0701a422345c3646f46b8fab45d0f3ae532226a
Opcode Fuzzy Hash: b0db5368bd14bb30f960748ebdac6bd25e2c2da26ddc60a03a14f9895a5533cb
Instruction Fuzzy Hash: AFF024319122E48FFF32CB1CE054B217BC49F08B34F8C486AC549C7502C7A0EA80C601

Function 01960115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad42a590f581724960442f8f4bbf995ca4824a672e709dbb21ea7fea3142b7d5
Instruction ID: 020e954a2dd301447e0ec13757e9611fb82ae813b22a86f97dccf144ac85d3b0
Opcode Fuzzy Hash: ad42a590f581724960442f8f4bbf995ca4824a672e709dbb21ea7fea3142b7d5
Instruction Fuzzy Hash: 64F0A07681A6858ACF32AB3C69D03D16FACB792165F1E1489E8A96720AC5748983C374

Function 018DC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4cb6ca56b012ac83bdc7a8261fb6963ba126e5a87c1e604777885a42771eb76
Instruction ID: 53373b3c4583c9953603e2c286cfa746c1d2c2e945a23eadff5d575b26ebfba1
Opcode Fuzzy Hash: e4cb6ca56b012ac83bdc7a8261fb6963ba126e5a87c1e604777885a42771eb76
Instruction Fuzzy Hash: 03F0E2715117519FE322975CE148B55BBD49B417A4F1C942DE506C7512C760FA80CA51

Function 018E2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: a1b8b55f04e9048b87319b16e4c6181a6244467a8b06498c3d15be89b5c6c65c
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: E2E092723406012BE7129E5D8CC4F477BAE9F93B10F040479B5049E252C9E29E0986A5

Function 01936030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 95706346cca857e4065ccf1c273a4219db595a687a57b238de408418c938676b
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 81F03072104204AFE3218F0AD985F52FBF8EB45765F45C425E6099B661D37AED40CBA4

Function 018A0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: d2a032501a908e36388938a0562338a20a67aa509b943e3c05a31657072366b0
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 00F0E5392043459BEB16CF19D040A957FA4FB41354B054058FD46CB311D736EB81CB51

Function 018D49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 11a31ce5fea955fcd927e283f2735300e60b108410e858e9c51b1e395aeb0ee2
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 7EE0D832244349ABD3311A5D8800F667BA5DBD07A0F160429E240CBA55DB70DE40C7DA

Function 01974164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae327211153d124f3cdddf21e29ac8dc1fa1268e3307dddb889c1a07c74f14b
Instruction ID: d35e08f089edfe47bf075e6320163302da9881dc57d0bbd72d9f6308ac906369
Opcode Fuzzy Hash: cae327211153d124f3cdddf21e29ac8dc1fa1268e3307dddb889c1a07c74f14b
Instruction Fuzzy Hash: 3CF06531A255D14FEB72E72CF594B5577E8BF60731F5A0564D409C7913C724EC80C650

Function 0194678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: fdb94384193bb593ddab3219feadae40cde88fa66c2bb1b0773bfc56f06c2515
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 3BE0DF72A40314BBDB22D7998D01F9ABEBCDB90FA0F150054B604E7194E530EE00C690

Function 019708C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: e180ac0f429f9d9cbbac6e77a0fddb319a3479f060b7ca1acc4557329146169a
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: CEE09B316403508BCB258A1DC140BD3B7ECDFD6761F19807DE90D47612C232F842C6D1

Function 018A25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a6e0a48c65e1c6acf7446fb9766ddd5903eac3e3e8163e3eba72c6adb0ba1a
Instruction ID: 01aa0ff77b8c526b8532bdabbefbd1f667f3fc526ee1e5b4e78fa9bf095998e8
Opcode Fuzzy Hash: b0a6e0a48c65e1c6acf7446fb9766ddd5903eac3e3e8163e3eba72c6adb0ba1a
Instruction Fuzzy Hash: A1E092321005549BC721BF2DDD01F8A779AEBA4360F054515B115971A0CA70AA10C7C5

Function 0195A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: af2768ce9a848afd135080e15ea0f9161e09685d9d206bd2092673880f61cb46
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 3CE09231010612DFE772AF6ED848B527FE5BF50B12F148D2CE09A624B0C7B599C1CB45

Function 01924000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 73c071c11c34429635950b636c59e34528cf4f0e4f9eef578e28d1a1a063d43f
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 17E0C2343403158FE715CF1AC040B627BBABFD5A11F28C068E9488F209EB36E882CB40

