Edit tour

Windows Analysis Report
Orden de compra.exe

Overview

General Information

Sample name:	Orden de compra.exe
Analysis ID:	1501078
MD5:	d9323dddde2041d8b26f7d696499091c
SHA1:	535dc286d8a67be9bca93674ff800c44cfb9b2d1
SHA256:	08c422305e7b10e56d7338bcdf37637b0837e47b6accdee26b43fa93cf3e435d
Tags:	exe
Infos:

Detection

DarkTortilla, FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Orden de compra.exe (PID: 4332 cmdline: "C:\Users\user\Desktop\Orden de compra.exe" MD5: D9323DDDDE2041D8B26F7D696499091C)

AddInProcess32.exe (PID: 1268 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ecc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16eb2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ba10:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13bff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.2225140854.00000000064D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2207161212.0000000003361000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: Orden de compra.exe PID: 4332	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: Orden de compra.exe PID: 4332	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.AddInProcess32.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ecc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16eb2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
4.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.AddInProcess32.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dec3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x160b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0.2.Orden de compra.exe.76d0000.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Orden de compra.exe.76d0000.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Orden de compra.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Orden de compra.exe	Virustotal: Detection: 34%			Perma Link
Source: Orden de compra.exe	ReversingLabs: Detection: 55%

Yara detected FormBook

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Orden de compra.exe

Joe Sandbox ML: detected

Source: Orden de compra.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0042BFF3 NtClose,	4_2_0042BFF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082B60 NtClose,LdrInitializeThunk,	4_2_01082B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01082DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01082C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010835C0 NtCreateMutant,LdrInitializeThunk,	4_2_010835C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01084340 NtSetContextThread,	4_2_01084340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01084650 NtSuspendThread,	4_2_01084650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082B80 NtQueryInformationFile,	4_2_01082B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082BA0 NtEnumerateValueKey,	4_2_01082BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082BE0 NtQueryValueKey,	4_2_01082BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082BF0 NtAllocateVirtualMemory,	4_2_01082BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082AB0 NtWaitForSingleObject,	4_2_01082AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082AD0 NtReadFile,	4_2_01082AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082AF0 NtWriteFile,	4_2_01082AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082D00 NtSetInformationFile,	4_2_01082D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082D10 NtMapViewOfSection,	4_2_01082D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082D30 NtUnmapViewOfSection,	4_2_01082D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082DB0 NtEnumerateKey,	4_2_01082DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082DD0 NtDelayExecution,	4_2_01082DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082C00 NtQueryInformationProcess,	4_2_01082C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082C60 NtCreateKey,	4_2_01082C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082CA0 NtQueryInformationToken,	4_2_01082CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082CC0 NtQueryVirtualMemory,	4_2_01082CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082CF0 NtOpenProcess,	4_2_01082CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082F30 NtCreateSection,	4_2_01082F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082F60 NtCreateProcessEx,	4_2_01082F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082F90 NtProtectVirtualMemory,	4_2_01082F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082FA0 NtQuerySection,	4_2_01082FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082FB0 NtResumeThread,	4_2_01082FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082FE0 NtCreateFile,	4_2_01082FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082E30 NtWriteVirtualMemory,	4_2_01082E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082E80 NtReadVirtualMemory,	4_2_01082E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082EA0 NtAdjustPrivilegesToken,	4_2_01082EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082EE0 NtQueueApcThread,	4_2_01082EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01083010 NtOpenDirectoryObject,	4_2_01083010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01083090 NtSetValueKey,	4_2_01083090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010839B0 NtGetContextThread,	4_2_010839B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01083D10 NtOpenProcessToken,	4_2_01083D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01083D70 NtOpenThread,	4_2_01083D70

Source: C:\Users\user\Desktop\Orden de compra.exe

Code function: 0_2_09E09C68 CreateProcessAsUserW,

0_2_09E09C68

Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_018EA3D8	0_2_018EA3D8
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_018E6748	0_2_018E6748
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_018E4680	0_2_018E4680
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_018E7388	0_2_018E7388
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_018EA3C8	0_2_018EA3C8
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E04B00	0_2_09E04B00
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E08A90	0_2_09E08A90
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E0A240	0_2_09E0A240
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E02CE0	0_2_09E02CE0
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E04448	0_2_09E04448
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E00040	0_2_09E00040
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E00012	0_2_09E00012
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E0AB28	0_2_09E0AB28
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E04AF0	0_2_09E04AF0
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E0E2F8	0_2_09E0E2F8
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E0EA00	0_2_09E0EA00
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E02CD0	0_2_09E02CD0
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E08483	0_2_09E08483
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E08490	0_2_09E08490
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E03C68	0_2_09E03C68
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E03C78	0_2_09E03C78
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E04438	0_2_09E04438
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E067EB	0_2_09E067EB
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E067F8	0_2_09E067F8
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E02F80	0_2_09E02F80
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E02F70	0_2_09E02F70
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E07F59	0_2_09E07F59
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E03600	0_2_09E03600
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E03610	0_2_09E03610
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA10040	0_2_0BA10040
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA1B3B0	0_2_0BA1B3B0
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA1B3C0	0_2_0BA1B3C0
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA1EF58	0_2_0BA1EF58
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA176B8	0_2_0BA176B8
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA1763D	0_2_0BA1763D
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BE10040	0_2_0BE10040
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BE1D81B	0_2_0BE1D81B
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BE1003B	0_2_0BE1003B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00403010	4_2_00403010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040F913	4_2_0040F913
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00401190	4_2_00401190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0041621F	4_2_0041621F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00416223	4_2_00416223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_004022A4	4_2_004022A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_004022B0	4_2_004022B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040FB33	4_2_0040FB33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00401B87	4_2_00401B87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00401B90	4_2_00401B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040DBB1	4_2_0040DBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040DBB3	4_2_0040DBB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00402480	4_2_00402480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0042E5B3	4_2_0042E5B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01040100	4_2_01040100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EA118	4_2_010EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D8158	4_2_010D8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011041A2	4_2_011041A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011101AA	4_2_011101AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011081CC	4_2_011081CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E2000	4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110A352	4_2_0110A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105E3F0	4_2_0105E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011103E6	4_2_011103E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D02C0	4_2_010D02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050535	4_2_01050535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01110591	4_2_01110591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F4420	4_2_010F4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01102446	4_2_01102446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FE4F6	4_2_010FE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01074750	4_2_01074750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104C7C0	4_2_0104C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106C6E0	4_2_0106C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01066962	4_2_01066962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0111A9A6	4_2_0111A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105A840	4_2_0105A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01052840	4_2_01052840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010368B8	4_2_010368B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E8F0	4_2_0107E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110AB40	4_2_0110AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01106BD7	4_2_01106BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105AD00	4_2_0105AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010ECD1F	4_2_010ECD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01068DBF	4_2_01068DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104ADE0	4_2_0104ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050C00	4_2_01050C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0CB5	4_2_010F0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01040CF2	4_2_01040CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01092F28	4_2_01092F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01070F30	4_2_01070F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F2F30	4_2_010F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C4F40	4_2_010C4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CEFA0	4_2_010CEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01042FC8	4_2_01042FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105CFE0	4_2_0105CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110EE26	4_2_0110EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050E59	4_2_01050E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110CE93	4_2_0110CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01062E90	4_2_01062E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110EEDB	4_2_0110EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0108516C	4_2_0108516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103F172	4_2_0103F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0111B16B	4_2_0111B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105B1B0	4_2_0105B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FF0CC	4_2_010FF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010570C0	4_2_010570C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110F0E0	4_2_0110F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011070E9	4_2_011070E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110132D	4_2_0110132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103D34C	4_2_0103D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0109739A	4_2_0109739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010552A0	4_2_010552A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106B2C0	4_2_0106B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F12ED	4_2_010F12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01107571	4_2_01107571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010ED5B0	4_2_010ED5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011195C3	4_2_011195C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110F43F	4_2_0110F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01041460	4_2_01041460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110F7B0	4_2_0110F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010417EC	4_2_010417EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01095630	4_2_01095630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011016CC	4_2_011016CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E5910	4_2_010E5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01059950	4_2_01059950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106B950	4_2_0106B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BD800	4_2_010BD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010538E0	4_2_010538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110FB76	4_2_0110FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106FB80	4_2_0106FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0108DBF9	4_2_0108DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C5BF0	4_2_010C5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01107A46	4_2_01107A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110FA49	4_2_0110FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C3A6C	4_2_010C3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EDAAC	4_2_010EDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01095AA0	4_2_01095AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F1AA3	4_2_010F1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FDAC6	4_2_010FDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01053D40	4_2_01053D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01101D5A	4_2_01101D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01107D73	4_2_01107D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106FDC0	4_2_0106FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C9C32	4_2_010C9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110FCF2	4_2_0110FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110FF09	4_2_0110FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01051F92	4_2_01051F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110FFB1	4_2_0110FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01013FD2	4_2_01013FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01013FD5	4_2_01013FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01059EB0	4_2_01059EB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 0103B970 appears 283 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01085130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 010CF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01097E54 appears 109 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 010BEA12 appears 86 times

Source: Orden de compra.exe, 00000000.00000002.2206216626.000000000141E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Orden de compra.exe
Source: Orden de compra.exe, 00000000.00000002.2225140854.00000000064D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHPzFG9.dll" vs Orden de compra.exe
Source: Orden de compra.exe, 00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHPzFG9.dll" vs Orden de compra.exe
Source: Orden de compra.exe, 00000000.00000002.2224165565.0000000005A50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll, vs Orden de compra.exe

Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\Orden de compra.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de compra.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe

Mutant created: NULL

Source: Orden de compra.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Orden de compra.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\Orden de compra.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Orden de compra.exe	Virustotal: Detection: 34%
Source: Orden de compra.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\Orden de compra.exe

File read: C:\Users\user\Desktop\Orden de compra.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Orden de compra.exe "C:\Users\user\Desktop\Orden de compra.exe"
Source: C:\Users\user\Desktop\Orden de compra.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\Orden de compra.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Orden de compra.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Orden de compra.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Orden de compra.exe

Static file information: File size 2419712 > 1048576

Source: Orden de compra.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x24e600

Source: Orden de compra.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.Orden de compra.exe.76d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra.exe.76d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2225140854.00000000064D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2207161212.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de compra.exe PID: 4332, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: Orden de compra.exe, n5T.cs

.Net Code: NewLateBinding.LateCall(objectValue2, (Type)null, "Invoke", new object[2]{null,Ra4()}, (string[])null, (Type[])null, (bool[])null, true)

Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_09E04438 push 5DE58B90h; ret	0_2_09E043E9
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA197B1 push ebx; ret	0_2_0BA197B2
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA1B388 push eax; ret	0_2_0BA1B389
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA1A31B push edi; ret	0_2_0BA1A322
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA19747 push edx; ret	0_2_0BA1975A
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA196E5 push edx; ret	0_2_0BA1975A
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA1AED1 pushad ; ret	0_2_0BA1AED2
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA19CE1 push esp; ret	0_2_0BA19CE2
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BA1B8C0 pushad ; ret	0_2_0BA1B8C1
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BE1D29B push ebx; ret	0_2_0BE1D2A1
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BE16205 push eax; ret	0_2_0BE1630E
Source: C:\Users\user\Desktop\Orden de compra.exe	Code function: 0_2_0BE17991 pushfd ; ret	0_2_0BE17992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00423E33 pushad ; iretd	4_2_00423EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00415062 push edx; retf	4_2_00415066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0041E23E push edx; retf	4_2_0041E23F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_004142A4 push esi; iretd	4_2_004142A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_004032B0 push eax; ret	4_2_004032B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00408349 push ss; retf	4_2_0040834A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0041EB78 push 39FD2CB0h; ret	4_2_0041EB7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040831C push esi; retf	4_2_0040831D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040C38A push edi; retf	4_2_0040C38B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0041E513 push ecx; retf	4_2_0041E514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00413518 pushfd ; ret	4_2_00413519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00411DE8 push 7D2EA5D3h; retf	4_2_00411DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0041A5FF push ebp; iretd	4_2_0041A601
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0041E58D push ss; iretd	4_2_0041E598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00406EA8 push edi; iretd	4_2_00406EA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0101225F pushad ; ret	4_2_010127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010127FA pushad ; ret	4_2_010127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010409AD push ecx; mov dword ptr [esp], ecx	4_2_010409B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0101283D push eax; iretd	4_2_01012858

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Orden de compra.exe

File opened: C:\Users\user\Desktop\Orden de compra.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Orden de compra.exe PID: 4332, type: MEMORYSTR

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\Desktop\Orden de compra.exe

Section loaded: OutputDebugStringW count: 1939

Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 18A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 3360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 64D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 5B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 78A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 88A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 8AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 78A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: 8AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: C120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: D120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: D5C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory allocated: E5C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 4_2_0108096E rdtsc

4_2_0108096E

Source: C:\Users\user\Desktop\Orden de compra.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe	Window / User API: threadDelayed 2674			Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Window / User API: threadDelayed 7120			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

API coverage: 0.6 %

Source: C:\Users\user\Desktop\Orden de compra.exe TID: 6300	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe TID: 6300	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6884	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: Orden de compra.exe, 00000000.00000002.2225140854.00000000064D1000.00000004.00000800.00020000.00000000.sdmp, Orden de compra.exe, 00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: Orden de compra.exe, 00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 806010189GSOFTWARE\VMware, Inc.\VMware VGAuth

Source: C:\Users\user\Desktop\Orden de compra.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 4_2_0108096E rdtsc

4_2_0108096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 4_2_004171D3 LdrLoadDll,