Function 018DCA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0af6da361d184b58ebc80ff5732ba2c2172098f0fb1c423c65e6a67cace2b6
Instruction ID: 4b095358b2023e455d8e746d5223e6e7544a70827c96e72a97c6f4a2fd6159a1
Opcode Fuzzy Hash: 7b0af6da361d184b58ebc80ff5732ba2c2172098f0fb1c423c65e6a67cace2b6
Instruction Fuzzy Hash: 75D02B724D51206ACB36E11C7C44FD33B5A9B40760F014869F108D2010D624CE81D2C5

Function 0189823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 4e5db3da81668b0b167cc5a4c82d11c311a9390d4e988e236a1adf6c5115dc10
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 52E08C32440A1AEEDF322F69DC04F5177A6FF9AB10F24486AF081860A486B4AA81CA45

Function 018A2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5214ee715f54e73b61b73f0c8f9aa779c04aed162ca4412811912082ba30e3b1
Instruction ID: acd933e8d62ecc7a39014e6176dc02787e0e74f604d7137e078d198b52db0ca3
Opcode Fuzzy Hash: 5214ee715f54e73b61b73f0c8f9aa779c04aed162ca4412811912082ba30e3b1
Instruction Fuzzy Hash: 95E08C331004506BC721FA5DDD50E8A739AEBA4360F440121B150872A4CA60AE00C795

Function 018D8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 1c2dd9a4e7fb0d0afaf6773b42cfdb9d32c91b98539b49d5cb7e3c3b088abb5c
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: EDE08633111B188BC728EE18D511B7277A4EF45720F09463EE61387780C534F544C796

Function 018F6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: f18243087f95e244e0dcdca34422057f6f06a1940c0a56dacf307ac15948a71b
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 19D05E36511A50AFC3329F1BEA00C53BBF9FBC4B10705062EA545C3A24C670E906CBA0

Function 018DE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 069dfe048b9b2f27d6e3b41fdf2e7c7bc9002e512ce7ce4ad6a43ba0ff914372
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 3DD0A932204620ABD772AA1CFC00FC333E8BB88B21F060859B008C7158C360AC81CA84

Function 0191E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: ae783d140482e9ed87bc3fb917ae7413b6536acd9d8e83c3bd6aae5b56ed8c7e
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 10E08C31A006849BDF13DF9DC640F5ABBB9BB80B00F180044A4089B224C234A900CB40

Function 0189A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 5ab8406ae14d9a5cd7de1a8ef597db773f963594028bb940c75c92c939288f33
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 09D0223221203093CF2C56996850FA37905EB81B94F0E002C380BD3900C0148D42C2E0

Function 018DA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 5e2fde746d77275f2696755358ea389a4060d9a37c602845892db5ee77d5dfb7
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: CCD012371D054DBBCB119FA6DC41F957BA9E764BA0F444020B904C75A0C63AE950D584

Function 018DCA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138ed3e3ccfeed23d6bad9844eaf7483ffaaff6747d9e993ce23049bf4b4d98c
Instruction ID: 2901d23aa63b0b58191cadf5cb1a3efad97df9bbded5cf4a046d8ee78146e971
Opcode Fuzzy Hash: 138ed3e3ccfeed23d6bad9844eaf7483ffaaff6747d9e993ce23049bf4b4d98c
Instruction Fuzzy Hash: 21D0A731549109CBDF16CF8CC510D6E3774FB24B40B40006CE701D1124D324FD01D640

Function 018B02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 60e33b1f030d1807904c14334198c622405e6b5b3c5772c3b4e53b23580fb71f
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 32D0C935616E80CFD61BCB0CC5A4F5633B4BB44F44F810890F501CBB62D62CDA44CA00

Function 018DC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: c47cab1e981a49338cb416f432606802cf7c7b765b578f7c68bf2fd6c14bfd09
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: CEC01232290648AFC712AA99CD41F427BA9EBA8B40F000021F6048B670C631E920EA84

Function 018C0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 60e48cecb1a1513387b97e4ddc5a1daef9c85048897072fb467cb9efe4ce3bbc
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: A7D01236100248EFCB01DF55C890D9A772AFBD8B50F10801DFD19076108A31ED63DA50

Function 018A0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: cf4c7cfe4df76171ce86a7150de5177d257d818772709b89467d11c381ef8a67
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 7CC04879711A428FCF16DF2ED6D4F8977E4FB44740F1A0890E905DBB22E628EA01CA21