4_2_004171D3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov eax, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov ecx, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov eax, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov eax, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov ecx, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov eax, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov eax, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov ecx, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov eax, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE10E mov ecx, dword ptr fs:[00000030h]	4_2_010EE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01100115 mov eax, dword ptr fs:[00000030h]	4_2_01100115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EA118 mov ecx, dword ptr fs:[00000030h]	4_2_010EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EA118 mov eax, dword ptr fs:[00000030h]	4_2_010EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EA118 mov eax, dword ptr fs:[00000030h]	4_2_010EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EA118 mov eax, dword ptr fs:[00000030h]	4_2_010EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01070124 mov eax, dword ptr fs:[00000030h]	4_2_01070124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D4144 mov eax, dword ptr fs:[00000030h]	4_2_010D4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D4144 mov eax, dword ptr fs:[00000030h]	4_2_010D4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D4144 mov ecx, dword ptr fs:[00000030h]	4_2_010D4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D4144 mov eax, dword ptr fs:[00000030h]	4_2_010D4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D4144 mov eax, dword ptr fs:[00000030h]	4_2_010D4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046154 mov eax, dword ptr fs:[00000030h]	4_2_01046154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046154 mov eax, dword ptr fs:[00000030h]	4_2_01046154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103C156 mov eax, dword ptr fs:[00000030h]	4_2_0103C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D8158 mov eax, dword ptr fs:[00000030h]	4_2_010D8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114164 mov eax, dword ptr fs:[00000030h]	4_2_01114164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114164 mov eax, dword ptr fs:[00000030h]	4_2_01114164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FC188 mov eax, dword ptr fs:[00000030h]	4_2_010FC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FC188 mov eax, dword ptr fs:[00000030h]	4_2_010FC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01080185 mov eax, dword ptr fs:[00000030h]	4_2_01080185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E4180 mov eax, dword ptr fs:[00000030h]	4_2_010E4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E4180 mov eax, dword ptr fs:[00000030h]	4_2_010E4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C019F mov eax, dword ptr fs:[00000030h]	4_2_010C019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C019F mov eax, dword ptr fs:[00000030h]	4_2_010C019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C019F mov eax, dword ptr fs:[00000030h]	4_2_010C019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C019F mov eax, dword ptr fs:[00000030h]	4_2_010C019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103A197 mov eax, dword ptr fs:[00000030h]	4_2_0103A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103A197 mov eax, dword ptr fs:[00000030h]	4_2_0103A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103A197 mov eax, dword ptr fs:[00000030h]	4_2_0103A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011061C3 mov eax, dword ptr fs:[00000030h]	4_2_011061C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011061C3 mov eax, dword ptr fs:[00000030h]	4_2_011061C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE1D0 mov eax, dword ptr fs:[00000030h]	4_2_010BE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE1D0 mov eax, dword ptr fs:[00000030h]	4_2_010BE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE1D0 mov ecx, dword ptr fs:[00000030h]	4_2_010BE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE1D0 mov eax, dword ptr fs:[00000030h]	4_2_010BE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE1D0 mov eax, dword ptr fs:[00000030h]	4_2_010BE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011161E5 mov eax, dword ptr fs:[00000030h]	4_2_011161E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010701F8 mov eax, dword ptr fs:[00000030h]	4_2_010701F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C4000 mov ecx, dword ptr fs:[00000030h]	4_2_010C4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E2000 mov eax, dword ptr fs:[00000030h]	4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E2000 mov eax, dword ptr fs:[00000030h]	4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E2000 mov eax, dword ptr fs:[00000030h]	4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E2000 mov eax, dword ptr fs:[00000030h]	4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E2000 mov eax, dword ptr fs:[00000030h]	4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E2000 mov eax, dword ptr fs:[00000030h]	4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E2000 mov eax, dword ptr fs:[00000030h]	4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E2000 mov eax, dword ptr fs:[00000030h]	4_2_010E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105E016 mov eax, dword ptr fs:[00000030h]	4_2_0105E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105E016 mov eax, dword ptr fs:[00000030h]	4_2_0105E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105E016 mov eax, dword ptr fs:[00000030h]	4_2_0105E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105E016 mov eax, dword ptr fs:[00000030h]	4_2_0105E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103A020 mov eax, dword ptr fs:[00000030h]	4_2_0103A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103C020 mov eax, dword ptr fs:[00000030h]	4_2_0103C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D6030 mov eax, dword ptr fs:[00000030h]	4_2_010D6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01042050 mov eax, dword ptr fs:[00000030h]	4_2_01042050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C6050 mov eax, dword ptr fs:[00000030h]	4_2_010C6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106C073 mov eax, dword ptr fs:[00000030h]	4_2_0106C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104208A mov eax, dword ptr fs:[00000030h]	4_2_0104208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010380A0 mov eax, dword ptr fs:[00000030h]	4_2_010380A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D80A8 mov eax, dword ptr fs:[00000030h]	4_2_010D80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011060B8 mov eax, dword ptr fs:[00000030h]	4_2_011060B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011060B8 mov ecx, dword ptr fs:[00000030h]	4_2_011060B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C20DE mov eax, dword ptr fs:[00000030h]	4_2_010C20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103A0E3 mov ecx, dword ptr fs:[00000030h]	4_2_0103A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C60E0 mov eax, dword ptr fs:[00000030h]	4_2_010C60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010480E9 mov eax, dword ptr fs:[00000030h]	4_2_010480E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103C0F0 mov eax, dword ptr fs:[00000030h]	4_2_0103C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010820F0 mov ecx, dword ptr fs:[00000030h]	4_2_010820F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A30B mov eax, dword ptr fs:[00000030h]	4_2_0107A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A30B mov eax, dword ptr fs:[00000030h]	4_2_0107A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A30B mov eax, dword ptr fs:[00000030h]	4_2_0107A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103C310 mov ecx, dword ptr fs:[00000030h]	4_2_0103C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01060310 mov ecx, dword ptr fs:[00000030h]	4_2_01060310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01118324 mov eax, dword ptr fs:[00000030h]	4_2_01118324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01118324 mov ecx, dword ptr fs:[00000030h]	4_2_01118324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01118324 mov eax, dword ptr fs:[00000030h]	4_2_01118324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01118324 mov eax, dword ptr fs:[00000030h]	4_2_01118324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110A352 mov eax, dword ptr fs:[00000030h]	4_2_0110A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C2349 mov eax, dword ptr fs:[00000030h]	4_2_010C2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C035C mov eax, dword ptr fs:[00000030h]	4_2_010C035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C035C mov eax, dword ptr fs:[00000030h]	4_2_010C035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C035C mov eax, dword ptr fs:[00000030h]	4_2_010C035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C035C mov ecx, dword ptr fs:[00000030h]	4_2_010C035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C035C mov eax, dword ptr fs:[00000030h]	4_2_010C035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C035C mov eax, dword ptr fs:[00000030h]	4_2_010C035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E8350 mov ecx, dword ptr fs:[00000030h]	4_2_010E8350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0111634F mov eax, dword ptr fs:[00000030h]	4_2_0111634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E437C mov eax, dword ptr fs:[00000030h]	4_2_010E437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106438F mov eax, dword ptr fs:[00000030h]	4_2_0106438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106438F mov eax, dword ptr fs:[00000030h]	4_2_0106438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103E388 mov eax, dword ptr fs:[00000030h]	4_2_0103E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103E388 mov eax, dword ptr fs:[00000030h]	4_2_0103E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103E388 mov eax, dword ptr fs:[00000030h]	4_2_0103E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01038397 mov eax, dword ptr fs:[00000030h]	4_2_01038397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01038397 mov eax, dword ptr fs:[00000030h]	4_2_01038397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01038397 mov eax, dword ptr fs:[00000030h]	4_2_01038397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FC3CD mov eax, dword ptr fs:[00000030h]	4_2_010FC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0104A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0104A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0104A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0104A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0104A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0104A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010483C0 mov eax, dword ptr fs:[00000030h]	4_2_010483C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010483C0 mov eax, dword ptr fs:[00000030h]	4_2_010483C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010483C0 mov eax, dword ptr fs:[00000030h]	4_2_010483C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010483C0 mov eax, dword ptr fs:[00000030h]	4_2_010483C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE3DB mov eax, dword ptr fs:[00000030h]	4_2_010EE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE3DB mov eax, dword ptr fs:[00000030h]	4_2_010EE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE3DB mov ecx, dword ptr fs:[00000030h]	4_2_010EE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EE3DB mov eax, dword ptr fs:[00000030h]	4_2_010EE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E43D4 mov eax, dword ptr fs:[00000030h]	4_2_010E43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E43D4 mov eax, dword ptr fs:[00000030h]	4_2_010E43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010503E9 mov eax, dword ptr fs:[00000030h]	4_2_010503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010503E9 mov eax, dword ptr fs:[00000030h]	4_2_010503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010503E9 mov eax, dword ptr fs:[00000030h]	4_2_010503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010503E9 mov eax, dword ptr fs:[00000030h]	4_2_010503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010503E9 mov eax, dword ptr fs:[00000030h]	4_2_010503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010503E9 mov eax, dword ptr fs:[00000030h]	4_2_010503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010503E9 mov eax, dword ptr fs:[00000030h]	4_2_010503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010503E9 mov eax, dword ptr fs:[00000030h]	4_2_010503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0105E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0105E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0105E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010763FF mov eax, dword ptr fs:[00000030h]	4_2_010763FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103823B mov eax, dword ptr fs:[00000030h]	4_2_0103823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0111625D mov eax, dword ptr fs:[00000030h]	4_2_0111625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C8243 mov eax, dword ptr fs:[00000030h]	4_2_010C8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C8243 mov ecx, dword ptr fs:[00000030h]	4_2_010C8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103A250 mov eax, dword ptr fs:[00000030h]	4_2_0103A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046259 mov eax, dword ptr fs:[00000030h]	4_2_01046259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FA250 mov eax, dword ptr fs:[00000030h]	4_2_010FA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FA250 mov eax, dword ptr fs:[00000030h]	4_2_010FA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01044260 mov eax, dword ptr fs:[00000030h]	4_2_01044260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01044260 mov eax, dword ptr fs:[00000030h]	4_2_01044260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01044260 mov eax, dword ptr fs:[00000030h]	4_2_01044260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103826B mov eax, dword ptr fs:[00000030h]	4_2_0103826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F0274 mov eax, dword ptr fs:[00000030h]	4_2_010F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E284 mov eax, dword ptr fs:[00000030h]	4_2_0107E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E284 mov eax, dword ptr fs:[00000030h]	4_2_0107E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C0283 mov eax, dword ptr fs:[00000030h]	4_2_010C0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C0283 mov eax, dword ptr fs:[00000030h]	4_2_010C0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C0283 mov eax, dword ptr fs:[00000030h]	4_2_010C0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010502A0 mov eax, dword ptr fs:[00000030h]	4_2_010502A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010502A0 mov eax, dword ptr fs:[00000030h]	4_2_010502A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D62A0 mov eax, dword ptr fs:[00000030h]	4_2_010D62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D62A0 mov ecx, dword ptr fs:[00000030h]	4_2_010D62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D62A0 mov eax, dword ptr fs:[00000030h]	4_2_010D62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D62A0 mov eax, dword ptr fs:[00000030h]	4_2_010D62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D62A0 mov eax, dword ptr fs:[00000030h]	4_2_010D62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D62A0 mov eax, dword ptr fs:[00000030h]	4_2_010D62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0104A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0104A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0104A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0104A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0104A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011162D6 mov eax, dword ptr fs:[00000030h]	4_2_011162D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010502E1 mov eax, dword ptr fs:[00000030h]	4_2_010502E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010502E1 mov eax, dword ptr fs:[00000030h]	4_2_010502E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010502E1 mov eax, dword ptr fs:[00000030h]	4_2_010502E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D6500 mov eax, dword ptr fs:[00000030h]	4_2_010D6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114500 mov eax, dword ptr fs:[00000030h]	4_2_01114500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114500 mov eax, dword ptr fs:[00000030h]	4_2_01114500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114500 mov eax, dword ptr fs:[00000030h]	4_2_01114500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114500 mov eax, dword ptr fs:[00000030h]	4_2_01114500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114500 mov eax, dword ptr fs:[00000030h]	4_2_01114500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114500 mov eax, dword ptr fs:[00000030h]	4_2_01114500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114500 mov eax, dword ptr fs:[00000030h]	4_2_01114500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050535 mov eax, dword ptr fs:[00000030h]	4_2_01050535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050535 mov eax, dword ptr fs:[00000030h]	4_2_01050535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050535 mov eax, dword ptr fs:[00000030h]	4_2_01050535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050535 mov eax, dword ptr fs:[00000030h]	4_2_01050535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050535 mov eax, dword ptr fs:[00000030h]	4_2_01050535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050535 mov eax, dword ptr fs:[00000030h]	4_2_01050535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E53E mov eax, dword ptr fs:[00000030h]	4_2_0106E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E53E mov eax, dword ptr fs:[00000030h]	4_2_0106E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E53E mov eax, dword ptr fs:[00000030h]	4_2_0106E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E53E mov eax, dword ptr fs:[00000030h]	4_2_0106E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E53E mov eax, dword ptr fs:[00000030h]	4_2_0106E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01048550 mov eax, dword ptr fs:[00000030h]	4_2_01048550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01048550 mov eax, dword ptr fs:[00000030h]	4_2_01048550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107656A mov eax, dword ptr fs:[00000030h]	4_2_0107656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107656A mov eax, dword ptr fs:[00000030h]	4_2_0107656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107656A mov eax, dword ptr fs:[00000030h]	4_2_0107656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01042582 mov eax, dword ptr fs:[00000030h]	4_2_01042582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01042582 mov ecx, dword ptr fs:[00000030h]	4_2_01042582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01074588 mov eax, dword ptr fs:[00000030h]	4_2_01074588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E59C mov eax, dword ptr fs:[00000030h]	4_2_0107E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C05A7 mov eax, dword ptr fs:[00000030h]	4_2_010C05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C05A7 mov eax, dword ptr fs:[00000030h]	4_2_010C05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C05A7 mov eax, dword ptr fs:[00000030h]	4_2_010C05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010645B1 mov eax, dword ptr fs:[00000030h]	4_2_010645B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010645B1 mov eax, dword ptr fs:[00000030h]	4_2_010645B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E5CF mov eax, dword ptr fs:[00000030h]	4_2_0107E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E5CF mov eax, dword ptr fs:[00000030h]	4_2_0107E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010465D0 mov eax, dword ptr fs:[00000030h]	4_2_010465D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0107A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0107A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0106E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0106E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0106E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0106E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0106E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0106E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0106E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0106E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010425E0 mov eax, dword ptr fs:[00000030h]	4_2_010425E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107C5ED mov eax, dword ptr fs:[00000030h]	4_2_0107C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107C5ED mov eax, dword ptr fs:[00000030h]	4_2_0107C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01078402 mov eax, dword ptr fs:[00000030h]	4_2_01078402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01078402 mov eax, dword ptr fs:[00000030h]	4_2_01078402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01078402 mov eax, dword ptr fs:[00000030h]	4_2_01078402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103E420 mov eax, dword ptr fs:[00000030h]	4_2_0103E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103E420 mov eax, dword ptr fs:[00000030h]	4_2_0103E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103E420 mov eax, dword ptr fs:[00000030h]	4_2_0103E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103C427 mov eax, dword ptr fs:[00000030h]	4_2_0103C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C6420 mov eax, dword ptr fs:[00000030h]	4_2_010C6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C6420 mov eax, dword ptr fs:[00000030h]	4_2_010C6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C6420 mov eax, dword ptr fs:[00000030h]	4_2_010C6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C6420 mov eax, dword ptr fs:[00000030h]	4_2_010C6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C6420 mov eax, dword ptr fs:[00000030h]	4_2_010C6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C6420 mov eax, dword ptr fs:[00000030h]	4_2_010C6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C6420 mov eax, dword ptr fs:[00000030h]	4_2_010C6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A430 mov eax, dword ptr fs:[00000030h]	4_2_0107A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E443 mov eax, dword ptr fs:[00000030h]	4_2_0107E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E443 mov eax, dword ptr fs:[00000030h]	4_2_0107E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E443 mov eax, dword ptr fs:[00000030h]	4_2_0107E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E443 mov eax, dword ptr fs:[00000030h]	4_2_0107E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E443 mov eax, dword ptr fs:[00000030h]	4_2_0107E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E443 mov eax, dword ptr fs:[00000030h]	4_2_0107E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E443 mov eax, dword ptr fs:[00000030h]	4_2_0107E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107E443 mov eax, dword ptr fs:[00000030h]	4_2_0107E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FA456 mov eax, dword ptr fs:[00000030h]	4_2_010FA456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106245A mov eax, dword ptr fs:[00000030h]	4_2_0106245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103645D mov eax, dword ptr fs:[00000030h]	4_2_0103645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CC460 mov ecx, dword ptr fs:[00000030h]	4_2_010CC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106A470 mov eax, dword ptr fs:[00000030h]	4_2_0106A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106A470 mov eax, dword ptr fs:[00000030h]	4_2_0106A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106A470 mov eax, dword ptr fs:[00000030h]	4_2_0106A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010FA49A mov eax, dword ptr fs:[00000030h]	4_2_010FA49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010464AB mov eax, dword ptr fs:[00000030h]	4_2_010464AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010744B0 mov ecx, dword ptr fs:[00000030h]	4_2_010744B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CA4B0 mov eax, dword ptr fs:[00000030h]	4_2_010CA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010404E5 mov ecx, dword ptr fs:[00000030h]	4_2_010404E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107C700 mov eax, dword ptr fs:[00000030h]	4_2_0107C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01040710 mov eax, dword ptr fs:[00000030h]	4_2_01040710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01070710 mov eax, dword ptr fs:[00000030h]	4_2_01070710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107C720 mov eax, dword ptr fs:[00000030h]	4_2_0107C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107C720 mov eax, dword ptr fs:[00000030h]	4_2_0107C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BC730 mov eax, dword ptr fs:[00000030h]	4_2_010BC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107273C mov eax, dword ptr fs:[00000030h]	4_2_0107273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107273C mov ecx, dword ptr fs:[00000030h]	4_2_0107273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107273C mov eax, dword ptr fs:[00000030h]	4_2_0107273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107674D mov esi, dword ptr fs:[00000030h]	4_2_0107674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107674D mov eax, dword ptr fs:[00000030h]	4_2_0107674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107674D mov eax, dword ptr fs:[00000030h]	4_2_0107674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CE75D mov eax, dword ptr fs:[00000030h]	4_2_010CE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01040750 mov eax, dword ptr fs:[00000030h]	4_2_01040750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082750 mov eax, dword ptr fs:[00000030h]	4_2_01082750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082750 mov eax, dword ptr fs:[00000030h]	4_2_01082750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C4755 mov eax, dword ptr fs:[00000030h]	4_2_010C4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01048770 mov eax, dword ptr fs:[00000030h]	4_2_01048770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050770 mov eax, dword ptr fs:[00000030h]	4_2_01050770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E678E mov eax, dword ptr fs:[00000030h]	4_2_010E678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010407AF mov eax, dword ptr fs:[00000030h]	4_2_010407AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F47A0 mov eax, dword ptr fs:[00000030h]	4_2_010F47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104C7C0 mov eax, dword ptr fs:[00000030h]	4_2_0104C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C07C3 mov eax, dword ptr fs:[00000030h]	4_2_010C07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010627ED mov eax, dword ptr fs:[00000030h]	4_2_010627ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010627ED mov eax, dword ptr fs:[00000030h]	4_2_010627ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010627ED mov eax, dword ptr fs:[00000030h]	4_2_010627ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CE7E1 mov eax, dword ptr fs:[00000030h]	4_2_010CE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010447FB mov eax, dword ptr fs:[00000030h]	4_2_010447FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010447FB mov eax, dword ptr fs:[00000030h]	4_2_010447FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE609 mov eax, dword ptr fs:[00000030h]	4_2_010BE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105260B mov eax, dword ptr fs:[00000030h]	4_2_0105260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105260B mov eax, dword ptr fs:[00000030h]	4_2_0105260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105260B mov eax, dword ptr fs:[00000030h]	4_2_0105260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105260B mov eax, dword ptr fs:[00000030h]	4_2_0105260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105260B mov eax, dword ptr fs:[00000030h]	4_2_0105260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105260B mov eax, dword ptr fs:[00000030h]	4_2_0105260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105260B mov eax, dword ptr fs:[00000030h]	4_2_0105260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01082619 mov eax, dword ptr fs:[00000030h]	4_2_01082619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105E627 mov eax, dword ptr fs:[00000030h]	4_2_0105E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01076620 mov eax, dword ptr fs:[00000030h]	4_2_01076620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01078620 mov eax, dword ptr fs:[00000030h]	4_2_01078620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104262C mov eax, dword ptr fs:[00000030h]	4_2_0104262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0105C640 mov eax, dword ptr fs:[00000030h]	4_2_0105C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A660 mov eax, dword ptr fs:[00000030h]	4_2_0107A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A660 mov eax, dword ptr fs:[00000030h]	4_2_0107A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01072674 mov eax, dword ptr fs:[00000030h]	4_2_01072674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110866E mov eax, dword ptr fs:[00000030h]	4_2_0110866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110866E mov eax, dword ptr fs:[00000030h]	4_2_0110866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01044690 mov eax, dword ptr fs:[00000030h]	4_2_01044690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01044690 mov eax, dword ptr fs:[00000030h]	4_2_01044690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107C6A6 mov eax, dword ptr fs:[00000030h]	4_2_0107C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010766B0 mov eax, dword ptr fs:[00000030h]	4_2_010766B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A6C7 mov ebx, dword ptr fs:[00000030h]	4_2_0107A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A6C7 mov eax, dword ptr fs:[00000030h]	4_2_0107A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE6F2 mov eax, dword ptr fs:[00000030h]	4_2_010BE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE6F2 mov eax, dword ptr fs:[00000030h]	4_2_010BE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE6F2 mov eax, dword ptr fs:[00000030h]	4_2_010BE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE6F2 mov eax, dword ptr fs:[00000030h]	4_2_010BE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C06F1 mov eax, dword ptr fs:[00000030h]	4_2_010C06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C06F1 mov eax, dword ptr fs:[00000030h]	4_2_010C06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE908 mov eax, dword ptr fs:[00000030h]	4_2_010BE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BE908 mov eax, dword ptr fs:[00000030h]	4_2_010BE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01038918 mov eax, dword ptr fs:[00000030h]	4_2_01038918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01038918 mov eax, dword ptr fs:[00000030h]	4_2_01038918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CC912 mov eax, dword ptr fs:[00000030h]	4_2_010CC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C892A mov eax, dword ptr fs:[00000030h]	4_2_010C892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D892B mov eax, dword ptr fs:[00000030h]	4_2_010D892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C0946 mov eax, dword ptr fs:[00000030h]	4_2_010C0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114940 mov eax, dword ptr fs:[00000030h]	4_2_01114940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01066962 mov eax, dword ptr fs:[00000030h]	4_2_01066962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01066962 mov eax, dword ptr fs:[00000030h]	4_2_01066962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01066962 mov eax, dword ptr fs:[00000030h]	4_2_01066962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0108096E mov eax, dword ptr fs:[00000030h]	4_2_0108096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0108096E mov edx, dword ptr fs:[00000030h]	4_2_0108096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0108096E mov eax, dword ptr fs:[00000030h]	4_2_0108096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CC97C mov eax, dword ptr fs:[00000030h]	4_2_010CC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E4978 mov eax, dword ptr fs:[00000030h]	4_2_010E4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E4978 mov eax, dword ptr fs:[00000030h]	4_2_010E4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010529A0 mov eax, dword ptr fs:[00000030h]	4_2_010529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010409AD mov eax, dword ptr fs:[00000030h]	4_2_010409AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010409AD mov eax, dword ptr fs:[00000030h]	4_2_010409AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C89B3 mov esi, dword ptr fs:[00000030h]	4_2_010C89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C89B3 mov eax, dword ptr fs:[00000030h]	4_2_010C89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010C89B3 mov eax, dword ptr fs:[00000030h]	4_2_010C89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110A9D3 mov eax, dword ptr fs:[00000030h]	4_2_0110A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D69C0 mov eax, dword ptr fs:[00000030h]	4_2_010D69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0104A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0104A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0104A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0104A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0104A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0104A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010749D0 mov eax, dword ptr fs:[00000030h]	4_2_010749D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CE9E0 mov eax, dword ptr fs:[00000030h]	4_2_010CE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010729F9 mov eax, dword ptr fs:[00000030h]	4_2_010729F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010729F9 mov eax, dword ptr fs:[00000030h]	4_2_010729F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CC810 mov eax, dword ptr fs:[00000030h]	4_2_010CC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01062835 mov eax, dword ptr fs:[00000030h]	4_2_01062835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01062835 mov eax, dword ptr fs:[00000030h]	4_2_01062835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01062835 mov eax, dword ptr fs:[00000030h]	4_2_01062835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01062835 mov ecx, dword ptr fs:[00000030h]	4_2_01062835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01062835 mov eax, dword ptr fs:[00000030h]	4_2_01062835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01062835 mov eax, dword ptr fs:[00000030h]	4_2_01062835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E483A mov eax, dword ptr fs:[00000030h]	4_2_010E483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E483A mov eax, dword ptr fs:[00000030h]	4_2_010E483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107A830 mov eax, dword ptr fs:[00000030h]	4_2_0107A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01052840 mov ecx, dword ptr fs:[00000030h]	4_2_01052840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01070854 mov eax, dword ptr fs:[00000030h]	4_2_01070854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01044859 mov eax, dword ptr fs:[00000030h]	4_2_01044859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01044859 mov eax, dword ptr fs:[00000030h]	4_2_01044859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D6870 mov eax, dword ptr fs:[00000030h]	4_2_010D6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D6870 mov eax, dword ptr fs:[00000030h]	4_2_010D6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CE872 mov eax, dword ptr fs:[00000030h]	4_2_010CE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CE872 mov eax, dword ptr fs:[00000030h]	4_2_010CE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01040887 mov eax, dword ptr fs:[00000030h]	4_2_01040887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CC89D mov eax, dword ptr fs:[00000030h]	4_2_010CC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106E8C0 mov eax, dword ptr fs:[00000030h]	4_2_0106E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_011108C0 mov eax, dword ptr fs:[00000030h]	4_2_011108C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110A8E4 mov eax, dword ptr fs:[00000030h]	4_2_0110A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0107C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0107C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114B00 mov eax, dword ptr fs:[00000030h]	4_2_01114B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h]	4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h]	4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h]	4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h]	4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h]	4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h]	4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h]	4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h]	4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BEB1D mov eax, dword ptr fs:[00000030h]	4_2_010BEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106EB20 mov eax, dword ptr fs:[00000030h]	4_2_0106EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106EB20 mov eax, dword ptr fs:[00000030h]	4_2_0106EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01108B28 mov eax, dword ptr fs:[00000030h]	4_2_01108B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01108B28 mov eax, dword ptr fs:[00000030h]	4_2_01108B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F4B4B mov eax, dword ptr fs:[00000030h]	4_2_010F4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F4B4B mov eax, dword ptr fs:[00000030h]	4_2_010F4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01112B57 mov eax, dword ptr fs:[00000030h]	4_2_01112B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01112B57 mov eax, dword ptr fs:[00000030h]	4_2_01112B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01112B57 mov eax, dword ptr fs:[00000030h]	4_2_01112B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01112B57 mov eax, dword ptr fs:[00000030h]	4_2_01112B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010E8B42 mov eax, dword ptr fs:[00000030h]	4_2_010E8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D6B40 mov eax, dword ptr fs:[00000030h]	4_2_010D6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010D6B40 mov eax, dword ptr fs:[00000030h]	4_2_010D6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0110AB40 mov eax, dword ptr fs:[00000030h]	4_2_0110AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01038B50 mov eax, dword ptr fs:[00000030h]	4_2_01038B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EEB50 mov eax, dword ptr fs:[00000030h]	4_2_010EEB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0103CB7E mov eax, dword ptr fs:[00000030h]	4_2_0103CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050BBE mov eax, dword ptr fs:[00000030h]	4_2_01050BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050BBE mov eax, dword ptr fs:[00000030h]	4_2_01050BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F4BB0 mov eax, dword ptr fs:[00000030h]	4_2_010F4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010F4BB0 mov eax, dword ptr fs:[00000030h]	4_2_010F4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01040BCD mov eax, dword ptr fs:[00000030h]	4_2_01040BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01040BCD mov eax, dword ptr fs:[00000030h]	4_2_01040BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01040BCD mov eax, dword ptr fs:[00000030h]	4_2_01040BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01060BCB mov eax, dword ptr fs:[00000030h]	4_2_01060BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01060BCB mov eax, dword ptr fs:[00000030h]	4_2_01060BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01060BCB mov eax, dword ptr fs:[00000030h]	4_2_01060BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EEBD0 mov eax, dword ptr fs:[00000030h]	4_2_010EEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01048BF0 mov eax, dword ptr fs:[00000030h]	4_2_01048BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01048BF0 mov eax, dword ptr fs:[00000030h]	4_2_01048BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01048BF0 mov eax, dword ptr fs:[00000030h]	4_2_01048BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106EBFC mov eax, dword ptr fs:[00000030h]	4_2_0106EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CCBF0 mov eax, dword ptr fs:[00000030h]	4_2_010CCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010CCA11 mov eax, dword ptr fs:[00000030h]	4_2_010CCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107CA24 mov eax, dword ptr fs:[00000030h]	4_2_0107CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0106EA2E mov eax, dword ptr fs:[00000030h]	4_2_0106EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01064A35 mov eax, dword ptr fs:[00000030h]	4_2_01064A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01064A35 mov eax, dword ptr fs:[00000030h]	4_2_01064A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107CA38 mov eax, dword ptr fs:[00000030h]	4_2_0107CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046A50 mov eax, dword ptr fs:[00000030h]	4_2_01046A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046A50 mov eax, dword ptr fs:[00000030h]	4_2_01046A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046A50 mov eax, dword ptr fs:[00000030h]	4_2_01046A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046A50 mov eax, dword ptr fs:[00000030h]	4_2_01046A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046A50 mov eax, dword ptr fs:[00000030h]	4_2_01046A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046A50 mov eax, dword ptr fs:[00000030h]	4_2_01046A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01046A50 mov eax, dword ptr fs:[00000030h]	4_2_01046A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050A5B mov eax, dword ptr fs:[00000030h]	4_2_01050A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01050A5B mov eax, dword ptr fs:[00000030h]	4_2_01050A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107CA6F mov eax, dword ptr fs:[00000030h]	4_2_0107CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107CA6F mov eax, dword ptr fs:[00000030h]	4_2_0107CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0107CA6F mov eax, dword ptr fs:[00000030h]	4_2_0107CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010EEA60 mov eax, dword ptr fs:[00000030h]	4_2_010EEA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BCA72 mov eax, dword ptr fs:[00000030h]	4_2_010BCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_010BCA72 mov eax, dword ptr fs:[00000030h]	4_2_010BCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h]	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h]	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h]	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h]	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h]	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h]	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h]	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h]	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0104EA80 mov eax, dword ptr fs:[00000030h]	4_2_0104EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01114A80 mov eax, dword ptr fs:[00000030h]	4_2_01114A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01078A90 mov edx, dword ptr fs:[00000030h]	4_2_01078A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01048AA0 mov eax, dword ptr fs:[00000030h]	4_2_01048AA0

Source: C:\Users\user\Desktop\Orden de compra.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Orden de compra.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Orden de compra.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 8C2008	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe	Queries volume information: C:\Users\user\Desktop\Orden de compra.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	211 Process Injection	1 Access Token Manipulation	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	211 Process Injection	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Obfuscated Files or Information	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Software Packing	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Orden de compra.exe	35%	Virustotal		Browse
Orden de compra.exe	55%	ReversingLabs	Win32.Backdoor.FormBook
Orden de compra.exe	100%	Avira	HEUR/AGEN.1314448
Orden de compra.exe	100%	Joe Sandbox ML

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501078
Start date and time:	2024-08-29 12:01:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Orden de compra.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 101 Number of non-executed functions: 216
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:02:42	API Interceptor	25118x Sleep call for process: Orden de compra.exe modified
06:03:51	API Interceptor	3x Sleep call for process: AddInProcess32.exe modified

Process:	C:\Users\user\Desktop\Orden de compra.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5:	E193AFF55D4BDD9951CB4287A7D79653
SHA1:	F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256:	08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512:	86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7579869078341765
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	Orden de compra.exe
File size:	2'419'712 bytes
MD5:	d9323dddde2041d8b26f7d696499091c
SHA1:	535dc286d8a67be9bca93674ff800c44cfb9b2d1
SHA256:	08c422305e7b10e56d7338bcdf37637b0837e47b6accdee26b43fa93cf3e435d
SHA512:	a4a6f044cfb39549cd8bd9d16584f37b872b7e742f9aa67ff8583ae39f1450395ffde615dbd32b9d462df6038c36aff7bea376dc353267de28e9685827d5afe0
SSDEEP:	49152:2nb1glo964faXOqMuP0FA/WEvwjzfyz6LTG5hSWA:2nb2u96YcOqMuP0FA/tgzKBvd
TLSH:	39B523DE13E55804F27FFAB4B038209116F564CB3811D22F84D5C5EDBB33ACAAA556E2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...P...$.........~.%.. ... %...@.. .......................`%...........`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x65047e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x1E05B37F [Tue Dec 17 17:55:11 1985 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25042c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x252000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x254000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x24e484	0x24e600	d72a50882a356056dc24c54c37c1ab42	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x252000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x254000	0xc	0x200	87062ee954ffdc917a3f55b67af5db96	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	06:02:37
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Orden de compra.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Orden de compra.exe"
Imagebase:	0xe40000
File size:	2'419'712 bytes
MD5 hash:	D9323DDDDE2041D8B26F7D696499091C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2225140854.00000000064D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2226496984.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2207161212.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:03:13
Start date:	29/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x660000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2282244894.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	23.8%
Dynamic/Decrypted Code Coverage:	98.7%
Signature Coverage:	19%
Total number of Nodes:	158
Total number of Limit Nodes:	25

Executed Functions

Function 0BE1003B Relevance: 5.5, Instructions: 5546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814e945155b14065fac38b88a4d9237b91708aff6b9f5a0b245035784c7c14b3
Instruction ID: 13ff3a3fe2972703ee1aefd9274175c6f76382ad8e3909c8c5b845caaa072589
Opcode Fuzzy Hash: 814e945155b14065fac38b88a4d9237b91708aff6b9f5a0b245035784c7c14b3
Instruction Fuzzy Hash: 47B3E574A012188FCB68EF79D99966CBBF2BB89310F5088E9D44DA7350DB349E85CF41

Function 0BE10040 Relevance: 5.5, Instructions: 5545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37e664ca6ade86cf3db298d825c788ffa1d27af2f2a9a34033dc329f7d98dbe
Instruction ID: 39aace23f95522ceafeb82903f5a183754c0dfd2608ea3d1d763127e3d91e6b8
Opcode Fuzzy Hash: a37e664ca6ade86cf3db298d825c788ffa1d27af2f2a9a34033dc329f7d98dbe
Instruction Fuzzy Hash: E3B3E574A012188FCB68EF79D99966CBBF2BB89310F5088E9D44DA7350DB349E85CF41

Function 0BA10040 Relevance: 5.2, Instructions: 5226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2229938982.000000000BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fb51618194f277eafcd8c864379d3ecac10eaa213cc544991465e52ad3ec55
Instruction ID: a4a7efe1aea7d0dfc5831fa82015fe3bb7eece06e3967762e805a5b89a2adc0a
Opcode Fuzzy Hash: e3fb51618194f277eafcd8c864379d3ecac10eaa213cc544991465e52ad3ec55
Instruction Fuzzy Hash: F7B3E974A452198FCB54EF79DA9966CBBF2BB88300F4089E9D489A3350DF349E85CF41

Function 09E02CE0 Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Q, xrefs: 09E02E3E, 09E02E43
Q!, xrefs: 09E02F2F
Q!, xrefs: 09E02F3D

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID: Q!$Q!${Q
API String ID: 0-433760853
Opcode ID: 85f91c15e8c3ccf33d397ad0a20a24fa6d1d25369d18540e876958e30beaf18d
Instruction ID: c5048d7ba0ad03c8d1efa06d330d09f242546aff16cfece8f1e7ef4807217a75
Opcode Fuzzy Hash: 85f91c15e8c3ccf33d397ad0a20a24fa6d1d25369d18540e876958e30beaf18d
Instruction Fuzzy Hash: 3C71F374D10208DFDB14DFA5D5996AEBBF2FF88300F209029E516AB354EB305985CF91

Function 09E0A240 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q+(i, xrefs: 09E0A38D
Q+(i, xrefs: 09E0A37F

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID: Q+(i$Q+(i
API String ID: 0-3998099878
Opcode ID: f7e48092f9d1f68c745e68121955310dcb5aeeb9f6e819cb1f9590ff72fb6469
Instruction ID: 8ae2ff6df7d3df6c2c6b25be9ae55006a78fac547620f8070eaf3a7089b92e0c
Opcode Fuzzy Hash: f7e48092f9d1f68c745e68121955310dcb5aeeb9f6e819cb1f9590ff72fb6469
Instruction Fuzzy Hash: E081FFB4D1121C8FCB14DFE5D5986EEBBB2BF89340F20A42AD41ABB294DB345981CF54

Function 09E02CD0 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Q, xrefs: 09E02E3E, 09E02E43
Q!, xrefs: 09E02F3D

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID: Q!${Q
API String ID: 0-1531552201
Opcode ID: c65a89178ae978f965e621d2c6543272aa48691eb90cf4b3624ba9cda380ad00
Instruction ID: 479d4ad3d17827d21af1d06ce03f6c6536ba86df21fa29071c316e558904f967
Opcode Fuzzy Hash: c65a89178ae978f965e621d2c6543272aa48691eb90cf4b3624ba9cda380ad00
Instruction Fuzzy Hash: EB71E474E10208DFDB14DFA5D599AAEBBF2FF88300F20852AE516A7354EB305985CF91

Function 09E09C68 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 09E09DD3

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 2a28f8846c825bbe458d602ed286a1b5455da7def71c03e1c5f6c3ee17b66e0b
Instruction ID: 14ec2e129527e3d075e9bd03333986a62cf7f76f4e481b111944d7dcb2282223
Opcode Fuzzy Hash: 2a28f8846c825bbe458d602ed286a1b5455da7def71c03e1c5f6c3ee17b66e0b
Instruction Fuzzy Hash: CD51F4719002299FDB24CF99C840BDDBBB5BF88314F1485AAE808B7251DB75AA85CF50

Function 018E7388 Relevance: 1.0, Instructions: 992COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775100492652b566d59c295ebca36ff341d1366a71074bcf5c7cb9e16f120c06
Instruction ID: 8283a37f89a2b5da6e436366be1fd2a58855c6ace9d19a56a11d2a88496f4f57
Opcode Fuzzy Hash: 775100492652b566d59c295ebca36ff341d1366a71074bcf5c7cb9e16f120c06
Instruction Fuzzy Hash: E6926C30A00249DFDB15CF68C888AAEBBF2BF8A314F158559E515DB3A1D734EE41CB90

Function 018E6748 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f450632543d2d55020a505854e24dcf64d066d0e969870b1520b5f79c45325
Instruction ID: 51699c7a9605bdbd50b68ddc7a04ef3b4c92e574288b8037970b8be6af521e10
Opcode Fuzzy Hash: 63f450632543d2d55020a505854e24dcf64d066d0e969870b1520b5f79c45325
Instruction Fuzzy Hash: 07726070A002199FDB19DF69C848AAEBBF6FF89304F258069E515EB351EB34DD41CB90

Function 09E04AF0 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32314f018e57283c13f87ff447dae92eb457425f0b20210224b5fe047646e5a
Instruction ID: fc983f25ce06ec1e851503444f4d4f5738e66ef90e4086faea3155cd28f773e9
Opcode Fuzzy Hash: b32314f018e57283c13f87ff447dae92eb457425f0b20210224b5fe047646e5a
Instruction Fuzzy Hash: CC123970D1121A8FCB59CF65C984B9DBBF6FB89300F10D6A9D40AAB354E7749E858F40

Function 0BA1763D Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2229938982.000000000BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911e72dbc034b1cfd11f62c4c3fd8e38cc85a4a7b72e781502f23f3ed318e473
Instruction ID: 55e697b4df93ebd8f78759631ab65510f4a981e15210c0018958f15d728e7674
Opcode Fuzzy Hash: 911e72dbc034b1cfd11f62c4c3fd8e38cc85a4a7b72e781502f23f3ed318e473
Instruction Fuzzy Hash: 02A1E374B043589FDF589F7488546BE7BB2BF89700B09856EE066E7389CE348C86C791

Function 018EA3D8 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602895d61ffc2c88ef2a658545ab78b91607daa14e3feb0ee5ca6a0d2a78e1c2
Instruction ID: 1d6bc68b2f3f859db7e0618211bf8f5ef4924db5efc0cc2bcb75af114773739a
Opcode Fuzzy Hash: 602895d61ffc2c88ef2a658545ab78b91607daa14e3feb0ee5ca6a0d2a78e1c2
Instruction Fuzzy Hash: E1E18174D002288FDB69DF69C994AD9BBF2BF8A310F1081E9D549A7360DB359E81CF50

Function 09E04B00 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de9a00cdaa029ed7d0b373d0be3589f99234d0b692e8737514dca5905972355
Instruction ID: 3986179c6653c6297f7642e4579e1b06ce989b74c46a1f2a1b609c3171a3ccc0
Opcode Fuzzy Hash: 2de9a00cdaa029ed7d0b373d0be3589f99234d0b692e8737514dca5905972355
Instruction Fuzzy Hash: 68D12874A1126A8BCB64CF25C944BD9BBF6BB88340F00D6EAD40AA7254E7709EC58F40

Function 018EA3C8 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b82456647b20631f846494724ba3e9de1fe3bb6b07ccbaba9c6afe07df058c
Instruction ID: 4160b56d26850d3b48c3b1e8a3e4f520e1c0e528dfe7b0cedf8550451bf4b6f6
Opcode Fuzzy Hash: 94b82456647b20631f846494724ba3e9de1fe3bb6b07ccbaba9c6afe07df058c
Instruction Fuzzy Hash: E8C19074D002288FDB69DF69C994AD9BBF2BF8A300F1481E9D549A7360DB359E81CF50

Function 018E4680 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c480534abdf410c623c0f2d25f60385344712f346f11bc79db8ebf1025ba7a
Instruction ID: bbc97792acd7e1c53b82595ed54e5135e57567f8e81d6f744eb70896d361a10e
Opcode Fuzzy Hash: 62c480534abdf410c623c0f2d25f60385344712f346f11bc79db8ebf1025ba7a
Instruction Fuzzy Hash: 45B1D574E00218CFDB28DFA9D944B9EBBF2BF89300F1480A9D459A7365DB349A85CF51

Function 09E08A90 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0e01b0128031e2c09f8902bb531780684a7b03c1413bd7235794171dcfd57c
Instruction ID: 76886e38a0b00d9a862460bddd67cbb532d8f22f50a98a0fefb83c0314ea1aca
Opcode Fuzzy Hash: fd0e01b0128031e2c09f8902bb531780684a7b03c1413bd7235794171dcfd57c
Instruction Fuzzy Hash: 1481B074E11218CFDB64CFA5D958BDDBBB6BF89300F1490AAE409A7350DB345A84CF51

Function 09E04438 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc48ad5efd09e37c76f31b51414430c871c0cb1b346f36b0a93529557e04ed2e
Instruction ID: 77187af6409bb46d83716b6ad454d69e41d0e20e332105e585339e2308c1f55d
Opcode Fuzzy Hash: fc48ad5efd09e37c76f31b51414430c871c0cb1b346f36b0a93529557e04ed2e
Instruction Fuzzy Hash: 73519175D0420A9BCB14CFA6D5516EEFBB5FBC8340F10E42AD611A62A0F7748A85CF91

Function 09E04448 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec894d8f1b536f3cd5d51a4322fce0abf27fa688736f2df09a77581d5ef2c3b4
Instruction ID: 0c654ae64122b85a33bb78d5501af310d382f29aeb3875cd04390ee884db5f91
Opcode Fuzzy Hash: ec894d8f1b536f3cd5d51a4322fce0abf27fa688736f2df09a77581d5ef2c3b4
Instruction Fuzzy Hash: 3B417EB4D1420A9BCB14CFA6D5515EEFBB5FF89340F00E82AD611B72A0E7744A81CF94

Function 0BA17CFF Relevance: 1.6, APIs: 1, Instructions: 75
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 0BA17DA8

Memory Dump Source

Source File: 00000000.00000002.2229938982.000000000BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba10000_Orden de compra.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 77f6fe61d043c8945cf423f2e177f08e2b2ad0e40267583ce6954b67b7031ad4
Instruction ID: 0fa314dc9498738d1b8c2ecb62181b3eb1dc518dedf8990d75390f959610b1b7
Opcode Fuzzy Hash: 77f6fe61d043c8945cf423f2e177f08e2b2ad0e40267583ce6954b67b7031ad4
Instruction Fuzzy Hash: 7821A0B1C097898FCB02CB64C4103E9BFB0AF47210F1A41DBC494EB292D3385D05CBA2

Function 09E0C1C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09E0C250

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ef894313a81218cec08c1d5e536945ad4cf6d60075be3cfc128f02f9f784639c
Instruction ID: fc03a3eeb97b5b659d384799cd747eecf8cca21a9764d0f7a7c3442d078d5ad3
Opcode Fuzzy Hash: ef894313a81218cec08c1d5e536945ad4cf6d60075be3cfc128f02f9f784639c
Instruction Fuzzy Hash: 05212771D003499FDB10CFAAC885BDEBBF5FF88310F10852AE959A7240D7789955CBA4

Function 09E0B778 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 09E0B7F6

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e3b713e63dfcc627ae476317dbb407dffcb0541a6cec5339f9584d6522512e7f
Instruction ID: 9949834726ecbe23c331be27d59f9d7bc81490c60693e4b51eed111373579085
Opcode Fuzzy Hash: e3b713e63dfcc627ae476317dbb407dffcb0541a6cec5339f9584d6522512e7f
Instruction Fuzzy Hash: 08210471D003098FDB10DFAAC4857EEBBF4FF88264F14842AD459A7240DB78A985CFA5

Function 09E0C940 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09E0C9BE

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: db746f178b9262d415d3410a8e8c9f4dbdbe9167f4cdffadc1fb84f24c84fffc
Instruction ID: 1be216594a4c390b13802477c4e01238b6cfd405bfa06d35b5b80601b4061aff
Opcode Fuzzy Hash: db746f178b9262d415d3410a8e8c9f4dbdbe9167f4cdffadc1fb84f24c84fffc
Instruction Fuzzy Hash: 92212971D003098FDB10DFAAC4857EEBBF4EF89314F54842AD459A7240DB78A985CFA5

Function 09E0C6B8 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 09E0C72F

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 45f07eed95937e2c7e10f6a3d519854b602a27561e3cb5bad775ad4b8fb3dee6
Instruction ID: 34dcb4109710898b8a6ef21d330a276f401ae5d878281ea040f8aec8ef6749bc
Opcode Fuzzy Hash: 45f07eed95937e2c7e10f6a3d519854b602a27561e3cb5bad775ad4b8fb3dee6
Instruction Fuzzy Hash: C1213771C003098FDB10CFAAC444BEEBBF5EF48320F148429D459A7240DB799945CFA0

Function 09E02BD0 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 09E02C4B

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 29769ece4a59bf5d468ce238e5fc2f96ff68e02a6a4880f3bd0be5afd3c4785c
Instruction ID: 805d0477d0d79559cf41fac8df7c40ff957c5f22b7b2af44d50bb355a2256ff7
Opcode Fuzzy Hash: 29769ece4a59bf5d468ce238e5fc2f96ff68e02a6a4880f3bd0be5afd3c4785c
Instruction Fuzzy Hash: CA212471D002099FDB10CF9AC485BDEBBF4FB48310F108429E968A7250D378A945CFA1

Function 0BA17D33 Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 0BA17DA8

Memory Dump Source

Source File: 00000000.00000002.2229938982.000000000BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba10000_Orden de compra.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8954818bc064c811f8ca6bbc0a8b7ae3d0747a87deead552546702850346f2d8
Instruction ID: 36bfa935bd8c9e91f741860b818d38498d6d05c627c12583dc289a147dd69753
Opcode Fuzzy Hash: 8954818bc064c811f8ca6bbc0a8b7ae3d0747a87deead552546702850346f2d8
Instruction Fuzzy Hash: 132136B1C0065A9BDB10CF9AD5457EEFBB4FF48320F14852AD818A7240D738A945CFA5

Function 0BA17D38 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 0BA17DA8

Memory Dump Source

Source File: 00000000.00000002.2229938982.000000000BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba10000_Orden de compra.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 81691d2d4b882705bbe55059e2262ab17e8d4480d22e46182a5e28d65a340ecf
Instruction ID: 1e16bcde08f9aeb20ea98ee4d11d3c3257648ae35728a75662e5d1b01453c25d
Opcode Fuzzy Hash: 81691d2d4b882705bbe55059e2262ab17e8d4480d22e46182a5e28d65a340ecf
Instruction Fuzzy Hash: 021147B1C006599BDB10CF9AD5447EEFBF4FF48320F14852AD818A7240D738A945CFA5

Function 09E02BD8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 09E02C4B

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0b63edf27f535c968ad0e310ef7e638b4a46775a574f5513d3145625db63ae31
Instruction ID: f9cad5fc067225cdf57d0cc34a3c878c89e1939acff138159f88e02036620090
Opcode Fuzzy Hash: 0b63edf27f535c968ad0e310ef7e638b4a46775a574f5513d3145625db63ae31
Instruction Fuzzy Hash: 1621D3B5D002499FDB10DF9AC485BDEFBF4FB48320F10842AE968A7250D378A945CFA5

Function 09E0BE48 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09E0BEB6

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3ce970c40302036feb298103c5f73b3694b4ac23382ca179b8e5b04a0176d9f0
Instruction ID: 6b88e25e65debc0f5b7059e3e94ae6205ac2293cbdad2a5247c5e803ab4da63e
Opcode Fuzzy Hash: 3ce970c40302036feb298103c5f73b3694b4ac23382ca179b8e5b04a0176d9f0
Instruction Fuzzy Hash: 9C1117719002499FDB20DFAAC845BDEBBF5EF88310F148419E519A7250CB79A955CBA0

Function 09E0CBC8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09E0CC2A

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 49b49a4b0f5d918e743640cc040976e2324d19a2556485da64e2506155e40c0c
Instruction ID: 0b0118a82abf3b6c11024b3ea35c5e72319f137930a08af67a2faf5694dfe4f5
Opcode Fuzzy Hash: 49b49a4b0f5d918e743640cc040976e2324d19a2556485da64e2506155e40c0c
Instruction Fuzzy Hash: B9113671D003488FDB20DFAAC4457EEFBF5EF88224F24881AD559A7240CB79A945CFA4

Function 09E02B30 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09E0D1E5

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1700fcb3e9049b10d205254cf280af20b378cd40b3c4c52789fe7b45d937e875
Instruction ID: 3b225d70887def692165afeb371b6e9ed432b1c3f49319abf4714a202d942e81
Opcode Fuzzy Hash: 1700fcb3e9049b10d205254cf280af20b378cd40b3c4c52789fe7b45d937e875
Instruction Fuzzy Hash: 531106B58003499FDB10CF9AC885BDEBBF8FB58310F108419E559A7240D379A984CFA1

Function 018E8EC8 Relevance: .8, Instructions: 765COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309561697693f2886a1d08f958a5e22c744ccd48b12b5547f0ac7cdc72e898db
Instruction ID: 64b24b7f54f20201002ab678f49b39fb5cf468671a140ffaa6da230e528b6de8
Opcode Fuzzy Hash: 309561697693f2886a1d08f958a5e22c744ccd48b12b5547f0ac7cdc72e898db
Instruction Fuzzy Hash: DC621070E1021D8FEB24DBA5C854B9EBBB6FF99300F1080A9C14AAB391DB795D81DF51

Function 0BE18820 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9500c0d2cba58aff127e2dac55549f89ee5d636044ac6dcf96c2e9ad15a7c31c
Instruction ID: 04def678dad42cb6f8c17ce56949ef4721bb3598169e74ee3791753710eaa471
Opcode Fuzzy Hash: 9500c0d2cba58aff127e2dac55549f89ee5d636044ac6dcf96c2e9ad15a7c31c
Instruction Fuzzy Hash: FDE18C70A10208CFC704FFB9DA9966DBBF6FB89300F9049A8D485A7390DB799D09C759

Function 0BE19A70 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054e1422e6320bec26099652bb150335d446db49f02cd3bb5221a792741f4f93
Instruction ID: ad971d48c676bb4a36a1d0afc59e52baea1f4cc4da12fb9dfa50e4ea755a65d2
Opcode Fuzzy Hash: 054e1422e6320bec26099652bb150335d446db49f02cd3bb5221a792741f4f93
Instruction Fuzzy Hash: 38F12630A082458FC705BBB9D9A926DBFF6BF86300F9544A9D0C5D7391DE389C49C396

Function 0BE19012 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3de44e0099bdaf9eec6c626a507ed36481f89402e926e4b1829b44c9e5cc22
Instruction ID: 35db83f78d37304a893354083b20ae09228e7c06e9f0d8be67c39609d52fdb42
Opcode Fuzzy Hash: 7c3de44e0099bdaf9eec6c626a507ed36481f89402e926e4b1829b44c9e5cc22
Instruction Fuzzy Hash: 35027A34E142188FCB18AFB9D86929CBBF2FB8C311F504969D48AE3355DB349D86CB51

Function 0BE1E4E0 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c149b86e349c44a2506b5e574f91bc130c83ae3f2eb8d7bb53b6ac2de9b71a5
Instruction ID: 9bb3707dc00e858031562e42e96e43d9ef4b7d3806e26cf6668fc56ce73003b4
Opcode Fuzzy Hash: 6c149b86e349c44a2506b5e574f91bc130c83ae3f2eb8d7bb53b6ac2de9b71a5
Instruction Fuzzy Hash: 60E171707142048FC704BB7DD6A962EBBE6BF88310F91C968E48997390DE389C49C756

Function 0BE1881B Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5448ae67f312126d902035c68dc3d583bb71c07617f8d5b2e09a5a5c36859278
Instruction ID: 8a996e2e21dee21272b690897447db515754bee9693d264014fb98bc62020d9a
Opcode Fuzzy Hash: 5448ae67f312126d902035c68dc3d583bb71c07617f8d5b2e09a5a5c36859278
Instruction Fuzzy Hash: 8EE18C70A10218CFC704FFB9DA9966DBBF6FB88300F9049A8D485A7390DB799D48C759

Function 0BE18184 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84936519e509549771a730ca880e1d99c4b99c4ebc4de8fa69d100ac17b80a22
Instruction ID: e967d6760d8292bda23fd7f7139eb0ad453a1e2ed133e88ce5915bae4a95bdd2
Opcode Fuzzy Hash: 84936519e509549771a730ca880e1d99c4b99c4ebc4de8fa69d100ac17b80a22
Instruction Fuzzy Hash: 27E1BF70B002058FC705FBB9D69962E7BE6FB88304F954968D489E7390DB38AD09C7A5

Function 0BE173B8 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e974640806da9e22002f9b9eb7797a6749cf24b4a52f8103bf399b8cd52a4a6
Instruction ID: 8ab8c4ebc2fbae58f4be62d4a9d61b9d3c63ad6b1b6dc6f53ef27e37078f642b
Opcode Fuzzy Hash: 0e974640806da9e22002f9b9eb7797a6749cf24b4a52f8103bf399b8cd52a4a6
Instruction Fuzzy Hash: D2D1AD70B10215CFC704BFB9E99A62DBBE6FB88710F958868D485E7380DE389C49C795

Function 0BE181BB Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7b1a796ea970aa9308ec0c1042fc44ac461e9a1d951df29a7110d4d6ce0356
Instruction ID: a731f77899582a77365e6151e4338b8e790206543f1274c23132a02a6915716b
Opcode Fuzzy Hash: 4f7b1a796ea970aa9308ec0c1042fc44ac461e9a1d951df29a7110d4d6ce0356
Instruction Fuzzy Hash: D5C19D70B102058FC705FBB9D69962E7BE6FB88314F904968D489E7390DF38AD09C7A5