Function 018E4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bc78eefcd3c5f1252f928a45ee29abc17ebd8704cbbfaa34acdbc40610f85c
Instruction ID: dd6d99445a928762fd95b8e6a7f6f3a74d290945b14f04d41649853f8bb02801
Opcode Fuzzy Hash: 55bc78eefcd3c5f1252f928a45ee29abc17ebd8704cbbfaa34acdbc40610f85c
Instruction Fuzzy Hash: 31900231605800169640715848845464005E7E2301B55C015E242C554CCB14CB6E5362

Function 018E4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14dbaf589a45e48027032d062925691e6fd9b2595489f0192a963bfbdb7e1327
Instruction ID: 7e958425d84a822f884d1960bac2f71c772a11c941cef583faa5640471baeb79
Opcode Fuzzy Hash: 14dbaf589a45e48027032d062925691e6fd9b2595489f0192a963bfbdb7e1327
Instruction Fuzzy Hash: 8F900261601500464640715848044066005E7E3301395C119A255C560CC718CA6D936A

Function 018E2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79610fd9e33922dc848631254072d188bbfcf66c7be7a4174d7604a4770b452
Instruction ID: 61f379d4021ac6ef836f046dbcd62c4a1e09f77937d3e64aba447a33ccd484f6
Opcode Fuzzy Hash: e79610fd9e33922dc848631254072d188bbfcf66c7be7a4174d7604a4770b452
Instruction Fuzzy Hash: 0C90023120140806D604715848046860005D7D2301F55C015A702C655ED765CAA97232

Function 018E2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69102fec8bc14dc695e14f2969b8834a6e3d712541acc2a3e9316c32b50e3267
Instruction ID: e29a22130c51a09cf82971df2f5b6ce71ad353ca7682865d95c706d35fccb553
Opcode Fuzzy Hash: 69102fec8bc14dc695e14f2969b8834a6e3d712541acc2a3e9316c32b50e3267
Instruction Fuzzy Hash: C190023160540806D650715844147460005D7D2301F55C015A202C654DC755CB6D77A2

Function 018E2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfe5481b2d7c29a297aa150e1965a0999b0f53684a8f40770155ffce484aa86
Instruction ID: a86dcc8a561d0cbd5fc1c1a296fd5817c718929d1beaaa74a4a4acb0b4829f2d
Opcode Fuzzy Hash: 6dfe5481b2d7c29a297aa150e1965a0999b0f53684a8f40770155ffce484aa86
Instruction Fuzzy Hash: B090023120544846D64071584404A460015D7D2305F55C015A206C694DD725CF6DB762

Function 018E2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326e2baf3ed8fb8c30eb3134c78f60525d2275faedf15d27765ea49643890ac0
Instruction ID: 139607dce6ff9e24a176c7dd3889a9f5b84b9d5174a324e7fc896538e011c2a4
Opcode Fuzzy Hash: 326e2baf3ed8fb8c30eb3134c78f60525d2275faedf15d27765ea49643890ac0
Instruction Fuzzy Hash: 9A90023120140806D6807158440464A0005D7D3301F95C019A202D654DCB15CB6D77A2

Function 018E2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223950775bd89aedc105007af6250a8d62a0853226863e749bb097a5168400ba
Instruction ID: a11856767b2824dd571eacd08378298d34a79faaf482879d3094d2b8d7d73807
Opcode Fuzzy Hash: 223950775bd89aedc105007af6250a8d62a0853226863e749bb097a5168400ba
Instruction Fuzzy Hash: 4590026120240007460571584414616400AD7E2301B55C025E301C590DC625CAA96226

Function 018E2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648c8cf29610393b5c38c69a8074010efa2c7d3862951a4bc4b908c34aadc36e
Instruction ID: 3f65679dd6509d1570b1244eb416fd45a67f3bae9fc7bdc66fd15f50132d3296
Opcode Fuzzy Hash: 648c8cf29610393b5c38c69a8074010efa2c7d3862951a4bc4b908c34aadc36e
Instruction Fuzzy Hash: DB9002A1201540964A00B2588404B0A4505D7E2301B55C01AE305C560CC625CA699236

Function 018E2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082952807f5e5a27aaf4ce546e6d1a31212f0c9a8bbab0f74b92584bc4a17570
Instruction ID: c9eac32901510168d3638301ee1c57649ea7257a6a6d1b9350b8e1d1af9ec275
Opcode Fuzzy Hash: 082952807f5e5a27aaf4ce546e6d1a31212f0c9a8bbab0f74b92584bc4a17570
Instruction Fuzzy Hash: BE900225211400070605B55807045070046D7D7351355C025F301D550CD721CA795222