Function 018EA8E9 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1797d9a823a243d1c1ca7818fecb20e4becf9688b5f9618fb7c789db121c778
Instruction ID: 66558828cb5e6e711b9aa5fc740f6bf9209fd987d8f212a49bd93c048993386a
Opcode Fuzzy Hash: b1797d9a823a243d1c1ca7818fecb20e4becf9688b5f9618fb7c789db121c778
Instruction Fuzzy Hash: AEF1B274E01229CFDB69DF64C894B9EBBB2BB89300F1081E9D549A7390DB749E81CF51

Function 018E816F Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468287d2981a658cfea16cebdb5cc17801df849fe441c9e5dfee5b9b0353e2a1
Instruction ID: 085cb62dd8b299cd64a21a7a45a51615e017223201a631b63fa696edcc1a3017
Opcode Fuzzy Hash: 468287d2981a658cfea16cebdb5cc17801df849fe441c9e5dfee5b9b0353e2a1
Instruction Fuzzy Hash: AAD1F971A006148FCB15CFA8C588A9DBBF6BF8A310F198459E519EB365CB34ED41CB64

Function 018E5C29 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0118101ef7c42edc337a58782f49f95480133724a607e9651dcd2aa9e0f9175d
Instruction ID: 0b37b5c5eef6785e7f9eb55527d97239c199a02de687190b1cd748a9883758d1
Opcode Fuzzy Hash: 0118101ef7c42edc337a58782f49f95480133724a607e9651dcd2aa9e0f9175d
Instruction Fuzzy Hash: BFA1BF347102199FDB09EF68C858B7E7BE6FB89344F148428E506DB294DB709E81CBA5

Function 0BE173B3 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e2bc45547a09fbc24e8f21c34df991fdb2e5f88d0f0668bdb053fa43810da2
Instruction ID: 0f0e4b33d2972ea0a68b107e31abbec7f2993f5df6f424ff9e21d2e6be445d70
Opcode Fuzzy Hash: b4e2bc45547a09fbc24e8f21c34df991fdb2e5f88d0f0668bdb053fa43810da2
Instruction Fuzzy Hash: A191AC70B00215CFC715BFB9E99962E7BE6FB88340F948868E445D7380DB799C45CB94

Function 018E6318 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50594e6250d24026f260c80195d656058b6b8f437d6ea6a3757cf001507b21e
Instruction ID: 372fd9d30b671732d6ae7d5f9052c15169d0fb744c064c29c629fac22e2aaee2
Opcode Fuzzy Hash: b50594e6250d24026f260c80195d656058b6b8f437d6ea6a3757cf001507b21e
Instruction Fuzzy Hash: A5818E30B00105CFDB14DF69C488AA9BBF6BF9A314F258169E506E7365E731EE41CB51

Function 0BE1AA00 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446a9045ee2a4cd99f535ec44081da87167b37df30475e53c9f0453455d7760f
Instruction ID: b73c55fe1fdd6efe6a8ade1d41465654c20528dd11b3cb2c113978b95bf7a038
Opcode Fuzzy Hash: 446a9045ee2a4cd99f535ec44081da87167b37df30475e53c9f0453455d7760f
Instruction Fuzzy Hash: 0F719C30B01106CFCB04EBB9DA99A7EBBEABB88300F649939D459D7350DA389D44C795

Function 018E5F20 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79471bd11bac5624ee24fd9f46e58ffa337e1a87f91da3d0a563e06950871508
Instruction ID: 37f24a49f2a80e0c7faac1be95280179d240b665dd48b8260bbad0f542c517f5
Opcode Fuzzy Hash: 79471bd11bac5624ee24fd9f46e58ffa337e1a87f91da3d0a563e06950871508
Instruction Fuzzy Hash: 3161DF343042158FD71A9B39C89873E7AE2AF9A354F24456DE412CB392EF74CE818791

Function 0BE1A75D Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc90d00767ecd1c615f6c4f679c6221d402a0d83382bc6b0a4677d0f123f786
Instruction ID: 7e3ba0616196c167aa676b0f584faab4d580c3eb4d58da0650a0d7f642a8b294
Opcode Fuzzy Hash: 3cc90d00767ecd1c615f6c4f679c6221d402a0d83382bc6b0a4677d0f123f786
Instruction Fuzzy Hash: C851F070B012448FC705EFBDD99962EBFEABB89310F958569C488E3340DA38AD45C399

Function 018E8620 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17587689d188873aa36d1fe8beb0217027929bd649dc43bc13ae153b52b2b057
Instruction ID: 97683b7b14b0877d0627d4b850feb2b896efb8aec8784750b7ea04c17180bb75
Opcode Fuzzy Hash: 17587689d188873aa36d1fe8beb0217027929bd649dc43bc13ae153b52b2b057
Instruction Fuzzy Hash: 6B715C35A10219CFCB15CF68D988A6DBBF6FF46300F1A8499E815DB262D730EE41CB91

Function 018E8B78 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8b5eb792a1c0c40077586925244803fe69aee32b7304ba996d50698adca173
Instruction ID: 9b00ae55536168fdc6f487705761cdd0fe7b32d957e6a1f43fc3b05343641c35
Opcode Fuzzy Hash: 1e8b5eb792a1c0c40077586925244803fe69aee32b7304ba996d50698adca173
Instruction Fuzzy Hash: C851DF313101158FDB55DF3DC888A2E7BE9FF8B71030684AAE516CB261EB31ED118B50

Function 018E9D78 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c286d4ffdeeacedc1f6d33567455b6f374d6eadf921e05f6884c9fcf1f7b64c
Instruction ID: 1c572ea50add627e12f0c4839389a080da331de0156b5c199bc7b9b3645a69b8
Opcode Fuzzy Hash: 9c286d4ffdeeacedc1f6d33567455b6f374d6eadf921e05f6884c9fcf1f7b64c
Instruction Fuzzy Hash: 2F513231A403558FDB169BB88C007D9BBB2EF8AB00F258599D541BF2C1EB725A45C7E1

Function 0BE166FD Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce495ac9ce2787f32746b047c56a09d6a38aad80696b51fcead502cd6307aa3
Instruction ID: e51022d0ed9a8de455a703f8668e1d1ab7f9eec4ac3194e315f03ec88b497b90
Opcode Fuzzy Hash: 4ce495ac9ce2787f32746b047c56a09d6a38aad80696b51fcead502cd6307aa3
Instruction Fuzzy Hash: 9B41C130B111048FC705BBBDE99562EBBEABBC8310F958539D489E3344DE38AC45C399

Function 018EB519 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19a738c553d5055ff06d5c83019e642a95c045d673bc7ac1956568f483d0397
Instruction ID: efef98c8a1dd1bd7b01924d008a00cda4b4e3b7a5bb327b8d4feb6aba14bd071
Opcode Fuzzy Hash: a19a738c553d5055ff06d5c83019e642a95c045d673bc7ac1956568f483d0397
Instruction Fuzzy Hash: 5041F131E053498FCB09DBB988142AEBFF2EFCA311B1584AAD515EB351EA309D05CB91

Function 018EA1EF Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd635c2f259ca473e11f7b1bb7a83cb5bf59efe26534ab7922bc27e8fbafb8cb
Instruction ID: a5eaa14a2df0a7c7307496ed53ac92f8ccb4d3ecacb952a544d0f9d79f21e48a
Opcode Fuzzy Hash: fd635c2f259ca473e11f7b1bb7a83cb5bf59efe26534ab7922bc27e8fbafb8cb
Instruction Fuzzy Hash: 3A513531A44756CFDB129FB4C8003D9BBB1EF9BB10F244599D584BF282EB722A45C791

Function 018E8870 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46011e35f331a88876db895040cdec61845ae480efe7a8cf318275bf00f6a14
Instruction ID: fee67bc5c0c59b82a04b634c2da209ca6385e8b9ef1065cc19be9900182759cc
Opcode Fuzzy Hash: f46011e35f331a88876db895040cdec61845ae480efe7a8cf318275bf00f6a14
Instruction Fuzzy Hash: 11515B35A042658FCB12CF68D98896D7BF1FF57311B0A8495E845DF262D730EE81CB91

Function 018E7FC8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0705f22e4cc9639c0ab6a50c02c22dc967abe90795fb29bd417bd4d408ca2751
Instruction ID: 907aa25650627b60697bfe69ee1233e2439d9cf40d6894f1d2af48af021e1b1c
Opcode Fuzzy Hash: 0705f22e4cc9639c0ab6a50c02c22dc967abe90795fb29bd417bd4d408ca2751
Instruction Fuzzy Hash: FF41DE317002049FDB19AB69D898AAE7BF6BFCE310F144069E506DB391DF31DD428BA4

Function 018EF290 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e2cf174788be09ea213be41ed097fe1a8cefa6a4fd24180647112c2f076c63
Instruction ID: 0377cc847d01fd46c4e9afd2bfe3de08500e9503b51958b95d322361458ddfdc
Opcode Fuzzy Hash: e2e2cf174788be09ea213be41ed097fe1a8cefa6a4fd24180647112c2f076c63
Instruction Fuzzy Hash: 58D0EAB4024508CFC7083B64F90E058FF68EF4DB263802038F50A815299F24A9C1CA71

Function 018E8978 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539593f6f3bcc9eba697edd161629dd106b3788f6ee7d4e1e10056cff80bd155
Instruction ID: f2f8b4cf36418191b43d35d6c2eea8858f336eed00759464ae3809f0266b22c9
Opcode Fuzzy Hash: 539593f6f3bcc9eba697edd161629dd106b3788f6ee7d4e1e10056cff80bd155
Instruction Fuzzy Hash: 31414A716002198FCB169F68D848AAE7BF5FF8A311F1440A5E905CB3A1C734DE81CBA2

Function 018EEB48 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d33c85e02005c2caac1399b6e987a1f2aa2227ab4607b4444869afba3912727
Instruction ID: d43fb0470012ac82602f7e8df56d78d99066e0f07a2003398100336093e82dbd
Opcode Fuzzy Hash: 9d33c85e02005c2caac1399b6e987a1f2aa2227ab4607b4444869afba3912727
Instruction Fuzzy Hash: 7941D3313006069FCB099F29D858A7A7FE6EF8A350F058069F806DB391CB34DD51CBA1

Function 018EAF71 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1e2d6ad6863311cd764ac6332ed9e49bc90d432a175e4846168a587e73a257
Instruction ID: 208fa368d2fa68a0307ed791aec59b7b055ed543f1d96da5c13d468ffb26f90e
Opcode Fuzzy Hash: 2e1e2d6ad6863311cd764ac6332ed9e49bc90d432a175e4846168a587e73a257
Instruction Fuzzy Hash: 8041E6B1E002188FDB18CFAAC888AEDFBF2BF8A301F148129D415B7355D7745946CB54

Function 018E8DA7 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf916deb5471a52e35160a67fa877fe70522d6c89c8fb8a9e6f10dc22feeaa9
Instruction ID: 0cfb51399e34e6fdebd65a8e35fa3737b10b5015196f7436539d17044db225a9
Opcode Fuzzy Hash: 7cf916deb5471a52e35160a67fa877fe70522d6c89c8fb8a9e6f10dc22feeaa9
Instruction Fuzzy Hash: AA2127313142124FDB1A6739889833D3BD7AFCB755B184079D502CB396EE79CD829791

Function 018E4E68 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264c3cf3dec57d93d1e1be04b736a6ef6fb11b6aeb36d575625f72f0053a09ff
Instruction ID: 8e447ef71c272875653c66e83c34e513a0e483ca8a60b41c749872137f80c523
Opcode Fuzzy Hash: 264c3cf3dec57d93d1e1be04b736a6ef6fb11b6aeb36d575625f72f0053a09ff
Instruction Fuzzy Hash: A131503161414AEFCB0A9F68D84CA6E3BE6FB9D350F008028F905DB294CB75DD61CB51

Function 018E8CC0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d7de88896cf47d737d206401d58729b498f18e9af854aebb5f2b0717067feb
Instruction ID: 0e66e77f01342645421651308c32994165721cfc7fb652b3599d998b55c0b598
Opcode Fuzzy Hash: c3d7de88896cf47d737d206401d58729b498f18e9af854aebb5f2b0717067feb
Instruction Fuzzy Hash: AC21F3303041499FEB16DE69D84867F7FEAEFAB340F158426E911C7240DB76DE408B60

Function 018EEF98 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b2fffd8c13a04d229480b503199bb7ff11ab15e350766b126bfeb0d12337d2
Instruction ID: e830795c0e418588b40c7a7776522a64aa2cf39d4993bb60b4a26cdba8472553
Opcode Fuzzy Hash: c5b2fffd8c13a04d229480b503199bb7ff11ab15e350766b126bfeb0d12337d2
Instruction Fuzzy Hash: B831293160014AEFCF169F68D8589AE7FE6EB99350F044029FA15DB290CB35CE61DB91

Function 018E6170 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7798a70897148980453f4a9032a87049e510638b5b9e7a6d6e85e9a4608844
Instruction ID: 0e940fc69691f2ac351ae1b31e4aab3fec106b86e77037095ad58a000b9a6c4a
Opcode Fuzzy Hash: 4f7798a70897148980453f4a9032a87049e510638b5b9e7a6d6e85e9a4608844
Instruction Fuzzy Hash: 0D210335704A119FC31A9A69D89852E7BE2FFDE361B184469E906DB391DF30DD018B90

Function 0BE1A663 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df67910952d320423377082c01adebae7b298768681c7ab244be44dfbb1c69d
Instruction ID: 6425ebda7e7d6105982e5f508af8989af8173e46f6acad54bfef5971886659cf
Opcode Fuzzy Hash: 5df67910952d320423377082c01adebae7b298768681c7ab244be44dfbb1c69d
Instruction Fuzzy Hash: D72184717101149FD704BBBDD99972EBBEAFB88310F844969D498D3340DE389C0987A9

Function 0BE1A670 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7273f7904ac730b59ab841d0747305a8b014d028bd80d8b0d3eb1340054510a6
Instruction ID: d45bba41798c92d9a78a0d05dc5124744a996aa24209cbbcc44dad86634f26a2
Opcode Fuzzy Hash: 7273f7904ac730b59ab841d0747305a8b014d028bd80d8b0d3eb1340054510a6
Instruction Fuzzy Hash: C31193717101149FC704BBBDDA9962EBBEAFB88310F804929D488D3340DE38AC0587A9

Function 0160D0F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206503134.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160d000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b75af580e030ce10ea82722623205097579a036100fbdb15619a9fcc9a41ffc
Instruction ID: 13514c64b27f9016c8c7172b0acad91725735bd867623dd1d01c797a3f25fd28
Opcode Fuzzy Hash: 3b75af580e030ce10ea82722623205097579a036100fbdb15619a9fcc9a41ffc
Instruction Fuzzy Hash: 8A21F275604304EFDB0ADF94DDC0B26BB65EB88315F20C6ADE8094B396C77AD846CA61

Function 0160D2A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206503134.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160d000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308d9409f1d8cbfe7de0fb0b2c9e3064ef419d0a47b737a1d4fbf95f829e54e6
Instruction ID: 6b15fdf783059d3d6b3137c2316ca68ab62c65c4b66119e83460f83db8ad3af5
Opcode Fuzzy Hash: 308d9409f1d8cbfe7de0fb0b2c9e3064ef419d0a47b737a1d4fbf95f829e54e6
Instruction Fuzzy Hash: 082122B1604300DFDB0EDF94D9C0B26BB65EB89314F24C6ADD9094B396C37AD846CA61

Function 018EA2F0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766355451abcb61085b87167c2c5c2f65f9ce2ee2116e7b22b087adddd764864
Instruction ID: 7f745ca0e9081d68ee4ad8c5db2cfa662d7e9a21296885e856ea69b203207c43
Opcode Fuzzy Hash: 766355451abcb61085b87167c2c5c2f65f9ce2ee2116e7b22b087adddd764864
Instruction Fuzzy Hash: 48219F31E5031ADAEB11EBA8CC01BD9B775FF99700F618211E6047B1C0E7B47A95CB90

Function 018E4E58 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15c20ac57d20955b10d332469e049b927ff56d3086cff90f42b7400dfa084ed
Instruction ID: 10e0f9267c36be1777031f6adc5170d61544d355e91e94dcf9c7f994ecc8ec15
Opcode Fuzzy Hash: c15c20ac57d20955b10d332469e049b927ff56d3086cff90f42b7400dfa084ed
Instruction Fuzzy Hash: 2621A43260824ADFCB069F78D45C66A3FE1FB9A321F008069E549CB391CB748D51CB60

Function 018E7FB9 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb65b58ab373517b272e4fe06490e65c33b892b295510d6c4676c038781d272e
Instruction ID: ec2d4b2245cd4be90805d081e33da585a7fdf5c376ca1c80fa18f09568a76f3d
Opcode Fuzzy Hash: cb65b58ab373517b272e4fe06490e65c33b892b295510d6c4676c038781d272e
Instruction Fuzzy Hash: 4F215E35A101049FCB149F68D899A9DBBB6FF8D310F148169E915E7354DB32AD50CBA0

Function 0160D2A3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206503134.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160d000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction ID: fada26772e367c05dca17aa5a80ede0ec675556c967a2aebbea133a687a0ce57
Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction Fuzzy Hash: B111BE75504240DFCB0ACF94D9C4B16BF61FB85314F28C6A9D8494B3A6C33AD40ACB61

Function 0160D0EB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206503134.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160d000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction ID: b80e718acf50804dd1e2d785f3ea120b312c03d03053209ff6fbc6d30445ec28
Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction Fuzzy Hash: 52118B75504280DFDB1ACF94D9C4B16FFA2FB84314F24C6AAD8494B796C33AD44ACB61

Function 015ED7B1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206437119.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ed000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331dfdc271d01d50c48724691ea1b415559733476f7259a7a979f1852700fec6
Instruction ID: c71ba73c0707f93537071e37edf04061d757162db900c9d5410a55ea6ebb873d
Opcode Fuzzy Hash: 331dfdc271d01d50c48724691ea1b415559733476f7259a7a979f1852700fec6
Instruction Fuzzy Hash: D101A7718083449BF7258F55CC88B67BBF8FF41264F18C41AED094E183D7799845CAB5

Function 018EB8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2615fbb7743984aafa830f4f9651b342ee16a663bce74ef94a02cd8b138b1fa8
Instruction ID: 0ddd20e23b1d6768f6aff765f62d907f0681d3f8303b3fc58e99e59c3b70d2d3
Opcode Fuzzy Hash: 2615fbb7743984aafa830f4f9651b342ee16a663bce74ef94a02cd8b138b1fa8
Instruction Fuzzy Hash: C8F0BB32B042045BD715DA9AB445F5BB7EAEBC1270F24846FE19CD7341DE306800CB50

Function 015ED7B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206437119.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ed000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3059852f75e9a12036c5761a3480864b14c81609983ba927b706a9cf07faf6
Instruction ID: 7d6ec20718f30fa51961d1a08677de2a835142d3648d7fed16fd93f638e30c92
Opcode Fuzzy Hash: 3b3059852f75e9a12036c5761a3480864b14c81609983ba927b706a9cf07faf6
Instruction Fuzzy Hash: AAF0C2718083449EE7248E09D8C8BA6FFE8EB41224F18C45AED0C0F283C2799844CAB1

Function 0BE1E418 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18797a4c84b64ec55c5af2afbceb74042593522271e3585c8140d770e2654a4a
Instruction ID: 1f080515dee2a2ba79394f101b7740a5a452622693856d4aa610626d77e6856a
Opcode Fuzzy Hash: 18797a4c84b64ec55c5af2afbceb74042593522271e3585c8140d770e2654a4a
Instruction Fuzzy Hash: 0FF0DAB0D0420A9FDB54DFA9C842ABEBFF4AB48200F1089AAE918E7201D77095408BE1

Function 0BE1E413 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b005570023427951d587cc00a853399bacdcf1e9e581e5958fd7891d92f91206
Instruction ID: bedb3c80f7fe0556e5e82979f3280a3404fdb01ec560561395bddce9cdcdfbc9
Opcode Fuzzy Hash: b005570023427951d587cc00a853399bacdcf1e9e581e5958fd7891d92f91206
Instruction Fuzzy Hash: 28F0DAB0D0020A9FDB54DFA9C846AAEBFF4AB48200F10886AA914F7201D7709540CBE1

Function 018E65B7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caee209ec29ebc39069afc6290eb43234aa9659a446f8e3abd09bae39776aa74
Instruction ID: 1a87be455e0036d44d3871afe3fe3ffa21c2e5729e439c388c61cd8f70b925ba
Opcode Fuzzy Hash: caee209ec29ebc39069afc6290eb43234aa9659a446f8e3abd09bae39776aa74
Instruction Fuzzy Hash: B4E086300143058FC346EF61EC81A9437BAAEC5640B44A654D0444A911DFA899554F51

Function 0BE16DDB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8151d40c5f0f355a4c182dfff8c7249f1e4ba5efe30f4e4e60473b0e9dbcf0d5
Instruction ID: 23e294bfd162797066018e0320633a3e9446fc34550dcb36f3b4d1a91e7977d5
Opcode Fuzzy Hash: 8151d40c5f0f355a4c182dfff8c7249f1e4ba5efe30f4e4e60473b0e9dbcf0d5
Instruction Fuzzy Hash: C4E09A7100A291AFC312AB32EC180943F31A922A8834D5086E042C6153C62D8802CB21

Function 0BE1E3BB Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119c5755a58f974f0a7e2366bd2de80793335c74bdaf9acdd0cb3cb50b8d94c8
Instruction ID: b057c7ea4250fb7808ec388a8d44ba4ebde3ba43a66a00b3c0968e83161defbc
Opcode Fuzzy Hash: 119c5755a58f974f0a7e2366bd2de80793335c74bdaf9acdd0cb3cb50b8d94c8
Instruction Fuzzy Hash: 19E09AB1D44219DFD740EF69C945B9EBBF0BB08600F21C965D415E7211E77496058F92

Function 0BE1E3C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3073d093df2375eac4b8d7765f330de0b5c95a0cd0bae7d44e9ad20e2bc588ee
Instruction ID: 703e5b07c0511438450cfc2c1bd73ac15aff6786c76f051f79d952197c542d23
Opcode Fuzzy Hash: 3073d093df2375eac4b8d7765f330de0b5c95a0cd0bae7d44e9ad20e2bc588ee
Instruction Fuzzy Hash: D7E0B6B0D44219DFD740EFB9C905A9EBBF0BF08600F21C9A9D419E7211EBB496058F92

Function 0BE16E1B Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f1734c582936d570f3da4ea0639b4f58222e583af6dabc07f89b8902512b0
Instruction ID: 27cf4b65cf3dd257c1c2877bae3cb290fe9247ece59939b5217de689d76dce64
Opcode Fuzzy Hash: 0f0f1734c582936d570f3da4ea0639b4f58222e583af6dabc07f89b8902512b0
Instruction Fuzzy Hash: 32E0B634101205EFDB25BF72FC0E5283769FA28A4E754A428E506C2254DB7AD851CA50

Function 018E4519 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aede44bc5b7bb226a387f28e923ef24941ae2dd244411370720482cc8e7e892
Instruction ID: b3605abc109d2211a0f6554ba9651fbff3dbb75381ad717519150290cc277841
Opcode Fuzzy Hash: 1aede44bc5b7bb226a387f28e923ef24941ae2dd244411370720482cc8e7e892
Instruction Fuzzy Hash: 25D05E714492429FE326CBA8ECA9B64BF70BF47305B085695910593166C724A1A4CBA5