Function 018E2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b833319456afd653406699e8ff495a78e0becef897b480f406f2f4e346cb5e7f
Instruction ID: 8e1fd83645a33a8336d7f59616dd929f40601d30454b1678a95d6954dfbba9a1
Opcode Fuzzy Hash: b833319456afd653406699e8ff495a78e0becef897b480f406f2f4e346cb5e7f
Instruction Fuzzy Hash: 81900225221400060645B558060450B0445E7D7351395C019F341E590CC721CA7D5322

Function 018E2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca30bfc6496ae1a76ba5091f9862029f8e8bbfd4b85ec82ddfe14c855ae77396
Instruction ID: 7569680646e55dbab959ef0250005a8452edd48505f74fd6d484f262c2d65616
Opcode Fuzzy Hash: ca30bfc6496ae1a76ba5091f9862029f8e8bbfd4b85ec82ddfe14c855ae77396
Instruction Fuzzy Hash: F990023124140406D641715844046060009E7D2341F95C016A242C554EC755CB6EAB62

Function 018E2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2caeb08b91915e077926781fde5b9de354c4a270985d08eb36818e806be6bfb9
Instruction ID: dbc5f06dee9be9f8bedb3ca63622d0a3ffb1d58510192bedfc9e9ce584aa9060
Opcode Fuzzy Hash: 2caeb08b91915e077926781fde5b9de354c4a270985d08eb36818e806be6bfb9
Instruction Fuzzy Hash: 4E900221242441565A45B15844045074006E7E2341795C016A341C950CC626DA6ED722

Function 018E2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be99aa8a9f8fd083248adc486b2e2cdf6da1da21827ab4d7f61fdaafb41e7b3
Instruction ID: 59be4b94334164c9cac8d2ec36ac062e478a6383286f0bd46a2124621d88d621
Opcode Fuzzy Hash: 8be99aa8a9f8fd083248adc486b2e2cdf6da1da21827ab4d7f61fdaafb41e7b3
Instruction Fuzzy Hash: 3590022120544446D60075585408A060005D7D2305F55D015A306C595DC735CA69A232

Function 018E2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353cc7ad62ea0c2ba463f05c7eb13feb5395111f0485b7db2a506bf84649ec31
Instruction ID: fc3e14527f19b47f40da25d2df6f1ce9546c41d8c67a60a94e40f515aba56500
Opcode Fuzzy Hash: 353cc7ad62ea0c2ba463f05c7eb13feb5395111f0485b7db2a506bf84649ec31
Instruction Fuzzy Hash: 5190022921340006D6807158540860A0005D7D3302F95D419A201D558CCA15CA7D5322

Function 018E2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba865aff2cbf1c1e96e704a63ee0cf365e0d8ba70d220c426e779d3bcdd7610b
Instruction ID: bdfd0d62aa115f107324c3f33b90c26920ddef99f2d1954b5ea32ef0557edce6
Opcode Fuzzy Hash: ba865aff2cbf1c1e96e704a63ee0cf365e0d8ba70d220c426e779d3bcdd7610b
Instruction Fuzzy Hash: 5D90022130140007D640715854186064005E7E3301F55D015E241C554CDA15CA6E5323

Function 018E2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a980349aa3a13c00942c41d10a251c5c1be4dee3d71e5d83024fdb5f70e6a7e0
Instruction ID: bd7e9d8f084e3a048d3d7a220314d04c25b73a0c36fbd0482efad55b82e3a9a3
Opcode Fuzzy Hash: a980349aa3a13c00942c41d10a251c5c1be4dee3d71e5d83024fdb5f70e6a7e0
Instruction Fuzzy Hash: B390023120140406D600759854086460005D7E2301F55D015A702C555EC765CAA96232

Function 018E2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83954c91d061b059335233521a42534a339361b6b9238953b7575010d49cf453
Instruction ID: c5b7c86fab0d4f88b0a3ebcd014f7e0063e73d18f6c48a21ffddedb7d39509fd
Opcode Fuzzy Hash: 83954c91d061b059335233521a42534a339361b6b9238953b7575010d49cf453
Instruction Fuzzy Hash: 4F90022160540406D640715854187060015D7D2301F55D015A202C554DC759CB6D67A2

Function 018E2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30f0f30bdf3e87ee6161599974f614bb026406216433cf6b2875dd1361d41fe
Instruction ID: 8030cf9d0186253ba8f66938e2d612c7fd292ea18a80e295e48f2a488efeb9b1
Opcode Fuzzy Hash: a30f0f30bdf3e87ee6161599974f614bb026406216433cf6b2875dd1361d41fe
Instruction Fuzzy Hash: E090023120140407D600715855087070005D7D2301F55D415A242C558DD756CA696222

Function 018E2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb77f188b90f35559c6add0e075cd2269de70970c93dcae0fceaf7e64c8430b
Instruction ID: 2b343ade601cb66ba02e7037b7820cf466809165dfe5dda0e330c50f65b861b7
Opcode Fuzzy Hash: 9eb77f188b90f35559c6add0e075cd2269de70970c93dcae0fceaf7e64c8430b
Instruction Fuzzy Hash: 1490023120140846D60071584404B460005D7E2301F55C01AA212C654DC715CA697622

Function 018E2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217fd91b31c0ae4f167b683558add911b33930d365151372b22906fc210e86bf
Instruction ID: dce0a4a1283e08f1c002bdddc1f63f27f71a10219e33885438f8679d830fb0ca
Opcode Fuzzy Hash: 217fd91b31c0ae4f167b683558add911b33930d365151372b22906fc210e86bf
Instruction Fuzzy Hash: 6E90023120180406D6007158481470B0005D7D2302F55C015A316C555DC725CA696672

Function 018E2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1907aec8f329f703b97a03fff58166723e16f4b13055058f74ecb517e02f109a
Instruction ID: 21f98a9d9546e03e24835b7176840f75661157fae9026aebfdca1acc1e932245
Opcode Fuzzy Hash: 1907aec8f329f703b97a03fff58166723e16f4b13055058f74ecb517e02f109a
Instruction Fuzzy Hash: 8690023120180406D600715848087470005D7D2302F55C015A716C555EC765CAA96632

Function 018E2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacf5e4242b6a46e395112dea53f4022459b5f98cc8e8cd2167be0a7db84d986
Instruction ID: b3e78a8ea0c623dd7e2052602772b269e6f384a59a76cf8333d5d362234fda07
Opcode Fuzzy Hash: dacf5e4242b6a46e395112dea53f4022459b5f98cc8e8cd2167be0a7db84d986
Instruction Fuzzy Hash: 44900221601400464640716888449064005FBE3311755C125A299C550DC659CA7D5766

Function 018E2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0895e26cccae673e6884646a5febefd8f821c5dac5a02cc19ae5249e429e44ac
Instruction ID: b871d35c272699c6530af8d3fd943df9ff756ca06bb07c423ea3194d005bf55a
Opcode Fuzzy Hash: 0895e26cccae673e6884646a5febefd8f821c5dac5a02cc19ae5249e429e44ac
Instruction Fuzzy Hash: 16900221211C0046D70075684C14B070005D7D2303F55C119A215C554CCA15CA795622

Function 018E2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3119b091d6394799eab459d9a9c4b9ca38ba2f84239da03e23943622e17d59b
Instruction ID: b6d9cdc75c11681c0215dfc9a7ce43d82480ed0ce72ffc3fe78c4410d1ede8a1
Opcode Fuzzy Hash: d3119b091d6394799eab459d9a9c4b9ca38ba2f84239da03e23943622e17d59b
Instruction Fuzzy Hash: 4C90026134140446D60071584414B060005D7E3301F55C019E306C554DC719CE6A6227

Function 018E2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b05d9bc1a3c420cf8386d603495b19f8addf20cd1472df4c8e630c25629ce0
Instruction ID: c6495ae448b46442f041409e3cee8d3545101849b6af17cfbafba6d28973e253
Opcode Fuzzy Hash: a2b05d9bc1a3c420cf8386d603495b19f8addf20cd1472df4c8e630c25629ce0
Instruction Fuzzy Hash: B490026121140046D604715844047060045D7E3301F55C016A315C554CC629CE795226

Function 018E2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c7ccdb748964aab55483d96e261feab396c5f23ae015a210665a86ef7567c6
Instruction ID: 28ae1c1f2a46101f36063fbb77d1f38c979718ee21aa32ea952e11d3c9c6f1e7
Opcode Fuzzy Hash: 26c7ccdb748964aab55483d96e261feab396c5f23ae015a210665a86ef7567c6
Instruction Fuzzy Hash: 9690022160140506D60171584404616000AD7D2341F95C026A302C555ECB25CBAAA232