Function 018E8075 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa730f09a0c0a2f81cf7b463d2b1e7caa4d8d811e6b3399dbaac9fe7e8a9986d
Instruction ID: f659a2d5e9b425b569ab73180821bf26ed518f524344574b1a7dd24cf861dfb3
Opcode Fuzzy Hash: fa730f09a0c0a2f81cf7b463d2b1e7caa4d8d811e6b3399dbaac9fe7e8a9986d
Instruction Fuzzy Hash: 91D0677AB000089FDB059F98E8409DDF776FB9C221B448126EA15A3265C631A961DB64

Function 0BE1E4B8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ab290d86f75da7489e073d9f2fbcaff291a10c0668265445e47a24b19c8c2f
Instruction ID: 386aaed4109fa1a03e7cfbc760b6d643014f3a9a98558abd73cfb1aa705ba9a4
Opcode Fuzzy Hash: e8ab290d86f75da7489e073d9f2fbcaff291a10c0668265445e47a24b19c8c2f
Instruction Fuzzy Hash: 74D012362441089E9B40EB95E841D62BBECBB246003408422F908C7420E721E474E761

Function 018E65C8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142960d38e4884aa17a049cebd138aed68411f771c541ab8634b958ee58108d8
Instruction ID: 85d0c658323a8316c759f8d48ca642685923e1b08c19ebc62a01541d8ba08b23
Opcode Fuzzy Hash: 142960d38e4884aa17a049cebd138aed68411f771c541ab8634b958ee58108d8
Instruction Fuzzy Hash: 97C0123042030AC7D54EFB71E945A69377FBAC8640B40E614D0090A545EFFD9C844AD5

Function 018E4528 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392efc31a36166502fa60a490879cd977f50ba57f515b94a38c75b431cf3405e
Instruction ID: e7351054c6642e2420f9ffdffddb42614d4561aadcb506f0d03570181c1b1d02
Opcode Fuzzy Hash: 392efc31a36166502fa60a490879cd977f50ba57f515b94a38c75b431cf3405e
Instruction Fuzzy Hash: 50C09B710557058BD2252A58781C735B6EC6707305F842920670C524559B649464C699

Function 018E4A00 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206693513.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f505697f549d8e4ab1fd08950796103dc789af0e597c572479fd6708c6fd4d3
Instruction ID: cf613d1bce4ae1378e65d26fc02c0a42fb6237e89594c9d3c6a4e8b7281ed8b1
Opcode Fuzzy Hash: 0f505697f549d8e4ab1fd08950796103dc789af0e597c572479fd6708c6fd4d3
Instruction Fuzzy Hash: ACB09235E56108EBCB08AE90F5484FCB738EBCB226F103061E11EE34209B209E258A28

Function 0BE18E2A Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846f771f603d2af9ac115ad3027576e2e661b02a1d3e57c7d8f50dad7a7bb22c
Instruction ID: 29acb54a10177bf3805cfb1b7f7eed1b5b335d54bfc0a314cb60db809c434307
Opcode Fuzzy Hash: 846f771f603d2af9ac115ad3027576e2e661b02a1d3e57c7d8f50dad7a7bb22c
Instruction Fuzzy Hash: 11B01237B040089809004088B8010D8F31CE1861377104163D32E51001122122300161

Function 0BE1A64B Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b98ad1907ae15a43b05939ca07dc86d4114f1a10e0c1171f4a5db4e79a667d7
Instruction ID: cc15db7c98829f2459ab2f4184940e28ceca35b96742e060ca53f301f86b0741
Opcode Fuzzy Hash: 7b98ad1907ae15a43b05939ca07dc86d4114f1a10e0c1171f4a5db4e79a667d7
Instruction Fuzzy Hash: D2A00132520185AB8E08EF10EA5AA293B26E69E34270894589202D6256DB649DA7CB20

Non-executed Functions

Function 09E0AB28 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

4|q, xrefs: 09E0B5DD

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID: 4|q
API String ID: 0-612143306
Opcode ID: 87c903e941579e11f1c57a581e32cfe1ce72be51504a48d5fef4cb433acca5c1
Instruction ID: cdb547d723bf48514e49cde0989fd4da7b62aeabac11f4ba86fbadfbfddc158f
Opcode Fuzzy Hash: 87c903e941579e11f1c57a581e32cfe1ce72be51504a48d5fef4cb433acca5c1
Instruction Fuzzy Hash: 9A51C5B0E002588FEB68DFAAD8547DDBBB2BFC9300F14D1AAD509B7254EB3059858F50

Function 0BE1D81B Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230066633.000000000BE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7951d6795a94cb9cb4838eef5b44d75af695f949c36ade85369c578de2f532ac
Instruction ID: 3ccf7905388ea73c4bcd2b4f166ec49e9fc762eacc3bfc21a5d069fde137dad7
Opcode Fuzzy Hash: 7951d6795a94cb9cb4838eef5b44d75af695f949c36ade85369c578de2f532ac
Instruction Fuzzy Hash: 4F52CC30A002488FCB05EBB9D95865DBFF2FF89300F5589AAE489E7361DB389D45CB51

Function 0BA1EF58 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2229938982.000000000BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1981afd6fc4b19e8c7abf5609c7cbb8e6d61b8e3b38a220869eb5b00cf9bc0
Instruction ID: 75b3ba44bbb78d584c045d085f315354a368f337210b6f323d6a3e10aff98e73
Opcode Fuzzy Hash: 7c1981afd6fc4b19e8c7abf5609c7cbb8e6d61b8e3b38a220869eb5b00cf9bc0
Instruction Fuzzy Hash: 8F129D70B142589FCB44EBBDD99925DBBE6FBC8300F918929D489E7380DE38AC05C759

Function 09E0E2F8 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60db4ef4187f20cb53126fd3158f140ee9b5f9a09b605d1dd118c05595e0ff0d
Instruction ID: f563551c7eabc6b76e303eae2aa4c10696a1dd3222638c42c162a34f760a33d5
Opcode Fuzzy Hash: 60db4ef4187f20cb53126fd3158f140ee9b5f9a09b605d1dd118c05595e0ff0d
Instruction Fuzzy Hash: 92E188717016048BDB29EB75C86476AB7E6AFC8604F1488BDE15A8B3D1DF34EC82CB51

Function 09E0EA00 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78914f3fb53e7d28ec871b00810d0ec8a8042b648b048bef6ea2c61dcc2b8e9
Instruction ID: 707ca626e9a7d9e1cad36285872ce870589d1258e7a03092a416a2fa5d1f0d3f
Opcode Fuzzy Hash: e78914f3fb53e7d28ec871b00810d0ec8a8042b648b048bef6ea2c61dcc2b8e9
Instruction Fuzzy Hash: DCD1A734A00605CFDB18DF69C598AA9B7F1BF8D705F1594B9E406AB3A1DB31AD80CF60

Function 0BA1B3B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2229938982.000000000BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8ac3dbe40b4748b5f21508c44ae41cf95cf7d0f40014e526d17576c5c297be
Instruction ID: b5c8b426c5bb8899128186d8c9ef013b1ea74e0a5f5d0440030454ea94a7f69c
Opcode Fuzzy Hash: 7a8ac3dbe40b4748b5f21508c44ae41cf95cf7d0f40014e526d17576c5c297be
Instruction Fuzzy Hash: 8CD1D63582475A9ADB15EBA4D990AADB7B1FF99300F10C79AD04937210EB70AEC4CF91

Function 0BA1B3C0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2229938982.000000000BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5847e62f391084f91219ab06c2e018a5a71281f73cc507d35d7d9b07f85725
Instruction ID: 4dd28aed998b748746c58d5ab35916985e485360d4d2f59236a7b6d324c8ab2b
Opcode Fuzzy Hash: aa5847e62f391084f91219ab06c2e018a5a71281f73cc507d35d7d9b07f85725
Instruction Fuzzy Hash: A1D1D63582075A9ACB15EBA4D990AADB7B1FF99340F10C79AD04937210EF70AEC4CF81

Function 0BA176B8 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2229938982.000000000BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba10000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b27118d72f9f52c6346fda7257e6ae7ee27340c5f336b65164fd1c37e4891e7
Instruction ID: d0f7ac775514554610a40a44fc4835e9c4fec2b3a19b7917ddd20d7076af83b0
Opcode Fuzzy Hash: 5b27118d72f9f52c6346fda7257e6ae7ee27340c5f336b65164fd1c37e4891e7
Instruction Fuzzy Hash: 4281A474B002189BDF98DF75885467E7BB7BFC8700B09892EE466E7348DE349C858791

Function 09E00012 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95b0fdf6a7dd5b0df71df01e44311bc0c777a9a59dd5aa12e13197e510a1a72
Instruction ID: dbbaa50614bb63dee4a48c399173fee908a0a56c2aa427dab1a772374afe039b
Opcode Fuzzy Hash: b95b0fdf6a7dd5b0df71df01e44311bc0c777a9a59dd5aa12e13197e510a1a72
Instruction Fuzzy Hash: 26518071E056588FEB19CF6B8D4538AFBF3AFC9300F14C1BA854CAA255EB3409858F51

Function 09E00040 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4fc688f1a03968af384945f3497f7e839462ce0f5375e9fa4fe7088d8293c6
Instruction ID: 7d978160ef81dafd20d47b4a7f310930220933be899b57d5d41b49a3b0bf75e0
Opcode Fuzzy Hash: df4fc688f1a03968af384945f3497f7e839462ce0f5375e9fa4fe7088d8293c6
Instruction Fuzzy Hash: FA416B71E116188BEB68CF6B8D4539EFBF3BFC9300F14C1BA850CA6254EB340A858E51

Function 09E07F59 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41713225389b2e254c6c3cf94cf86d2332d17d46469a2d94462f9d9ef0056b2
Instruction ID: 79685942e9a33fc1772d68e44067381b100b3a58363b86668ff811bdc213b2dc
Opcode Fuzzy Hash: b41713225389b2e254c6c3cf94cf86d2332d17d46469a2d94462f9d9ef0056b2
Instruction Fuzzy Hash: 3C411670E05219CFDB54CFA9D9506DEBBB2FB88340F14982AD106F7294D73599518F18

Function 09E03610 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96299393f87abd061712777db97c99021e7af2ac29f23e1d8f58743f3cd8591
Instruction ID: 803e4efbeec72aa4ddcd15584fbe94c582dcc2b12b7dd5715d82deb558d25db5
Opcode Fuzzy Hash: e96299393f87abd061712777db97c99021e7af2ac29f23e1d8f58743f3cd8591
Instruction Fuzzy Hash: 39212771E116198BDB08CFABD8406EEFBF7AFC9310F14C12AE518A7254DB304A418F91

Function 09E067F8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e51de166f99c751df949e36d949665ad43a51a7e8ffeaba8c847bfd13a8daa2
Instruction ID: 77af330426b53995a57452d5395d433823f41858669b939272987e35e3356dc4
Opcode Fuzzy Hash: 9e51de166f99c751df949e36d949665ad43a51a7e8ffeaba8c847bfd13a8daa2
Instruction Fuzzy Hash: E6113371E106189BDB08CFAAD8406EEFBF7ABC8200F14C13AD408A7254DB305A518FA1

Function 09E02F80 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0516cdd80a13b27ccf9be197b52c0abe80b7052eccdb9d7f4fe53baf7d13c71b
Instruction ID: 2cae10d1c2b93959ff0fc6f8c97e0ed60d90b1c36d4b914b30d6ee1e40552d48
Opcode Fuzzy Hash: 0516cdd80a13b27ccf9be197b52c0abe80b7052eccdb9d7f4fe53baf7d13c71b
Instruction Fuzzy Hash: 3F114771E112199BDB18CFABE8406EEFBF7BBC9310F14C03AE408B7254DA304A418B94

Function 09E08490 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ad0690a8d59a0df45f82a8f25d45e8bd56df79d6e741d856cb8a79db242d9e
Instruction ID: ea5ba8b53ca26949b0beefa0955ca95316d1bf87a53ca59cd2433b0324154c61
Opcode Fuzzy Hash: 38ad0690a8d59a0df45f82a8f25d45e8bd56df79d6e741d856cb8a79db242d9e
Instruction Fuzzy Hash: F0112971E116198BDB48CFABD9406DEFBF7BBC8210F14C03AD518A7254DB315A418F51

Function 09E03C78 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6846dd7fa23bbc30c2c176babd787e23b1aa2a1c6f33620afffeb5d1796ec1
Instruction ID: d29ccf33441b9bae0678e9ab30394e51f6c10cb393916fc51192b9a83a03be35
Opcode Fuzzy Hash: 1a6846dd7fa23bbc30c2c176babd787e23b1aa2a1c6f33620afffeb5d1796ec1
Instruction Fuzzy Hash: 48111A71E116189BDB58CFABE9406EEFBF7EBC8300F14C06AD508A7254EA3059518F51

Function 09E02F70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e98878cc6b670752c4e0fa8501ee19c2c2337d739321d657414756619e9224c
Instruction ID: 4db8fa2c2b0bd6405e30be45192eb907975545fd26bc86bf645b0365e67885cd
Opcode Fuzzy Hash: 9e98878cc6b670752c4e0fa8501ee19c2c2337d739321d657414756619e9224c
Instruction Fuzzy Hash: 371149B1E116189BDB58CFABD9456AEFAF7BBC9300F18C03AD408B7354DA304A428F55

Function 09E03C68 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c6473486893a625eb64244128705dccc4a0057cd48dca50cb826749a636891
Instruction ID: 347594f8208310072230101a632f8a8cf9d69dfd78669d0579337a98541f7d02
Opcode Fuzzy Hash: b5c6473486893a625eb64244128705dccc4a0057cd48dca50cb826749a636891
Instruction Fuzzy Hash: 271107B1E116189BEB58CFABD9456AEFAF7AFC9300F14C06AD408E7254EA304A418F51

Function 09E03600 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02acc29bc649f8c894f1a9639632d84ee21b679dd2819700106fc921fc478494
Instruction ID: 2d5c298257a1fea3fe419cdaf4f2c88accab85cfa0b01705c02b4fd4b9f7fa0b
Opcode Fuzzy Hash: 02acc29bc649f8c894f1a9639632d84ee21b679dd2819700106fc921fc478494
Instruction Fuzzy Hash: 17214AB1E116198BDB08CFAAD94069EFAF3AFC9300F14C16AD408A7294EB344A458F51

Function 09E067EB Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb678a0865ec4a9603f26d0e486a03fcf592ab0e79e4d72d201b0d07c865140
Instruction ID: d815622d87efec05c7a3b992886bd674187b3b555949c3d364e081dc4eeacac4
Opcode Fuzzy Hash: 8fb678a0865ec4a9603f26d0e486a03fcf592ab0e79e4d72d201b0d07c865140
Instruction Fuzzy Hash: FC113770E116189BDB58CFABC8417AEFAF7AFC8200F14C13AD408A6254DA305A528F95

Function 09E08483 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228028509.0000000009E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e00000_Orden de compra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085e2a14eb10b19fce2107b8b382c66aa225d04d63d30e0cf6005d330fa1a117
Instruction ID: b6f498fe12628e1e753b3787b6a84cb64616ed582362fdfdf0e245af25089ff7
Opcode Fuzzy Hash: 085e2a14eb10b19fce2107b8b382c66aa225d04d63d30e0cf6005d330fa1a117
Instruction Fuzzy Hash: 4B1104B1E116199BEB48CFABD94579EFAF7ABC8300F14C13A9418B7254EA305A428F51

Analysis Process: AddInProcess32.exePID: 1268, Parent PID: 4332COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	4.9%
Signature Coverage:	8.2%
Total number of Nodes:	122
Total number of Limit Nodes:	15

Executed Functions

Function 004171D3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417245

Memory Dump Source

Source File: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: e2791ed772329917c02c9115e9eff285c52f266abcf8129acc19dadf8995ea94
Instruction ID: 5fff17664ac7e0ccf0ac6c23b5c3c1ab514c474f8f74d841afef940a9700116a
Opcode Fuzzy Hash: e2791ed772329917c02c9115e9eff285c52f266abcf8129acc19dadf8995ea94
Instruction Fuzzy Hash: 7D0152B1E0010DABDF10DAE1DC42FDEB378AB54308F0081A6F90897240F674EB498755

Function 0042BFF3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C027

Memory Dump Source

Source File: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 84decdbb5fc4887b7cd28249dc8590973388249526ddf3fbf81820544b42a3d0
Instruction ID: cab447ca33b1f810ca2efa41fc22f3a3a6f731bf10a1b124397eb47630ec5c8c
Opcode Fuzzy Hash: 84decdbb5fc4887b7cd28249dc8590973388249526ddf3fbf81820544b42a3d0
Instruction Fuzzy Hash: E3E04F326402147BD520BA9ADC45FDBB75DDBC5714F00801AFA086B142C670B90187F5

Function 01082B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01082B6A

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4627e41a129eea82ebd7f48839dfadec157fd613dfabe9e0f87e47e8b126f655
Instruction ID: 299b492bca1a78f1aa89ecaede80a1e338993cf2a79bbbdba7863256518faf4a
Opcode Fuzzy Hash: 4627e41a129eea82ebd7f48839dfadec157fd613dfabe9e0f87e47e8b126f655
Instruction Fuzzy Hash: AD90026120240403560571588424616400A97E1201B55C022E18185A0DC52989917229

Function 01082DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01082DFA

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9178fd1a6dbfe9cabca383aebcf6ad82dd2c44d4efce09455d299a28285590dd
Instruction ID: 87df3c3ab795596314f7a556f9e4f620de3d2ca3b10aebbd214f41fa41730dfa
Opcode Fuzzy Hash: 9178fd1a6dbfe9cabca383aebcf6ad82dd2c44d4efce09455d299a28285590dd
Instruction Fuzzy Hash: F190023120140813E61171588514707000997D1241F95C413A0C28568DD65A8A52B225

Function 01082C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01082C7A

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b79a78d75802a04b7140241ceb5e3f15778b3cb23c0e952d6612cb0f2f799a0
Instruction ID: 99af9afd77a436209b1bd99547b222b3def909312503a74d096ad063cbd526d7
Opcode Fuzzy Hash: 8b79a78d75802a04b7140241ceb5e3f15778b3cb23c0e952d6612cb0f2f799a0
Instruction Fuzzy Hash: 1590023120148C02E6107158C41474A000597D1301F59C412A4C28668DC69989917225

Function 010835C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010835CA

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 850f3d2ad865d4771aa63d3ea9fb5361721061bbed11d88266596e4c096bb750
Instruction ID: 69d9f9924e0038b548aa1cc6a15490910e53ede3ad98363af9ea02ab3292ba44
Opcode Fuzzy Hash: 850f3d2ad865d4771aa63d3ea9fb5361721061bbed11d88266596e4c096bb750
Instruction Fuzzy Hash: 0C90023160550802E60071588524706100597D1201F65C412A0C28578DC7998A5176A6

Function 0042C353 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,8D49825B,00000007,00000000,00000004,00000000,00416A4E,000000F4), ref: 0042C38F

Memory Dump Source

Source File: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: da4ee3e92a18b04ea4cfe080d447bb4666bcaa204fda464ea6b16c8ce95a68cd
Instruction ID: e28ac76f2c666a6b4a985f0e5fc36a3b4eb1003c06a1645562192c5e47d38090
Opcode Fuzzy Hash: da4ee3e92a18b04ea4cfe080d447bb4666bcaa204fda464ea6b16c8ce95a68cd
Instruction Fuzzy Hash: B3E06D72640204BBD614EE99DC41FDB33ACEFC9710F008019FA18A7242D670B910C7B4

Function 0042C303 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041DFBB,?,?,00000000,?,0041DFBB,?,?,?), ref: 0042C342

Memory Dump Source

Source File: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d418f1ad3e78c8d5fc3991d9faa2cae116d049e26f01c48ad1d050f406eefb09
Instruction ID: 8a2c42d13485ed484c39c948941f2f174cf09225faae2cbb2ae905bacf101411
Opcode Fuzzy Hash: d418f1ad3e78c8d5fc3991d9faa2cae116d049e26f01c48ad1d050f406eefb09
Instruction Fuzzy Hash: C1E06D717002047BD610EE99EC41E9B37ACEFCA714F008419FA08A7241C670B9108BB5

Function 0042C3A3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042C3D4

Memory Dump Source

Source File: 00000004.00000002.2281484840.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 78c0bbe6f024d62051cab92a9312c4f28145f714dafe43d2a619d51c61125ab2
Instruction ID: cad2509b494d7c0125996992919dbf3c1afef1e6243d380447f7d1f29934f3af
Opcode Fuzzy Hash: 78c0bbe6f024d62051cab92a9312c4f28145f714dafe43d2a619d51c61125ab2
Instruction Fuzzy Hash: 9CE086716402147BC620FA9AEC41F9B776CEFC5714F404419FA186B141C7B0B90587F5

Function 01082C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01082C24

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 704f8b56239ead652321a688aa47b328adc40aefb93deda80e4a33cc087fb9bd
Instruction ID: cbb2070278f2b114879785ac73106817420e1d0971755c657c0f1ea9d2f45f07
Opcode Fuzzy Hash: 704f8b56239ead652321a688aa47b328adc40aefb93deda80e4a33cc087fb9bd
Instruction Fuzzy Hash: CDB09B719055C9C5EF51F7644608717794077D1701F15C062D2C34655F473CC1D1F275

Non-executed Functions

Function 010C2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MaxDeadActivationContexts, xrefs: 010C2D82
TracingFlags, xrefs: 010C2549
GlobalFlag2, xrefs: 010C2FC0
DisableHeapLookaside, xrefs: 010C246D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 010C3176
@, xrefs: 010C2942
minkernel\ntdll\ldrinit.c, xrefs: 010C3187
MaxLoaderThreads, xrefs: 010C24EC
@, xrefs: 010C2B74
CFGOptions, xrefs: 010C2967
ShutdownFlags, xrefs: 010C24A1
GlobalFlag, xrefs: 010C2F3F, 010C3059
ExecuteOptions, xrefs: 010C25A0
LdrpInitializeExecutionOptions, xrefs: 010C317D
UnloadEventTraceDepth, xrefs: 010C24C0
FrontEndHeapDebugOptions, xrefs: 010C2489
RaiseExceptionOnPossibleDeadlock, xrefs: 010C2579
UseImpersonatedDeviceMap, xrefs: 010C251C
MinimumStackCommitInBytes, xrefs: 010C2BB0
DisableExceptionChainValidation, xrefs: 010C275F

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 7797a28ef143ae31961c93f9ee616d1690ffb24b8aaae5d22981cbd5725e2d28
Instruction ID: fe12f63451f4581ccf62175fcabb35fbc1a1008544b3f7b41de5a339d93755da
Opcode Fuzzy Hash: 7797a28ef143ae31961c93f9ee616d1690ffb24b8aaae5d22981cbd5725e2d28
Instruction Fuzzy Hash: F8925B71608346ABE765DF18C880BAFB7E8BB84B54F04492DFAD49B650D770E844CF92