Function 018E2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccdef35ffecdb1fd3069509fd94853cdcb503f2aff7665f42c13c13ea5b20ed
Instruction ID: 77c07f78b990a51556965bbe4c46d45a39ed8231c2f901e069bcd819159bbfef
Opcode Fuzzy Hash: 3ccdef35ffecdb1fd3069509fd94853cdcb503f2aff7665f42c13c13ea5b20ed
Instruction Fuzzy Hash: 9F90027120140406D640715844047460005D7D2301F55C015A706C554EC759CFED6766

Function 018E2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8704af9f8cc1ad4b330c09ae1941541ae365769687ab78dffe59fe460174dc
Instruction ID: de405e461e16dad9a34915b1a8024f21e368304756d11acfb0833ad6f23e0b3d
Opcode Fuzzy Hash: 6e8704af9f8cc1ad4b330c09ae1941541ae365769687ab78dffe59fe460174dc
Instruction Fuzzy Hash: 1590026120180407D640755848046070005D7D2302F55C015A306C555ECB29CE696236

Function 018E2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2435a7b33b5e17a04d87889bd3274902278045e3415db37894264e3a07ccc14
Instruction ID: 0667e1fbac33f00f394536eb6e5e6458f5e56a3276b2252eb2ecba619e1ebd76
Opcode Fuzzy Hash: d2435a7b33b5e17a04d87889bd3274902278045e3415db37894264e3a07ccc14
Instruction Fuzzy Hash: A590022130140406D602715844146060009D7D3345F95C016E342C555DC725CB6BA233

Function 018E3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f484863cd6a907723b166729f490a8f3cd4ed0ec3ba1f74d91751bea487a7ce
Instruction ID: d81d3652c8bea915396475dc22d88553c7da7a9ac1be06524ecc6174ed881c74
Opcode Fuzzy Hash: 1f484863cd6a907723b166729f490a8f3cd4ed0ec3ba1f74d91751bea487a7ce
Instruction Fuzzy Hash: CD90022124140806D640715884147070006D7D2701F55C015A202C554DC716CB7D67B2

Function 018E3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a49911a48a6b540e3bb21374d4c3e1289ce65e7022685ce9339d05f88888c0
Instruction ID: deabbadbd59c1d28e6ce74513935a8a9f72346f77d56bc485d7c9fb685f0c10a
Opcode Fuzzy Hash: a2a49911a48a6b540e3bb21374d4c3e1289ce65e7022685ce9339d05f88888c0
Instruction Fuzzy Hash: 9690022120184446D64072584804B0F4105D7E3302F95C01DA615E554CCA15CA6D5722

Function 018E39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2aa4eb75e1c7f8fd76d81b9a6e9c3750d100e86cefba3ba0c3c748f230cf4f
Instruction ID: 5a1074a783e51d698113f6ce514341f14085b6d5935005e97a022722c4d68507
Opcode Fuzzy Hash: ef2aa4eb75e1c7f8fd76d81b9a6e9c3750d100e86cefba3ba0c3c748f230cf4f
Instruction Fuzzy Hash: 3690022124545106D650715C44046164005F7E2301F55C025A281C594DC655CA6D6322

Function 018E3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaed8ec473cc1a4670c4d54ddb94da8f3400a4b84600490361b64157219b09a
Instruction ID: d63228e8a5200ab9eb8a569c9f6951efbc8ef1fe6c07ffc1534dfcb8875b07bd
Opcode Fuzzy Hash: daaed8ec473cc1a4670c4d54ddb94da8f3400a4b84600490361b64157219b09a
Instruction Fuzzy Hash: 8E900231202401469A4072585804A4E4105D7E3302B95D419A201D554CCA14CA795322

Function 018E3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca85e80566fb71116055a66c3a9a80213fcf52333344346f27500fa5f0fba15
Instruction ID: 67a5bf733985b23e9c5afb5ad3d7cbfe369ce356b1afce3cf80123cbf583f317
Opcode Fuzzy Hash: dca85e80566fb71116055a66c3a9a80213fcf52333344346f27500fa5f0fba15
Instruction Fuzzy Hash: 3A90023520140406DA10715858046460046D7D2301F55D415A242C558DC754CAB9A222

Function 018E2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: f21f465b1a5368b7652c6b218e7be056040d7ef3c0cf1aa6c0ceae07126be2a1
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 018E2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 018E293C
___swprintf_l.LIBCMT ref: 018E295E
___swprintf_l.LIBCMT ref: 018E29A3
___swprintf_l.LIBCMT ref: 0191A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0191A54E
:%u.%u.%u.%u, xrefs: 0191A5B8
ffff:, xrefs: 0191A504
::%hs%u.%u.%u.%u, xrefs: 0191A527