Function 01078620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

corrupted critical section, xrefs: 010B54C2
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010B54E2
Invalid debug info address of this critical section, xrefs: 010B54B6
Thread is in a state in which it cannot own a critical section, xrefs: 010B5543
double initialized or corrupted critical section, xrefs: 010B5508
Critical section debug info address, xrefs: 010B541F, 010B552E
Critical section address, xrefs: 010B5425, 010B54BC, 010B5534
Address of the debug info found in the active list., xrefs: 010B54AE, 010B54FA
Critical section address., xrefs: 010B5502
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010B540A, 010B5496, 010B5519
Thread identifier, xrefs: 010B553A
8, xrefs: 010B52E3
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010B54CE
undeleted critical section in freed memory, xrefs: 010B542B

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 82bc0dcb8bcedca902677d9353935631f5be661487309a3944eb64e44ec1d8ff
Instruction ID: 1c63636f4a247c0052140e30a4432f0248179898ae2a8e0b64264777e7f3b514
Opcode Fuzzy Hash: 82bc0dcb8bcedca902677d9353935631f5be661487309a3944eb64e44ec1d8ff
Instruction Fuzzy Hash: 2B819FB4A01359AFEB20CF99CC85BEEBBF5BB48714F10819AF584BB250D775A940CB50

Function 010729F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010B25EB
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 010B2506
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 010B2602
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 010B2412
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 010B2498
@, xrefs: 010B259B
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 010B2624
RtlpResolveAssemblyStorageMapEntry, xrefs: 010B261F
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010B22E4
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010B24C0
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 010B2409

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 629e05b8f26c6ec48b099c82cbc14b05d4cb703d9b907452b6c811ac1822d062
Instruction ID: cdb03cc84365e49c67864dd87c1a19e5a016aa804c20dfbc86c28750c2b4994f
Opcode Fuzzy Hash: 629e05b8f26c6ec48b099c82cbc14b05d4cb703d9b907452b6c811ac1822d062
Instruction Fuzzy Hash: 67025FF1D002299BDB61DB54CC80BDEB7B8AF54704F4041EAE689A7241EB71AF84CF59

Function 010E8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

SegmentHeap, xrefs: 010E8BE9
smss.exe, xrefs: 010E8B8B
lsass.exe, xrefs: 010E8BA1
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 010E8BD0
runtimeuserer.exe, xrefs: 010E8B73
csrss.exe, xrefs: 010E8B80
heapType, xrefs: 010E8BCB
svchost.exe, xrefs: 010E8B68
DefaultBrowser_NOPUBLISHERID, xrefs: 010E8D00
services.exe, xrefs: 010E8B96

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimeuserer.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 91ddb88fdda8eb7e1bd2d90bce1298dfc9ac9202bad3c6d59e575f62756647ee
Instruction ID: 1a6254d10637e5e5a933187f9ed84673f838c7b74ed4951067b055e7c21de74e
Opcode Fuzzy Hash: 91ddb88fdda8eb7e1bd2d90bce1298dfc9ac9202bad3c6d59e575f62756647ee
Instruction Fuzzy Hash: A451EF715093059FC329DF1AC848BABBBE8FF94250F14896EE9D9C3244E771D608CB92

Function 010F0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010F03A6, 010F04B5, 010F05DD, 010F0682, 010F06D9
RtlReAllocateHeap, xrefs: 010F02BF, 010F0362
Just reallocated block at %p to %Ix bytes, xrefs: 010F05F1
About to reallocate block at %p to %Ix bytes, xrefs: 010F03BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 010F069F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 010F06EA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 010F04D3
HEAP[%wZ]: , xrefs: 010F0399, 010F04A8, 010F05D0, 010F0675, 010F06CC

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 5213dc50f5e522e486234624ebb25452390abd7a1332c321f7429d2a0960f231
Instruction ID: a712ab3202697dec99e1289a0ec8b1a4b2df497af138b1a1f2ecdb3c07b337ae
Opcode Fuzzy Hash: 5213dc50f5e522e486234624ebb25452390abd7a1332c321f7429d2a0960f231
Instruction Fuzzy Hash: B0D1C031500646DFDB66DF68C442AAEBBF2FF8A704F08805DE6C59BA56C734D980CB14

Function 010C89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 010C8A3D
HandleTraces, xrefs: 010C8C8F
VerifierFlags, xrefs: 010C8C50
VerifierDlls, xrefs: 010C8CBD
VerifierDebug, xrefs: 010C8CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 010C8A67
AVRF: -*- final list of providers -*- , xrefs: 010C8B8F

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 20f8204967315291071ac2c40356030df9a4d4a1761adb1a0fe35823652120f9
Instruction ID: b56f257d4760ddd06adb1fdc7f18fd1c2358773131da556bdbc803089dc24cd5
Opcode Fuzzy Hash: 20f8204967315291071ac2c40356030df9a4d4a1761adb1a0fe35823652120f9
Instruction Fuzzy Hash: 70912171601716AFD325EF68D880B9E7BE9AB94F14F05846EFAC0AB245C7709C40CF99

Function 010763FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 010B40DF, 010B4141, 010B4205, 010B425F
Delaying execution failed with status 0x%08lx, xrefs: 010B4258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 010B40D8
minkernel\ntdll\ldrinit.c, xrefs: 010B40E9, 010B414B, 010B420F, 010B4269
Process initialization failed with status 0x%08lx, xrefs: 010B413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 010B41FE

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: c10f75a89ac60f26382d24c83be02e6fe9e24106bbd7cc4cea821e3f9fc68a04
Instruction ID: e40928888a6368065a9256839a1e149bc576f241ed9657a8adbbdc830e66632a
Opcode Fuzzy Hash: c10f75a89ac60f26382d24c83be02e6fe9e24106bbd7cc4cea821e3f9fc68a04
Instruction Fuzzy Hash: CD913770F00B11DBEB29DF58D884BEE7BA2BF40B14F000078E5D2AB28ADB759941C795

Function 0103645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01036496
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010999ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01099A2A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01099A01
minkernel\ntdll\ldrinit.c, xrefs: 01099A11, 01099A3A
LdrpInitShimEngine, xrefs: 010999F4, 01099A07, 01099A30

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 50d25cb561ffa9f577f9dff2a3c3daff1858704382eb60dcf4cc35f835c561df
Instruction ID: 0c5c28b4295ffbb16f8286a95a3c753630a25af1b9f7c36105b728b4d5cd20bf
Opcode Fuzzy Hash: 50d25cb561ffa9f577f9dff2a3c3daff1858704382eb60dcf4cc35f835c561df
Instruction Fuzzy Hash: 2751E271218304AFEB25DF24C851BAB7BE8FB84748F00092DF5D59B1A4D735EA44CB92

Function 01072674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 010B219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 010B21BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 010B2178
RtlGetAssemblyStorageRoot, xrefs: 010B2160, 010B219A, 010B21BA
SXS: %s() passed the empty activation context, xrefs: 010B2165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 010B2180

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 1d2bfdce0356e782a0f8ddfe83e2dd620693ef3ebd1e5866d86e01b10040f530
Instruction ID: 63630579c4546860ecdd0e36743bcc3036701553d85a372edbbf51c3d3c7f32e
Opcode Fuzzy Hash: 1d2bfdce0356e782a0f8ddfe83e2dd620693ef3ebd1e5866d86e01b10040f530
Instruction Fuzzy Hash: 20310E36F40225B7F7118A958C85F9FBBB9EB74A50F05405DF7847B141D270AE01C7A1

Function 0107C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 010B8181, 010B81F5
LdrpInitializeProcess, xrefs: 0107C6C4
LdrpInitializeImportRedirection, xrefs: 010B8177, 010B81EB
Unable to build import redirection Table, Status = 0x%x, xrefs: 010B81E5
minkernel\ntdll\ldrinit.c, xrefs: 0107C6C3
Loading import redirection DLL: '%wZ', xrefs: 010B8170

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 5817601f3894ac14685e2648a68ce5b9c8684e41e79dad19eb7d40b217d76bcb
Instruction ID: e9871af56e3112ef241cd49f282dc77278b33be612954792faa03ede03549f55
Opcode Fuzzy Hash: 5817601f3894ac14685e2648a68ce5b9c8684e41e79dad19eb7d40b217d76bcb
Instruction Fuzzy Hash: AE311571744312AFD224EF28D986E9A77D8FF94B10F00055CF9C5AB295E624EC04CBA2

Function 0108096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01082DF0: LdrInitializeThunk.NTDLL ref: 01082DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01080BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01080BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01080D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01080D74

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 06c39d67ec140918eec722358a9e75c14dafa5dfeff7287516882f7a092430de
Instruction ID: 1ffe793ae45db4a2675f8bd7ffcad82bc5a42d90eadfb6f63acd1d5882acf3a0
Opcode Fuzzy Hash: 06c39d67ec140918eec722358a9e75c14dafa5dfeff7287516882f7a092430de
Instruction Fuzzy Hash: 5B4259B1900715DFDB61DF68C880BEAB7F4BF04314F1485A9E9C9AB245E770AA84CF60

Function 010529A0 Relevance: 6.0, Strings: 4, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01053264
, xrefs: 010531A3
HEAP[%wZ]: , xrefs: 01053255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0105327D

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-3126994380
Opcode ID: 9b00b9b31d85e82438c9278220c97bd37c254feaf55c9fb643f7bdf63480ec1f
Instruction ID: bada9d8c9d8ebf439076ac883128d493483eec8ec3b2bb8194bf9719a18c52ed
Opcode Fuzzy Hash: 9b00b9b31d85e82438c9278220c97bd37c254feaf55c9fb643f7bdf63480ec1f
Instruction Fuzzy Hash: 3692CD71A04249DFEBA5CF68C4447AEBBF1FF48304F1880A9E999AB352D735A941CF50

Function 0104A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0104A3F7
8, xrefs: 0104A3E7
LdrResFallbackLangList Exit, xrefs: 0104A3FF
LdrResFallbackLangList Enter, xrefs: 0104A3EF

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: db166ed10804a343e96066c8885d57c248fa4cdac73bdc72319d26d0134ac841
Instruction ID: 669ed9d0ced9a2f1b5cef14723626ea8b8f2a87104ae35a9b668ca591f78fe00
Opcode Fuzzy Hash: db166ed10804a343e96066c8885d57c248fa4cdac73bdc72319d26d0134ac841
Instruction Fuzzy Hash: E8C168B4648386CFD711DF58C184BAAB7E4BF88704F0449BAF9D68B251E734CA45CB92

Function 01078402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01078422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0107855E
minkernel\ntdll\ldrinit.c, xrefs: 01078421
@, xrefs: 01078591

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: eac2220dc4997170f49de816d12e78d4f39b941004ff89917f12c37cb337a6c8
Instruction ID: 49d77431d9fa1392a4fe7450f0dcef1d71a5422acc55c2114cb692dcf67a6929
Opcode Fuzzy Hash: eac2220dc4997170f49de816d12e78d4f39b941004ff89917f12c37cb337a6c8
Instruction Fuzzy Hash: 3A919A71A08345AFD721EF25CC84EABBAECBF84744F40896EFAC496150E734D944CB66

Function 0107273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 010B22B6
.Local, xrefs: 010728D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 010B21D9, 010B22B1
SXS: %s() passed the empty activation context, xrefs: 010B21DE

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: c47db7ab579f1d017bf316edf26146fa776640a5506713543a7585b3e8a23690
Instruction ID: 4b669bb3acfebd2b78e5a41b1c5baba85be451212e611ce8d6b1d828d566a347
Opcode Fuzzy Hash: c47db7ab579f1d017bf316edf26146fa776640a5506713543a7585b3e8a23690
Instruction Fuzzy Hash: 67A1C031D0022ADBDB65CF68CC84BE9B7B1BF58354F1941E9D988AB251D730AE80CF94

Function 010464AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 010A0FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 010A106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010A10AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 010A1028

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: c465116eacf4ec6bd72b9eb2727a30b3bbe9698d779c8f6b60d81d55af5912e4
Instruction ID: a25ab58e6ed7b48b5519f838787e4e5a471350884a61e3f50234114b757156dd
Opcode Fuzzy Hash: c465116eacf4ec6bd72b9eb2727a30b3bbe9698d779c8f6b60d81d55af5912e4
Instruction Fuzzy Hash: 7571CFB19043459FCB61EF54C884B9B7BE8AF95754F4004A8F9C88B286E735D588CBD2

Function 0106245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 010AA992
apphelp.dll, xrefs: 01062462
minkernel\ntdll\ldrinit.c, xrefs: 010AA9A2
LdrpDynamicShimModule, xrefs: 010AA998

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 06a7864e60a12941e9d31302e6822e9e72d703379051d75740a28d9ddb269ea0
Instruction ID: 9e20691f65ea77345b90e5a0b5103994489e9a576e0cd3b7b92d80de5b17ab2d
Opcode Fuzzy Hash: 06a7864e60a12941e9d31302e6822e9e72d703379051d75740a28d9ddb269ea0
Instruction Fuzzy Hash: FB316F75B00301EBDB39DF9DD881AAE77F4FB84710F5500A9E9A16B289C7B459C1C750

Function 01050770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010A50BD
(UCRBlock->Size >= *Size), xrefs: 010A50CA
HEAP[%wZ]: , xrefs: 010A50AE

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 1c287ca9ce6706373ffcd626609656a1c6b7e6b2f21600e9f4cc4bef91502e4e
Instruction ID: 15800a8c4c647594e4182e8e71b9199739ec54ec2908b9a639c8cdd23658a23a
Opcode Fuzzy Hash: 1c287ca9ce6706373ffcd626609656a1c6b7e6b2f21600e9f4cc4bef91502e4e
Instruction Fuzzy Hash: 1BF19D30A00606DFEB55CFA8C894BAEB7F5FF45304F1441A9E9969B389D734E981CB90

Function 01066962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01066C24
, xrefs: 010ACA51

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: db3b53ae071663c774c4936d3d3540eae19787da8b6562391a98f5e12029f948
Instruction ID: d143adb75e6a920664e09aba47bf852fae22f446d6be7dcfca185544d92f27f6
Opcode Fuzzy Hash: db3b53ae071663c774c4936d3d3540eae19787da8b6562391a98f5e12029f948
Instruction Fuzzy Hash: F3C29C716083419FEB65CF68C880BABBBE9BF88758F05896DF9C987241D735D804CB52

Function 0103A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 0103A1C1
\??\, xrefs: 0109C1E4
FilterFullPath, xrefs: 0109C2E6

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: c9009003610f8745ae5a3293dec049236c98882519e129aaffbf2db84a9ce600
Instruction ID: 5642817c06752b18241be0e0354ae0bc1cb8eb1faa31c0be51efcb9ff9fd0f72
Opcode Fuzzy Hash: c9009003610f8745ae5a3293dec049236c98882519e129aaffbf2db84a9ce600
Instruction Fuzzy Hash: A4A15B71D012299BEF619F28CD98BEAB7B8EF48710F1041E9E989A7250D7359E84CF50

Function 0107C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 010B82D7
LdrpInitializePerUserWindowsDirectory, xrefs: 010B82DE
minkernel\ntdll\ldrinit.c, xrefs: 010B82E8

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 88e81bf3761136c390d9102b8b24c0a08d77ffb7a0cdd60eb9cc1daa63b65025
Instruction ID: ff5793d52737662bf335285bb6d3622e9d6baeb69590709c58bf7a861b92c422
Opcode Fuzzy Hash: 88e81bf3761136c390d9102b8b24c0a08d77ffb7a0cdd60eb9cc1daa63b65025
Instruction Fuzzy Hash: 1841F1B1904306ABD765EB68DD44B9BBBE8BF44750F00483AF9D8D7258EB70D840CB95

Function 010FC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 010FC1F1
PreferredUILanguages, xrefs: 010FC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 010FC1C5

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 6f7c4aab400fe63967a593885fba815a517be05b67fcdb870106430b8b29de87
Instruction ID: 82491404853212c2ef6b82aca606193119e7707254382416c52bf9183a5c715c
Opcode Fuzzy Hash: 6f7c4aab400fe63967a593885fba815a517be05b67fcdb870106430b8b29de87
Instruction Fuzzy Hash: A0416275E0020DABEF91DAD8C942FEEBBF8EB54700F14406AE685B7640D7749E44CB50

Function 010D4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 010D4160
LdrpResValidateFilePath Exit, xrefs: 010D4172
@, xrefs: 010D4225

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 2c2b6bfe725ef286aef50cc85637f33508fd9a2db0755b48e66230ea108b7295
Instruction ID: cdcbacd5aecfb0a8af765b38d8b47123870f6514821cda13071a27dfb019d94b
Opcode Fuzzy Hash: 2c2b6bfe725ef286aef50cc85637f33508fd9a2db0755b48e66230ea108b7295
Instruction Fuzzy Hash: E641F371A043598BEB26DBA9C840BEEBBF8FF55340F140499D981EFB81D7348901CB51

Function 010C4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 010C4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 010C4888
LdrpCheckRedirection, xrefs: 010C488F

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: f696380f59fb5e041bf1876e9b18cfb6d2fd287bd1151e19829c10ea34d20d5c
Instruction ID: 5e08eb7cde2a018dfe680f2bb1e0b4c2f67fd32b9db0e2843680cac7511a583e
Opcode Fuzzy Hash: f696380f59fb5e041bf1876e9b18cfb6d2fd287bd1151e19829c10ea34d20d5c
Instruction Fuzzy Hash: 23419032A046519BCB61CF58D860A6F7BE4FF49E50B0506ADEDD8DB215D730D804CF91

Function 010C20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 010C2104
Process initialization failed with status 0x%08lx, xrefs: 010C20F3
LdrpInitializationFailure, xrefs: 010C20FA

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 28b62b0f7ac6ab11f27641303b924a06bb8a843ba24414d62cfa79e8a363cc4b
Instruction ID: d3c2bd4314cd99bf7e04056d1b8694e4d3dc228bd0e7815d2b7677e60469e10a
Opcode Fuzzy Hash: 28b62b0f7ac6ab11f27641303b924a06bb8a843ba24414d62cfa79e8a363cc4b
Instruction Fuzzy Hash: 7CF0A435640219ABEA24EB4CDC42FD937A8EB91E54F50006DFA907B685D1F0A550CA51

Function 010503E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010A4D8A

Strings

#%u, xrefs: 010A4D82

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 55fb41c73558bea8abe22fd59633ef29a644091412d2ecd768c675a824893fa1
Instruction ID: 374cd11e1fef26f798d8015f9723878a03947b0916bbc637a941b019e3ea3e1d
Opcode Fuzzy Hash: 55fb41c73558bea8abe22fd59633ef29a644091412d2ecd768c675a824893fa1
Instruction Fuzzy Hash: 04715A75A0014A9FDB41DFA8C990BEEBBF8FF08744F144065E985EB251EA74ED41CBA0

Function 0104A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0104AA25
LdrResSearchResource Enter, xrefs: 0104AA13

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 2b8789497f711f33fffea4d0b7b3eff7861eb50e019f9137f427d36467d68fea
Instruction ID: 29a7e720799279d862ae1aa8aa512909977165fa0a58ad89ee2589403ee88dfb
Opcode Fuzzy Hash: 2b8789497f711f33fffea4d0b7b3eff7861eb50e019f9137f427d36467d68fea
Instruction Fuzzy Hash: 49E161B1B40219DBEB61CED9C980BEEBBB9FF44350F144475E982EB251D7349940CB50

Function 0110A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0110A551
`, xrefs: 0110A44B

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 49ef9d6c27acd856e40f2d50b96403c2424ece4bf7d042d135103dec99057abb
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 42C1B2316043469BE72ACE28D841B6BBBE5BFC4318F084A2DF696CB2D1D7B5D505CB41

Function 010BE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 010BE751
Legacy, xrefs: 010BE75A

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 08f3314112d7f762385aa323511c4bd0ee5bc569f90117654b9e3663c7421533
Instruction ID: 0052bcb019b0b0c26c52ffc0bc844be1357befbe1a0b4f35d10f27328b812a0e
Opcode Fuzzy Hash: 08f3314112d7f762385aa323511c4bd0ee5bc569f90117654b9e3663c7421533
Instruction Fuzzy Hash: 7E613971E406199FDB15DFA8C880BEEBBF5FB48700F14806DE699EB291D731A900CB50

Function 010E43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 010E4525
@, xrefs: 010E4437

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 41bd6dd5d0bf97c524ddbe3e438d9b09d5b811749fb28d5f6ab5e96e354c9cef
Instruction ID: 06477f13f5608d0fa2cea502df2186a0f0d4d57621c767c7a7f00b40bb240677
Opcode Fuzzy Hash: 41bd6dd5d0bf97c524ddbe3e438d9b09d5b811749fb28d5f6ab5e96e354c9cef
Instruction Fuzzy Hash: 375128B1E0021EAFDB11DFA9CC84AEEBBF8EB44754F100569E691F7291D7319A05CB60

Function 010404E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0104063D
kLsE, xrefs: 01040540

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: c7c7f5f50e8e825e7bc7fe9e2da79e93d6034bbbd60e73a0d97abfc9dd78ff1b
Instruction ID: 40723e8927212c3dba518dbc8bbf5b3f9ec80f755f369eff06a1691ee7a031d8
Opcode Fuzzy Hash: c7c7f5f50e8e825e7bc7fe9e2da79e93d6034bbbd60e73a0d97abfc9dd78ff1b
Instruction Fuzzy Hash: BF51BFB15047429BD724EF68C4806E7BBE8EF88304F10883EFAEA97245E774D545CB92

Function 0104A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0104A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0104A309

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 07365b5f6ee6d791d5bee95a0aac2a1a006660073392ec994b6ef0b60fac7ba1
Instruction ID: 8335eba51d82fa8262ae6eecbad2209d0ea1eb4a5549eb80f9127220ae7d5ff3
Opcode Fuzzy Hash: 07365b5f6ee6d791d5bee95a0aac2a1a006660073392ec994b6ef0b60fac7ba1
Instruction Fuzzy Hash: A3418BB1B44645DBDB218FA9C880BAE7BF4FF85701F1480B9E982DB291E2B5D940CB50

Function 0107A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0107A5E9
Cleanup Group, xrefs: 0107A5E4

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 6168fb5de3ce2072cc375ef3f6188a96fc79768149edd928be7526647a7f075f
Instruction ID: 7cb3e3cfcf41c7fb95e5e282f6f95f94d1d86b1bc402dff15c41f7277354fb88
Opcode Fuzzy Hash: 6168fb5de3ce2072cc375ef3f6188a96fc79768149edd928be7526647a7f075f
Instruction Fuzzy Hash: 370128B2644740EFD311DF14CD45F1A77E9E789715F048939B698CB194E734D904CB4A

Function 0104C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0104C8C3, 0104CA40

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 40d1a337ded4914d793729f3e1155b9bdc89a6e4f7e795307174dd5f47f88579
Instruction ID: 5e481aba5c9dbcdaee7e7077b0509d7d722fbab30d8d898041210f08984d6ba1
Opcode Fuzzy Hash: 40d1a337ded4914d793729f3e1155b9bdc89a6e4f7e795307174dd5f47f88579
Instruction Fuzzy Hash: 81827DB5E012189FEB64CFA9C9807EDBBB1BF58310F1481BAE999AB350D7309D41CB50

Function 010EA118 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

@, xrefs: 010EA68B

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c02ce6194c7b0e20154accbad819ebddacbd5a67ae06809fb85c6e910f828143
Instruction ID: f4a44aaa3b59cd5765fcb55076dfbb5d13ed881442d0a1d0697f46795d54f4e2
Opcode Fuzzy Hash: c02ce6194c7b0e20154accbad819ebddacbd5a67ae06809fb85c6e910f828143
Instruction Fuzzy Hash: 1722AE74704661CEEB65CF2EC498376BBE1AF8D300F08849AE9D68B286D775D452CB60

Function 010C6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 010C65C1

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: da5b140a49648021f31e11a6aa23e04ce4198f2adb9ef8bcad04617620e5a7bf
Instruction ID: 138f019c8408962852a674f1c60fa1264b06df2c424d8b9aefd68781bcbb04b1
Opcode Fuzzy Hash: da5b140a49648021f31e11a6aa23e04ce4198f2adb9ef8bcad04617620e5a7bf
Instruction Fuzzy Hash: AD914271940219AFEB21DF95CD85FEEBBB8EF18B50F104069F641AB291D775A900CBA0

Function 010EE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 010EE1FA

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3b4cb7bd4d612f93c9a9db83d115fe9706efb9fd1afc842a8760bdc2157937d7
Instruction ID: 332ed9a351faa29ea38be42ca599e8e8b41858dad9fac3def7b11b07b9300469
Opcode Fuzzy Hash: 3b4cb7bd4d612f93c9a9db83d115fe9706efb9fd1afc842a8760bdc2157937d7
Instruction Fuzzy Hash: E691BD3190060EAEDB26AFA6DC48FEFBBB9EF45740F104029F581A7250EB359901CB90

Function 0107A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 010B67C9

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 4ac1032f0c9a55be16263be3586751b3648f6fe37c7cf7a8bb6cf33ebd5d0000
Instruction ID: c6c90bd87d6ac6c36ba2a06f43b5f53fc560f51bae636875cd6c29113effb656
Opcode Fuzzy Hash: 4ac1032f0c9a55be16263be3586751b3648f6fe37c7cf7a8bb6cf33ebd5d0000
Instruction Fuzzy Hash: 9A716AB5E0021ADFDF68CF98C590AEDBBF2BF48710F14816EE985A7240E7329941CB54

Function 010E4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 010E4A7F

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 0eeaaa9e8913d346d61274a5d04e1d6b604de0e40599fdeb39943faf4af91000
Instruction ID: 673b006116cb273c7858c1f268a9fd423885647dc4b38ef06b7c5beed57714a6
Opcode Fuzzy Hash: 0eeaaa9e8913d346d61274a5d04e1d6b604de0e40599fdeb39943faf4af91000
Instruction Fuzzy Hash: 8A5184B2D0122A9FDF14DF9AD844AEEBBF5AF44610F094169E991FB340D7359801CBE4

Function 0105E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0105E6A4

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 93006be39b5e7b8f8a3d944169f9707a362fe7b249ba7847cba83a60a7cacaf5
Instruction ID: d400d1062f251d98bb6b6adb103f599190d3b5f2115da7a2664b20452e90fef8
Opcode Fuzzy Hash: 93006be39b5e7b8f8a3d944169f9707a362fe7b249ba7847cba83a60a7cacaf5
Instruction Fuzzy Hash: 9D4191726083069BD791DA75C840BAFFBD8BF88714F44096DFAC4D7140E674DA04C796

Function 010BC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 010BC77F

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: c405053475cdd8bb2ea13515c7d3dd2f45029e729c321369017b241958313e8c
Instruction ID: 7487753dff12ad192c7549e8c2692434f9c3ffab8be914ca1c992b8f4fbc58ef
Opcode Fuzzy Hash: c405053475cdd8bb2ea13515c7d3dd2f45029e729c321369017b241958313e8c
Instruction Fuzzy Hash: 264133B1D0112DABEB21DB50CD84FDEB77CAB55714F0045E5EA88AB140DB709E89CFA4

Function 010D6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 010D6B91

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 37f97fe206307bd750956418fc46f829cb4f034d706adaf57926b7b98d451610
Instruction ID: 254e60e4bae2d9efec2570a3e7b68862ce7665258959f6dde609a9fdc5f7813f
Opcode Fuzzy Hash: 37f97fe206307bd750956418fc46f829cb4f034d706adaf57926b7b98d451610
Instruction Fuzzy Hash: 7331F431A0075D9AEB22DF69C850BFE7BE8DF04704F144068E9D1AB282DB76E845CB54

Function 010C892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 010C895E

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 57b6ac59fd966bd738597a18bc49771710e46f93cc05666fbbb750cdf0eb5c57
Instruction ID: 7526b10adce54a75f59b62f7d45ca3961c109d2e35098e5773d5ab50594d680d
Opcode Fuzzy Hash: 57b6ac59fd966bd738597a18bc49771710e46f93cc05666fbbb750cdf0eb5c57
Instruction Fuzzy Hash: F0012B713002019BE6685B59DCC4BDE7FA5EFC1F94B0C006EF6C516155CF20A880CF9A

Function 010E2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955c9c2bd2cf5b50be2639d64569d63abae61982942eb3e0df3ebf8e277211cf
Instruction ID: 5a51b1c928a44f287a2336bf4f89e1471b357b9e90bca2b7dee6810bb06d981d
Opcode Fuzzy Hash: 955c9c2bd2cf5b50be2639d64569d63abae61982942eb3e0df3ebf8e277211cf
Instruction Fuzzy Hash: 9742F6726083419FE765CF6AC994A6FBBE9BF88300F08496DFAC287250D770D945CB52

Function 010D8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285a867a741d9df3f350d21868cf721486384c59ed9d3bbf2c8f74277efc6909
Instruction ID: fe51c57ca2d0b5c68137f2ec3975ffb1f547b03423f9e98659d76e3322e25a3d
Opcode Fuzzy Hash: 285a867a741d9df3f350d21868cf721486384c59ed9d3bbf2c8f74277efc6909
Instruction Fuzzy Hash: EE424C75A003198FEB65CF69C841BADBBF5BF48310F15C09AE989AB241DB349985CF50

Function 01052840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bc4e0ae0d6b8a3c2029cd54b4c7a07cd6f62b1e3e4487b149c0f5f57cdedf1
Instruction ID: b2243bf3f82520113155a18cee70c6e971a18ebc6f72ff3a82d258b7a353df08
Opcode Fuzzy Hash: 94bc4e0ae0d6b8a3c2029cd54b4c7a07cd6f62b1e3e4487b149c0f5f57cdedf1
Instruction Fuzzy Hash: 2832ED70A00755CBDB65CFA9C8447BEBBF6BF84304F58416DD5C69B284DB36A842CB50

Function 010D892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100684217f268e29ad00c21c402dbc3826945a313c83469d8d3d661b7d884ad5
Instruction ID: 87372ab511ede437a1901cc5e3ed5c8e5d7354f17411c9d205ffaf5b460e4c93
Opcode Fuzzy Hash: 100684217f268e29ad00c21c402dbc3826945a313c83469d8d3d661b7d884ad5
Instruction Fuzzy Hash: 8AD1E171A0070A8BDB05CF6DC841AFEB7F5AF88314F19C1AAD995A7241E735E905CB60

Function 010465D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f51f190bce9bba1dd85d522cc408a348e7cab98c21c1e2effb4ec2ce41a028a
Instruction ID: 1eab731cf12dfa411a7f3cf68da97598eb653d688c37ecc05332ce3fdd6d513c
Opcode Fuzzy Hash: 8f51f190bce9bba1dd85d522cc408a348e7cab98c21c1e2effb4ec2ce41a028a
Instruction Fuzzy Hash: 0DE17DB5508342CFC755CF28C090A6ABBE4FF8A314F058AADE9D587351EB32E905CB91

Function 01038397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b84159ed3f57becb545aadf410ef76512e41b3496881f38881f6f7cc7a78838
Instruction ID: 8c4ebf48ca57ffa177ed452f11910f6b9fec79fee2ce4406a67d519b7f75dbc6
Opcode Fuzzy Hash: 4b84159ed3f57becb545aadf410ef76512e41b3496881f38881f6f7cc7a78838
Instruction Fuzzy Hash: 53D1E4716002069BDF15DF28C890EBE77E9BF94314F0486AEF995DB280EB34E954CB90

Function 010C8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 32798c2bb6b954142a5f9a0c985aa8faebed74fdd5fb69c0834f72633cb2c994
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 09B16174A00605AFDB64DB99C944AAFBBFAFF84704F10845FAE8297790DA34E905CF14

Function 01050535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: da41ef7cab6a65362c187a61e63d38cc586ac30da007ee2c7c9eb48cf13ddb81
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 36B106356006469FDB51DBA8C850BBFBBF6BF44300F1805A9EAC2DB285DB70E941CB90

Function 010483C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b13e96bdad4be7b10268b261855cfd85e7d40b025dc3923bfe721adb48f6256
Instruction ID: 862b5ed4698d0283529b748613431b33da7189081e1561b914f4e507a294238a
Opcode Fuzzy Hash: 8b13e96bdad4be7b10268b261855cfd85e7d40b025dc3923bfe721adb48f6256
Instruction Fuzzy Hash: 63C168B45083418FD764CF59C484BABB7E5BF88304F44896EE9C987291D774E909CF92

Function 0103C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4bd2fa3be679c8815624f26814d4be72054cfbde64c07d4691077454c902d4c
Instruction ID: 652bc381fe422ba300c860c71fda088bb8496f26f470bf898f780767626682e8
Opcode Fuzzy Hash: f4bd2fa3be679c8815624f26814d4be72054cfbde64c07d4691077454c902d4c
Instruction Fuzzy Hash: 79B16170A002658BEB64DF58C990BA9B7F5EF84740F0485EAD58AE7281EB31DDC5CB20

Function 0106E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773601c45c3b70cc89d685109a459fec751d79d20afae751103210b083445537
Instruction ID: 0d1aa3614e45ac6c724b6387cedbf7c7c1af38427d631eb09d725d5b2d1b53a9
Opcode Fuzzy Hash: 773601c45c3b70cc89d685109a459fec751d79d20afae751103210b083445537
Instruction Fuzzy Hash: 6BA13835E0031A9FEB21DB98C944BEEBBF9BF04754F040165EAD1AB291D7749D40CB91

Function 01080185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099889d67684281f7fc5b6c922dd021ad42dd02dded61f5bbd221d15384d7118
Instruction ID: 353bc091a777fc3190463ab750dc655688eaef38057d09a6ddd0406e196016f3
Opcode Fuzzy Hash: 099889d67684281f7fc5b6c922dd021ad42dd02dded61f5bbd221d15384d7118
Instruction Fuzzy Hash: D5A1D2B0B046169FDB65EF69C890BEAB7F5FF54314F004029EAC597285EB34E845CB50

Function 01114500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44f22cf9b34e4060c05663d76780f2cc15a23b4fbbad298943c5a4b559396d7
Instruction ID: bdc2cd4699a4486b3424904ddbb625c6221056821e469a44c58e8d1c28bac4bb
Opcode Fuzzy Hash: f44f22cf9b34e4060c05663d76780f2cc15a23b4fbbad298943c5a4b559396d7
Instruction Fuzzy Hash: 72A1EFB2A04612EFD71ADF58C980B5ABBE9FF48B44F050538F9859BA58C334ED41CB91

Function 01112B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 1fdbd3cfa5860869bed396a660a31f99f889342372d9694a26f72b2ccad33ec7
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 95B12871E0065ADFDF29CFA9C880AADFBB5FF48310F248169E914A7358D730A941CB94

Function 010C60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551c665a083a012a0a4768dd672da3a2f0eb11e317883c5b42e397937e86fa74
Instruction ID: 2d378c1c2644eba8d280a4d7adb2a21326acc31c686c703019f934af266f8531
Opcode Fuzzy Hash: 551c665a083a012a0a4768dd672da3a2f0eb11e317883c5b42e397937e86fa74
Instruction Fuzzy Hash: 3591B571D00215AFDB25CFA8D894BAEBFF5AF48B10F15416DE690AB341D736D9009FA0

Function 0105E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feff3dfda66ab817413f36688d82d0547d3da82a7e22d65419200894cbda0a1e
Instruction ID: acbfbe3bfa570ddae38133228e6cec98f428f871cf29ec86747a6f3b4ffc5c96
Opcode Fuzzy Hash: feff3dfda66ab817413f36688d82d0547d3da82a7e22d65419200894cbda0a1e
Instruction Fuzzy Hash: DC910471A00616DBEBA49B58C444BBFBBE1EF94718F0540A5EDC59B280EB34DE41CB61

Function 0107E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c11b28f81984ed573c69b4ed630fbfa892ad11b1693354f255419ce169cffeb
Instruction ID: d388952611c3456881e3859118752d11e7f6e175126ad0cf02b0bd20f57f6b6a
Opcode Fuzzy Hash: 7c11b28f81984ed573c69b4ed630fbfa892ad11b1693354f255419ce169cffeb
Instruction Fuzzy Hash: FA817E71E01609AFDB25DFA9C880BEEBBF9FF48314F108469E695A7250D730AC45CB64

Function 0105C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd3f26c798655756dcd7b4598e40a48ed2cd51958f7e36fead4426d94c5e772
Instruction ID: 337c596e5777f52ff03bf26e99c01dd30a0b22e961e0e5d9a310933be09001a5
Opcode Fuzzy Hash: 5dd3f26c798655756dcd7b4598e40a48ed2cd51958f7e36fead4426d94c5e772
Instruction Fuzzy Hash: AE71D075D00229DBDB65CF98D5507BEBBF4FF48710F14816AE991AB350E3349900CBA0

Function 010F47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9333adb4a0e00ae027782cf99301ccb0397eec0d535c436b1d979a0442ff39
Instruction ID: 1b4f7118fe74dbf81b05b7ef9834697159d66d63702c3f7936215020bb0ee2b3
Opcode Fuzzy Hash: ed9333adb4a0e00ae027782cf99301ccb0397eec0d535c436b1d979a0442ff39
Instruction Fuzzy Hash: 9E718171A00205EFDB24DF59DA45A9FBBF8EB80310B0481AEEB94E765CD7318A84CB54

Function 0105260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8ecc9bd51c4f8eccffb1e22aac1cdb4bb428e1d54577f126b844ceee05efbb
Instruction ID: 46f16d4d40aa520a0542db02cdc68f745e376a6505a45cd191ff5848708f3711
Opcode Fuzzy Hash: bf8ecc9bd51c4f8eccffb1e22aac1cdb4bb428e1d54577f126b844ceee05efbb
Instruction Fuzzy Hash: 1371AF76604642CFD391DF68C484B6BB7E5FF88310F0985A9E8D98B352DB34D846CBA1

Function 010C035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 63e9c08282192ca55dc838d9065d06b758abf81fb547441efb71de79e6dbdecf
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 3F716F75A00619EFDB10DFA9C944AEEBBB9FF58700F104569E985AB250DB34EA01CF50

Function 010D62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c47c12c6b5a680a14d8422d2e1450506c60935bb17750081ea97a29bcd76e8
Instruction ID: 774bc61407cafd42ba18e032d605b07d43db47b94412f6e73dcd2958e30aa398
Opcode Fuzzy Hash: e3c47c12c6b5a680a14d8422d2e1450506c60935bb17750081ea97a29bcd76e8
Instruction Fuzzy Hash: AA71F532200701AFE732DF58C844F9ABBE6FF44760F158568E6D68B2A1DB76E944CB50

Function 01118324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d09b4a47693373643e067db89153f550c9524faa39193a145957cf4fb93481b
Instruction ID: 4fd617a245e10c3acf949c03d1bc15ac3c38348c2084c8bd5768e81cbb1e9a65
Opcode Fuzzy Hash: 4d09b4a47693373643e067db89153f550c9524faa39193a145957cf4fb93481b
Instruction Fuzzy Hash: 65711B71E10209AFDB1ADF94CC41FEEBBB9FF04350F108129EA51A7294E774AA05CB91

Function 010FA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83ee05691e653baeba38b8c122c439ede4d52fe32dc25136a66a62a4c6cabc7
Instruction ID: 571095f108409451fe332a224f32a3f4cd5237568348e6fa65774429016b0c34
Opcode Fuzzy Hash: e83ee05691e653baeba38b8c122c439ede4d52fe32dc25136a66a62a4c6cabc7
Instruction Fuzzy Hash: 0651B072604612EFD711DE68C885B5BBBE8EBC8750F00496DBBC4DB550DB31ED0587A2

Function 010E8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59075cd63f80079ddd218a0719ba2e2e9ca02fe7736dc3e976c16c60de8a4678
Instruction ID: 63ac355479eb09b6fb5e67d14e84e9daeb3b7d385269f838a08d1a4fe185a0f5
Opcode Fuzzy Hash: 59075cd63f80079ddd218a0719ba2e2e9ca02fe7736dc3e976c16c60de8a4678
Instruction Fuzzy Hash: D3519EB09007059FD721DF6AC888AABFBF8FF94710F10861ED2D6576A1DBB0A545CB90

Function 0107E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e14b3834890a3433c66d7f9d77f90079da168dcce2fc3f5dff8b5608fb63bd
Instruction ID: 4f025cef5904b076b539e05ee3e76f05f354569519d5963494d0cb8bde4e5f97
Opcode Fuzzy Hash: 99e14b3834890a3433c66d7f9d77f90079da168dcce2fc3f5dff8b5608fb63bd
Instruction Fuzzy Hash: BA516E71601A09DFCB62EF69C9C0EAAB7F9FF14784F4004A9EA9197660DB34ED40CB50

Function 010E4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29c6b8bfb3a597424c8f2ca3f21f4cc89f864269ef62b293680bf6ca131684c
Instruction ID: 140ccc10d27724619e1fcbf175a2036e2e3d32805ce11356a5ed65151bdf1cf3
Opcode Fuzzy Hash: e29c6b8bfb3a597424c8f2ca3f21f4cc89f864269ef62b293680bf6ca131684c
Instruction Fuzzy Hash: CE5178716083029FD754DF2AC884AABBBE5BFC8204F448A6EF5D9C7250EB30D905CB56

Function 010645B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: fa039281f89d9a6529836d7657d15ead2f5a5b17d13b3c425228c2946c7a4f9e
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: E5514C71E0021AABDF15DB94C840BEEBBF9BF49754F044069EA81EB240D778DA44CBA0

Function 010CE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 6772e1dc90cf37965c536372c49615b6dd725a7692b287ed8dae9bf33174ccf1
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 6951957190021AAFEF219F94C884BBFBFB5AB00B24F15466DD69267291D7359E40CFA0

Function 01108B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002f18c0fe80a4f2c7f54ac87941e4a6946ddf6a2cb0da27540549a1240a1ab5
Instruction ID: 025f034778f8104d0a5374b7ba8ca47bf7e6dac8ddb855a0595fb729bf0efd16
Opcode Fuzzy Hash: 002f18c0fe80a4f2c7f54ac87941e4a6946ddf6a2cb0da27540549a1240a1ab5
Instruction Fuzzy Hash: 8F41D871F09A119BD72FDB2DC994BBBBBAAEF90220F048119F955872C1DBB0D801C691

Function 0107A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09de5c1d0755c55a07eca4d8fe106cd9147623c8366ae01efba073692ed40d0
Instruction ID: e65fa6ad27e3f8babd13445403a4a189b52913ed557879720d063b6481d3edcd
Opcode Fuzzy Hash: c09de5c1d0755c55a07eca4d8fe106cd9147623c8366ae01efba073692ed40d0
Instruction Fuzzy Hash: B3411771B40606DBDB29EF6898C1BAE37B5AB58708F04007DFDD2AB245DBB29C40C754

Function 0110A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 4f8b458b92836243c0cca3f35e95216d13e3a5e928fae257fb9d392fb7bbb276
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 9241C732E00716DFD72ECF18D980A6AB7A9FF80214B05862EE952876C0EB70ED54C791

Function 010701F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f82bb3e468c7d06aab5299d76f717e774db971afd98c815ed36d976241f4d7
Instruction ID: 40f8012ceab0bfe59def9248ccaa6b1a959d2d7242fef0ff6cc704c2e7dd15b7
Opcode Fuzzy Hash: d9f82bb3e468c7d06aab5299d76f717e774db971afd98c815ed36d976241f4d7
Instruction Fuzzy Hash: 5B41BF36D00219DBDB14DF98C440AEEB7B4BF4A710F14826AF895F7244D7359D41CBA8

Function 01082750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 7ba1b8fe2524c41085c8c40ffd6863ce695ac6bcd61664f9ba9e2ca663b7ab9e
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 85517975A00219DFCB55CF98C480AAEF7F2FF85710F2481A9D995A7351D734AE42CB90

Function 01046154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4c91699bddf0438cf0c074e252e06f5f1eab7cc15a8137c035f1d156e9892c
Instruction ID: 393f2e50df372efd58f77e222a5eceb322bc03acff787aa842316ac08d024c8c
Opcode Fuzzy Hash: 5d4c91699bddf0438cf0c074e252e06f5f1eab7cc15a8137c035f1d156e9892c
Instruction Fuzzy Hash: 075116B090060AEBDB659B68CD40BE9BBF1EF06304F0482F5D5A5A72D5EB355981CF40

Function 0110866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 19e25e1f47648b772dfba23575beb68f12b54417bd232e541e095687e7c8578b
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 3E41DA75F04216ABDB1ADF99CC84ABFBBBAAF88300F154069E50097385D7B0DD01CB60

Function 01040887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76c3990f79e635004c9ef157a42fc034578204eb9a847fa0e93fd9e461f8b74
Instruction ID: eb63a0f42700faa81bc87399a494a64afd2e31632253fd375b49fa7b77a945fe
Opcode Fuzzy Hash: d76c3990f79e635004c9ef157a42fc034578204eb9a847fa0e93fd9e461f8b74
Instruction Fuzzy Hash: 6741C0F16007029FE725DF28C580AA6B7F5FF49314B108A7DE6C796A54E731E845CB90

Function 0106A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c8187cfc4551cbf25d59b8299d969e87c3efa22b8e7ef96d759014e6196a3e
Instruction ID: 90a13e84ccb82a694d8981e4fec350e9ddc9a899cb4683db2907d6e5c31e2bc5
Opcode Fuzzy Hash: a8c8187cfc4551cbf25d59b8299d969e87c3efa22b8e7ef96d759014e6196a3e
Instruction Fuzzy Hash: E941D031A41215CFDB25EF6CC8947ED7BF8BB58350F0401A5D4A1BB385DB34A940CBA1

Function 01038918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6fc614e4d62a7f4a4777a1b929334a9f50308848d41149b591e88dbc400f91
Instruction ID: 3451fbb1d882e2ce2cdf0e76bb4aa0408a64cd60534e77448314f550732db1b8
Opcode Fuzzy Hash: 6a6fc614e4d62a7f4a4777a1b929334a9f50308848d41149b591e88dbc400f91
Instruction Fuzzy Hash: 06415B315083069ED712DF649840A6FB7E8BF84B54F440A6BF9C0D7250E721DE048B93

Function 0103A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: ed82647c583c625eecce82aa50a3fbf087ee15dddda758242a6a5724ead56a46
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 51412A31B00211DBDF51DE58D464BBEF7A5EBD0774F1580AAB9C5CB240D6328D40D790

Function 010409AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5270402f2414ab2a11721388b70b9f705d7740322b6a9cb272b761d7f015dadc
Instruction ID: a27e8cd81255debc0c6bc4a8cdfdfe1ab1f5987b5d6db1849e6d1676af493260
Opcode Fuzzy Hash: 5270402f2414ab2a11721388b70b9f705d7740322b6a9cb272b761d7f015dadc
Instruction Fuzzy Hash: E2418EB1600701EFD761DF18C880BAABBF4FF54314F24896AE989DB251E771E942CB90