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 858176113a9b0c3bdd121e82410b4b048d6731121a4cfc41537e466a904eaacd
Instruction ID: 9ccf296ddc0278d7caada25690a020f6b1daa9a5803455b6b48cdfb9aef45b91
Opcode Fuzzy Hash: 858176113a9b0c3bdd121e82410b4b048d6731121a4cfc41537e466a904eaacd
Instruction Fuzzy Hash: B451F6B6A0415ABFCB11EBAC889497EFBFDBB493407148229F5A9D3645D334DF4087A0

Function 01952410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019524A6
___swprintf_l.LIBCMT ref: 019524E2
___swprintf_l.LIBCMT ref: 0195257D
___swprintf_l.LIBCMT ref: 019525A3
___swprintf_l.LIBCMT ref: 019525C8
___swprintf_l.LIBCMT ref: 01952608

Strings

::%hs%u.%u.%u.%u, xrefs: 0195249E
ffff:, xrefs: 0195247D, 0195249D
:%u.%u.%u.%u, xrefs: 019525FF
::ffff:0:%u.%u.%u.%u, xrefs: 019524DA

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: eb23e5a3b7cd7a43d3cd86671f7dafacbfb0b918af37e666624f76f21872f1c0
Instruction ID: f53559e278aaf800f335d90daeffe80733bb4b67ebe2e7cf9a6321d8f2ea7b5f
Opcode Fuzzy Hash: eb23e5a3b7cd7a43d3cd86671f7dafacbfb0b918af37e666624f76f21872f1c0
Instruction Fuzzy Hash: 28510875A00645EECF70DF6CC89097FBBFDEB48305B048869F99AE7642D6B4DA008760

Function 018D7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01914742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01914725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01914655
ExecuteOptions, xrefs: 019146A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019146FC
Execute=1, xrefs: 01914713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01914787

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: d3d2e0c49e7e82629537dac92bd8ff3a42afc6ceb2a3c52de3005c9ac3b5999b
Instruction ID: 28675326be6aff16fbeeaa7f24bfe9b494c69dcf0aaa9d31c090642954e37454
Opcode Fuzzy Hash: d3d2e0c49e7e82629537dac92bd8ff3a42afc6ceb2a3c52de3005c9ac3b5999b
Instruction Fuzzy Hash: 7D51193160031E7AEF21EBA9EC89FA977B8EF19708F140499D609E7181EB709B41CF51

Function 01976940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 7e3d08c3732aec8906fa4b046b8dcc03be888991463a2fb8afbf3aed34fa2368
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 0F021671508742AFE309DF18C894A6BBBE5EFD9700F14892DF9898B254DB31E905CB52

Function 018EB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 018EB6BF

Strings

0, xrefs: 018EB695
-, xrefs: 018EB650
+, xrefs: 018EB65A
0, xrefs: 018EB66F

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 68c04f06da47faa090e12cadc26a40164b3c6c2c0947ad279e6050bb31d960a0
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: DA81E070E452598FEF298E6CC8997FEBBF1AF47360F18411AD861E7691C7308A40CB51

Function 019520E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0195214F
___swprintf_l.LIBCMT ref: 01952172

Strings

%%%u, xrefs: 01952146
]:%u, xrefs: 01952169
[, xrefs: 0195212B

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 1963e33253a984a7be52202b47f6d78ee425856cf9412fa4f3d9e2c22593d9aa
Instruction ID: 4be54179ae59a794bf68f7a20ee260beb93f55383c11191f8a6e3a00cf2852b7
Opcode Fuzzy Hash: 1963e33253a984a7be52202b47f6d78ee425856cf9412fa4f3d9e2c22593d9aa
Instruction Fuzzy Hash: 5821217AA00119ABDB51DF7DDC44AAF7BEDAF54654F44012AEE49E3201E7309A018BA1

Function 018CF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019102E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019102BD
RTL: Re-Waiting, xrefs: 0191031E

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 60c7d93515814fbe59b2feaf11dc0dca938b738b0f8ed53c0f405004dfce4688
Instruction ID: c53510c3d020e59184744d0718d9afd85f8822975c99d2be14602828b6b3a54e
Opcode Fuzzy Hash: 60c7d93515814fbe59b2feaf11dc0dca938b738b0f8ed53c0f405004dfce4688
Instruction Fuzzy Hash: CDE1CE306047459FE725CF2CC884B2ABBE1BB85714F140A1DF6A9CB2D1D775DA85CB42

Function 018DBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01917B8E
RTL: Re-Waiting, xrefs: 01917BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01917B7F

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: f451712a75d600787856c8a791ec2f6f429ef70a42280eeabd5485304560f217
Instruction ID: 0d6fcce33fe10006ad21dfc200463afce24f1c675a6c55546ba4958ba839db45
Opcode Fuzzy Hash: f451712a75d600787856c8a791ec2f6f429ef70a42280eeabd5485304560f217
Instruction Fuzzy Hash: F741E3313007079FDB25DE29C840B6AB7E5EF9A711F110A2DF95AD7280DB31E645CB91

Function 018DB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0191728C

Strings

RTL: Resource at %p, xrefs: 019172A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01917294
RTL: Re-Waiting, xrefs: 019172C1

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: bd7085361bc51ae2dcd7faa9b0bb15c41431e88e539b09bd4ed18eff24b2ac08
Instruction ID: 5ee761e6f802504b6e0eec760d586b5a9369edf832ee05e43891d573f2065749
Opcode Fuzzy Hash: bd7085361bc51ae2dcd7faa9b0bb15c41431e88e539b09bd4ed18eff24b2ac08
Instruction Fuzzy Hash: 4941023170030BABD725DE69CC81FA6B7A5FF96714F200A19F959EB240DB21E982C7D1

Function 01952300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0195238D
___swprintf_l.LIBCMT ref: 019523B3

Strings

]:%u, xrefs: 019523AA
%%%u, xrefs: 01952384

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: ff668c705b5b7fe424d20d67e971779fbfb74d866c6ddb025239d99756abc07b
Instruction ID: e964f07a9b30c9d2d507142f5b49ab106895dfc1dcc7a3510f6a61d22d95352b
Opcode Fuzzy Hash: ff668c705b5b7fe424d20d67e971779fbfb74d866c6ddb025239d99756abc07b
Instruction Fuzzy Hash: 27317372A00219DFDB60DF2DDC40BAE77FCAB44A11F440599ED49E7201EB30AA488BA0

Function 018E7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 018E7E8B

Strings

+, xrefs: 018E7DE8
-, xrefs: 018E7DDD

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 1a85958abcd0ad6a88490ebf8327277bb31706fcc1d87a48655afea2a7aeea4f
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: BB919071E0021A9BEB24DF6DC888ABEBBE5FF46720F14451AE955E72C4E7309B408791

Function 018A9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 018A9191
@, xrefs: 018A9175

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 780069e3bbc842ab045a057f0580cb86388502ea0c56d0b09de783311016cf43
Instruction ID: c7abfa3a1603851d0f85c2073ae9658a7a67e3eb8b0a3ed44850ce6f93b11cc0
Opcode Fuzzy Hash: 780069e3bbc842ab045a057f0580cb86388502ea0c56d0b09de783311016cf43
Instruction Fuzzy Hash: A8810C71D042699BDB36CB58CC44BEAB7B8AB48754F0045EAEA1DF7280D7709E84CF61

Function 0192CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0192CFBD

Strings

@4_w@4_w, xrefs: 0192CFD5, 0192CFDA, 0192CFF1
@, xrefs: 0192CF0A

Memory Dump Source

Source File: 00000008.00000002.2034522019.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1870000_ThBJg59JRC.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4_w@4_w
API String ID: 4062629308-713214301
Opcode ID: ffa969c69083c514f58eaaf0a488ff8cfc6b292d8e3b99ee94016d696ee3f644
Instruction ID: 2e6089041430611749fba66224f99d831e35d912e5a3f91c3ad39813be01ccc4
Opcode Fuzzy Hash: ffa969c69083c514f58eaaf0a488ff8cfc6b292d8e3b99ee94016d696ee3f644
Instruction Fuzzy Hash: 3D418F71940225DFDB21DFADC880AAEBBF8FF55B40F00442AE919DB268D734DA01CB61

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ThBJg59JRC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ThBJg59JRC.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01b0obsr.j1u.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ebetdeg.uiz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vudqcmip.uqb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yupdqurk.fi3.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
ThBJg59JRC.exe

Function 09502CF8 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Function 09509590 Relevance: 2.7, Strings: 2, Instructions: 228
COMMON

Function 0924A91C Relevance: 1.9, Strings: 1, Instructions: 625
COMMON

Function 09242106 Relevance: 1.8, Strings: 1, Instructions: 561
COMMON