Function 01070710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: e5c45ee608db1a4760cd6ac9c11dfb90a14c55a81cd1efdd97444c11606e735b
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 3D411771E00605EFDB64CF98C980AAABBF4FF19700B104A6DE596DB694D730AA44CF94

Function 0104262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc4081f3260a33a1d695e25358e78e550bc448a0f2fa7a945b43ecfbd8fe5cf
Instruction ID: ee07361fa21ba0f1d33cf0747e67224d7e2cd17aaa38f95dc99bb0d0929ad6a9
Opcode Fuzzy Hash: 6dc4081f3260a33a1d695e25358e78e550bc448a0f2fa7a945b43ecfbd8fe5cf
Instruction Fuzzy Hash: 4341E4B0601705DFCB65EF29E9807A9B7F1FF88310F1081B9E4969B2A5DB30A981CF51

Function 0107C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe4d24bc379461cb77e2c3d3177627ff8f635f61912f5326fd16ef110eef02e
Instruction ID: 89fb49e765ff8ec877f4b9260757d9a059fde7e105570d2164075dfb94f91abc
Opcode Fuzzy Hash: bfe4d24bc379461cb77e2c3d3177627ff8f635f61912f5326fd16ef110eef02e
Instruction Fuzzy Hash: 57319AB2A00346DFEB96CF58C140799BBF0FB08718F2085AED159EB251D7369902CF94

Function 010C07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4433333fafa79653a380d28ecf4d4580be4191d69db514413d87d0f51812592d
Instruction ID: d5a45e851e82075374b4e74a95adddd063fab9e919e16ae0dfdb8d6f5216096a
Opcode Fuzzy Hash: 4433333fafa79653a380d28ecf4d4580be4191d69db514413d87d0f51812592d
Instruction Fuzzy Hash: FE418B71508305ABD360DF29C845B9BBBE8FF88654F008A2EF5E8C7294D7709904CB92

Function 010380A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b92e1ed1d5c0b6cf1dde94f219dbf20f69a2aa714ebe55cd9ca9dee8c149ab
Instruction ID: 246d77cca6562fa56c3be9bea4e44bcc0d32e6f147257b4b22a27ee6526731aa
Opcode Fuzzy Hash: a3b92e1ed1d5c0b6cf1dde94f219dbf20f69a2aa714ebe55cd9ca9dee8c149ab
Instruction Fuzzy Hash: 8741E371A055169FCB11DF19C880AADB7BDBF84760F10C3AAE895A7280D734ED418BD0

Function 010C05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ce69b287cefddbf2bd016d70de7704709d15802e296b7c8facd4b56a6c1b8c
Instruction ID: bcb6bea5a92b6ef95f5d72ce9747509abe0c08dbbc5dbffff19a489111b6df2f
Opcode Fuzzy Hash: 90ce69b287cefddbf2bd016d70de7704709d15802e296b7c8facd4b56a6c1b8c
Instruction Fuzzy Hash: FA41D2766086469FC320DF68C840AAEB7E5BFC8B00F14461DF9D597684E730E904CBA6

Function 01044859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fd834ea70553976eb80bed78d2cbf2c49fed8d1c11665c1fa7b6164e008309
Instruction ID: d7d07f7e2ceb94d4eea97a7a1a88bc1246be8f13e41871bbd1d092d3d0bc5622
Opcode Fuzzy Hash: e7fd834ea70553976eb80bed78d2cbf2c49fed8d1c11665c1fa7b6164e008309
Instruction Fuzzy Hash: D141BEB52003069BE725DF28D8C4B2ABBE9AF80364F1444BDEAD5CB291DB70DD41DB91

Function 010502E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: b6f28659952972395b5b026ea06015631fbd2668a5ed4e95a41d75cfa4039605
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 26310771A04245AFDB928B68CC84BDFBFE9EF14350F0481B5F899D7356C6749984CBA0

Function 010EE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bbeec31beaaf0bdc2c05e61af8583115ca58136a609f605122aefe8e5d03e2
Instruction ID: eab29afe006fe60444ae1864f923e71f7af9669656f05969f8d7d85786d79424
Opcode Fuzzy Hash: d3bbeec31beaaf0bdc2c05e61af8583115ca58136a609f605122aefe8e5d03e2
Instruction Fuzzy Hash: 7931A87175075AABD722AF55CC45FAF7AE8AB58B50F100028FA40AB391DBA5DC00C7A0

Function 010F4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d2db8b78e0d59d4f4d753c4d7d32bd7339795d8b37ed9fdc35c2592cc60e3b
Instruction ID: b1bf87eec50590e9973c4bc98601b5c72ef41e97e551e2fdaf1c7e58d404d50d
Opcode Fuzzy Hash: 17d2db8b78e0d59d4f4d753c4d7d32bd7339795d8b37ed9fdc35c2592cc60e3b
Instruction Fuzzy Hash: 1631BD326052059FC365DF19D881A6ABBE5FB80360F0944ADEEE5CBA56D730A940CB90

Function 01044260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a893bb2e3394515cbb2906b9dad37d1ae347d58e4fdfc1747358e1545c444e
Instruction ID: da1a2f3208e3fcfe04d97c83e376996bc3ba10422360b7ed22bd5e85a3dde4fd
Opcode Fuzzy Hash: d9a893bb2e3394515cbb2906b9dad37d1ae347d58e4fdfc1747358e1545c444e
Instruction Fuzzy Hash: 1141AEB1200B49DFD766CF68C880BDA7BE5AF49754F018469FAD9CB254C774E804CB50

Function 010BEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea7e0cfa5c73e0c30c40fcf1080d3417be34e6d6b922b801ec535c9277008ce
Instruction ID: c3acc7d97d8f9e577bcd1e90389f48f80318d1c42a822f8d3ee8cf065b1794ed
Opcode Fuzzy Hash: 8ea7e0cfa5c73e0c30c40fcf1080d3417be34e6d6b922b801ec535c9277008ce
Instruction Fuzzy Hash: 7631C0352016869BF362575CCD88FE77BE8BB40B80F1900E4ABC69B6D2DB28D841C234

Function 011061C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1518e9f53c55950bd6aa443e7aaf710f28f80a18a36c36edfe54903dda5956
Instruction ID: b5b59b7da04a3260d63d58f290733bb75497bf32acd32e7cc35d0bb173568da2
Opcode Fuzzy Hash: 6e1518e9f53c55950bd6aa443e7aaf710f28f80a18a36c36edfe54903dda5956
Instruction Fuzzy Hash: D231C675E0025AABDB1ADF98CC40BAEB7B5FB48B40F454168F940EB284D7B0ED51CB94

Function 010E483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016ba4eb8afddea8639da7c02e594d755e13a8b4f8ffde770fd4612ea60b0a1c
Instruction ID: a183070113818772713198a495795dbe5806520abe14ae35eff47a045ab900ec
Opcode Fuzzy Hash: 016ba4eb8afddea8639da7c02e594d755e13a8b4f8ffde770fd4612ea60b0a1c
Instruction Fuzzy Hash: 52316076A4012DAFCB61DF55DC88BDEBBF9AB98310F1000E5A948E7250DA309E918F90

Function 0106EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9530246a98f29ef48a6e258b7c683b4101c779703a59d71079aee3fbd6098a9
Instruction ID: 727a392404dc66e456673a2e36941bd9e8341c9c986a6579239b0c1452db70ce
Opcode Fuzzy Hash: a9530246a98f29ef48a6e258b7c683b4101c779703a59d71079aee3fbd6098a9
Instruction Fuzzy Hash: 5431A476E00319AFDB61DFA9CC40AAFBBF9EF44750F114465E995E7250D6709A008BA0

Function 011060B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d793af3e58028029d5e468323e81eb0b8b766916c854c30c6ec633b9b7735b85
Instruction ID: de68bc0106de69dc9200cc3767676450271337945cbe8c8804caeeb70dd2ba39
Opcode Fuzzy Hash: d793af3e58028029d5e468323e81eb0b8b766916c854c30c6ec633b9b7735b85
Instruction Fuzzy Hash: 8431C271B40616ABDB1B9B99C850BAFBBB9AF84754F014069E545DB381DBB0DC10CB90

Function 010407AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a1c3157d706249403b028d515718897ee785ae7184a080f81be7d71eb24291
Instruction ID: 1a401bfbd1878c2bc2e451b7016250a52569b63a2b6909cc6fe342424a463077
Opcode Fuzzy Hash: 45a1c3157d706249403b028d515718897ee785ae7184a080f81be7d71eb24291
Instruction Fuzzy Hash: 9531D1B2A04646EBD712DE28C9C0AEBBBA5AFD4250F01453DFED5A7214EA30DC0197E1

Function 01048550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0c060adc8e7e3b63844a0827d9caac02960a5d92ab96dedfd81171677c8764
Instruction ID: 3effb1a750069178c06fd99e5b5c4a83718bfc47c2fefbbab6f4d920d653227d
Opcode Fuzzy Hash: 9a0c060adc8e7e3b63844a0827d9caac02960a5d92ab96dedfd81171677c8764
Instruction Fuzzy Hash: AA318BB16093018FE364CF59C880B6ABBE5AB98700F458ABEF9C49B255D771E844CB91

Function 0107A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 990a601c7e0937988f200d7c286390b9c614fc5758a00ce25ee6de3d9889c9db
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 57311AB2B04B01EFD765CF69CD80B5BBBF8BB08650F08496DA59AC3650E630E900CB64

Function 0106438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95beca965332adb4b3b7422c92de46119b55874bc08f4d3eef5c632c0dfd7b42
Instruction ID: 322d642a02832b390d679218d84b5c8502022bfb340b487c218569f4a8a136b2
Opcode Fuzzy Hash: 95beca965332adb4b3b7422c92de46119b55874bc08f4d3eef5c632c0dfd7b42
Instruction Fuzzy Hash: 0031D431B003059FD724EFA9C981AAEBBFDAB84304F008529D585D7654DB30E941CB90

Function 0103C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11eee867daf8111bd60c51e641c2ad38e7ddcc377992e17a9f6cd0d8976d2b58
Instruction ID: 0688774a88a3456535531a73f78ca77076ea13c6ef0ceeaa5ecc8dd95f9a89fd
Opcode Fuzzy Hash: 11eee867daf8111bd60c51e641c2ad38e7ddcc377992e17a9f6cd0d8976d2b58
Instruction Fuzzy Hash: 333159B15402019BDF61AF68CC50BBDBBB4BF45304F8481A9DDC69B386EA34D982DB90

Function 010FC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 50a4b02e2562a149189d1ab3a89ad74eab1f85837dae5b1b37d67d7bc2c7bd70
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: A4212D3660065AA6DB15AB958902EFBBBB4EF80710F40801FFBD587951EA34ED40C760

Function 0103E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6ed11f7089cd884fd9e5ce7f68dd3cd430519a5f75923d1952c633456387e0
Instruction ID: 366f4cab238379fabcb8d43e2fa9393ec0e2558401794ba26c1c9088a7a17f4a
Opcode Fuzzy Hash: 8d6ed11f7089cd884fd9e5ce7f68dd3cd430519a5f75923d1952c633456387e0
Instruction Fuzzy Hash: 7E31A432A0152D9BDB359A18CC41BEE77BDAB59740F0102A1E6C5A7290D6749E808F90

Function 01074588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 73d9baebc00eeb2f01b35f01371fc9557a5cecdf5d7c36bc542961f55374e1bd
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 1B218D76A00609EBCB15CF98C980A9EBBA5FF4C314F108069EE55DB241D671EA158B94

Function 010744B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d270e73266abc654d4fe9d6da3a6a1352a498181a507ed76dd79e3979d33278d
Instruction ID: dfff5550ec9b98b13402a6cf20b3a67e46feacb5d0e2b423474baa4880c57c9b
Opcode Fuzzy Hash: d270e73266abc654d4fe9d6da3a6a1352a498181a507ed76dd79e3979d33278d
Instruction Fuzzy Hash: EF21D572A047459BC722DF18C880BABB7E5FF88760F014559FD949B642D730ED00CBA6

Function 0103E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 91bbc7b2b329b84d728ba8745dce31372d276cbd41b39048e4db729231ce28f3
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 3E317C31600605EFDB21DF68C984FAAB7F9EF85354F1445A9E6928B690EB30EE01CB50

Function 010BE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0283a6ee060407f0edd3c9843302cef75fef1d0cd4026182f29925fa0574ad3
Instruction ID: 521e329c58cd123bc7a32b182e6c389e2ddc18395ea744fee7ee48c314a975cb
Opcode Fuzzy Hash: a0283a6ee060407f0edd3c9843302cef75fef1d0cd4026182f29925fa0574ad3
Instruction Fuzzy Hash: 16318279A00206EFCB18CF1CC8849EEB7F5FF98344B15445AE8899B395E771EA50CB94

Function 010C06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a503d5ab6f4da3bb14922b832b124ef62aa96baea91f040fd979d6d5c93bdb6
Instruction ID: f38048c7032f627640a8d760712bc21eb8a4106012c5a6050fbd619474c35dce
Opcode Fuzzy Hash: 9a503d5ab6f4da3bb14922b832b124ef62aa96baea91f040fd979d6d5c93bdb6
Instruction Fuzzy Hash: 9E21AD75900229DBCF25DF59C881ABEB7F8FF48740B4000A9F981AB254E738AD41CFA0

Function 010C019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7d65ac67e2d303a7463cc818ce8e90dc1ba85c0b06680d499838be63ec50a0
Instruction ID: 46706bba567c77a080b4e3ea43050c4343d1f5d5811a0f61eccb9a1066b383b5
Opcode Fuzzy Hash: ce7d65ac67e2d303a7463cc818ce8e90dc1ba85c0b06680d499838be63ec50a0
Instruction Fuzzy Hash: FC218B75600645EBD715DB6CD840A6AB7B8FF88B40F1400A9F984DB690D634ED40CB64

Function 010C0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8be004dd6fd64babe94af149ccb965c76b9a701ad2a916994c492a8386f5297
Instruction ID: e339b1f26fc8b90aaef09a61dbafaf69adfac343285030a3203fb2190a380059
Opcode Fuzzy Hash: d8be004dd6fd64babe94af149ccb965c76b9a701ad2a916994c492a8386f5297
Instruction Fuzzy Hash: F121AF7690434ADBD711EF99D844BAFBBECAF91A40F08449ABDC0CB255D734D904CAA2

Function 01062835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2d142176a753f1d9e9b0b8795d5473caaecff24f573c18a6a3e200f915e8a4
Instruction ID: e9fb2720c02030d43f42e08d903aa73a65c04df100f94358672eeac41fca4bc7
Opcode Fuzzy Hash: 7b2d142176a753f1d9e9b0b8795d5473caaecff24f573c18a6a3e200f915e8a4
Instruction Fuzzy Hash: D321F931705681DFE362676C8C04B6A7BD8AF41B74F2903E4FAE29F6D2D768D801C250

Function 0107A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf567b623c1b3490afcb1d3a1c3ae4f1c9a73082f0dbf20a605c1f873474078
Instruction ID: 95b00ebcbe9b37fa2cef881833aa7cfcfe9597a9d0db8f624a950ff90abfaf0a
Opcode Fuzzy Hash: abf567b623c1b3490afcb1d3a1c3ae4f1c9a73082f0dbf20a605c1f873474078
Instruction Fuzzy Hash: 9E219A75600B01DBC729DF29C941B8A77E5EF48744F1884A8A589CBB61E331E842CB98

Function 010FA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b399a91d300f43dc7801ef31563a4530279b192e044d71997f12a01160239848
Instruction ID: c70d8498e64e93c7ea1691b3183dc7b6145743e95f33af6698a2e80fd6b1ada9
Opcode Fuzzy Hash: b399a91d300f43dc7801ef31563a4530279b192e044d71997f12a01160239848
Instruction Fuzzy Hash: FA113672380B11FFE72256589C46F6B7A9ADBD4F60F10002CB78CDB680EB64EC008795

Function 010C0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a580b83a2f771eed320c48e6e30d5c2d6ec4ab505a8215e2d76ad034016f8d50
Instruction ID: 83b7dcd65d836be60ac184adc313a1256ee7bb98c5ddab38ba92f7d0322c9bab
Opcode Fuzzy Hash: a580b83a2f771eed320c48e6e30d5c2d6ec4ab505a8215e2d76ad034016f8d50
Instruction Fuzzy Hash: 4821F6B1E10219ABDB24DFAAD880AEEFBF8FF98A00F10412EE455A7244D7709941CF54

Function 010D80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: b3091aec2f96ecb06a7be347f814bff246df01029d47e59df862a25321ba1b2d
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 22218C76A00209EFDF129FA8CC40BAEBBB9EF88350F20845AF980A7251D734D9509B50

Function 01070124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: c0ff34db420d71088eaa6692a21e9aa96479471e2a6029f153966931b2fec210
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 08110473A40605BFE7229F44DC40F9BBBB9EB81754F100029F6818B180D6B1ED44CB64

Function 01048770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bac8c7807a616712cc7e1975ba17d7271c61d94481ccbd209db35d110959893
Instruction ID: 145ff95340d3fc128dad36067bc4cfc6a5a944f6bc37b9ddc85a9cef9cbc6576
Opcode Fuzzy Hash: 2bac8c7807a616712cc7e1975ba17d7271c61d94481ccbd209db35d110959893
Instruction Fuzzy Hash: 4211C1B17006119BDB55CF8DC4C0A6ABBE9BF8A750B19C4FEEE489F204D6B2D901C790

Function 010480E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54a31fb051333b67f8b46637ef3e7503fe92ddefbbc21c48578ed231d7abf0a
Instruction ID: 50835b71d7fd6ff556007d8ad1541c6ef08a5d68d6fb8ec35a2baee17325932c
Opcode Fuzzy Hash: e54a31fb051333b67f8b46637ef3e7503fe92ddefbbc21c48578ed231d7abf0a
Instruction Fuzzy Hash: 71218EB1A00205DFCB14CF98C590AAEBBF9FB88314F2085AFD545A7320C771AD46CB90

Function 0107674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530eff1c2b2c623a0dd86e10fc826f45d8bd9af1e4c862d1aecc7c8ac57d21e1
Instruction ID: 375b902a9ccdd5d8bfd4d17b14dbe1f899250659e339a33351339ddec6e370f3
Opcode Fuzzy Hash: 530eff1c2b2c623a0dd86e10fc826f45d8bd9af1e4c862d1aecc7c8ac57d21e1
Instruction Fuzzy Hash: B5218E71900A01EFE7648F68C880BAAB7E8FF44390F44882DE5DBC7250DB31A940CB64

Function 010D6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85bd57bbb4d2bfacc7d22da9395b0afcd4e4b3392132a757a1974c5fb69c5e5c
Instruction ID: 29d9c0b8a9516512e36f4c49147dff1d090049431c67d746ede5656630f861f8
Opcode Fuzzy Hash: 85bd57bbb4d2bfacc7d22da9395b0afcd4e4b3392132a757a1974c5fb69c5e5c
Instruction Fuzzy Hash: 3711A332240714EFC722DB6DCD40F9AB7ACEF99B50F114065F685DB251DA72E901C790

Function 0106E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232e4c235c1c37d30a30fc3140b0d5ba9d1dd7fec597089fd2e60d3146aabd83
Instruction ID: ad0a31268c168fe70d638202e96f24b4bc500691e223c641075e4efab55c4d1a
Opcode Fuzzy Hash: 232e4c235c1c37d30a30fc3140b0d5ba9d1dd7fec597089fd2e60d3146aabd83
Instruction Fuzzy Hash: 31116F373001159FCB1ADB29CD40A6F729BDFD1370B64852CD962DB240E9308802C7A0

Function 010766B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64975f371ca0663c157ca76dd430839178859a071b451ffc22d0c1966f97854
Instruction ID: 9449bb0e0fae240d9bbe20ec27de5529b45fd788ad371c6996ac3d3c8e202aa5
Opcode Fuzzy Hash: f64975f371ca0663c157ca76dd430839178859a071b451ffc22d0c1966f97854
Instruction Fuzzy Hash: B611E376E01A45EFDB69CF59C580A5AFBF4FF84690B1140B9D9869B314E630DD00CB94

Function 0110A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 39e3f28df88b55835f67e31206577cbbd50ad65078e562cd8a9fe10a2d4a57f9
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: DB110836A00509AFDB19CB54C801B9EBBB5FF84310F054269EC4597380E771BD41CB80

Function 010CE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 83fcc5f08ff1a8f8fd9b9fd0dcb0bba8fb68bb5eba3493072d29ffbf345e4d96
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: B4118C32601601EBEB619B48C840B9FBFE5EB45B54F05846CEA8D9B260DB31DC48DF90

Function 010627ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7036803cf3692e40a5e1eb0da33921251a14f5fd6fdb6d970f1ef404b8dab0a3
Instruction ID: e976a9b800bf50f49c91f6704b6b819c8459dafc0e9983381a7b4c69ca7664d2
Opcode Fuzzy Hash: 7036803cf3692e40a5e1eb0da33921251a14f5fd6fdb6d970f1ef404b8dab0a3
Instruction Fuzzy Hash: 2501A171706645EFE326A2AD9C84FAB7A9CEB90794F4500A5B9C28B291DA14DC00C2B1

Function 01044690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca5cbc74ddfca9b6101087d2ca21519801d11a0ab3e7cd43e246632af49142c
Instruction ID: 8d94711860e096ccdee4e1c62822ef7dd50d178d10cbbb2c6586737246d5858e
Opcode Fuzzy Hash: bca5cbc74ddfca9b6101087d2ca21519801d11a0ab3e7cd43e246632af49142c
Instruction Fuzzy Hash: 7011ACB6241645AFDB2ACF59D880B567BE8FB8AB64F004169FA84DB350C374E841CF60

Function 01114B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84016ccffab7b5af8cb9f22eb32b997af89aea0bd49a9f0b731198127b594c59
Instruction ID: a67a0c867b26a723e9758e6d0aa7c32f9923592ef655e99e2b35f8b2dcbb0372
Opcode Fuzzy Hash: 84016ccffab7b5af8cb9f22eb32b997af89aea0bd49a9f0b731198127b594c59
Instruction Fuzzy Hash: 2811C6362006159FD729DA69D840F57F7A5FFC4B21F194439EA8687A98DB30A802C794

Function 01076620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dca47442059a5093bddd1636042ac849bf98ef988320b81213f2281b223941
Instruction ID: f6d318ccc7b918a6d6cb8fccde288bce9cb1db3f940305747176cf8477006ba5
Opcode Fuzzy Hash: 86dca47442059a5093bddd1636042ac849bf98ef988320b81213f2281b223941
Instruction Fuzzy Hash: 08118276E00B15ABEB61DF59C9C0B9EFBB8EF88750F904469DA46B7200D731AD018B64

Function 0106E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 764ea19e5741353ebdb1339fc0cf65ff5a33cd7d0864f379983f32bd86a76f1d
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 0D11A9752017C39BE763975CD554B6E77E8EB51794F1900E1EDC18B652F728C842C260

Function 010CE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 474e549885fcc661a1d18d80cdbab674f9298f9bf13a5629dcc18cf9a129255e
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: B701C032600105AFEB619B58CC40B9E7EE9FF44F50F158278EA859B260E771DD40CF90

Function 0103A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 0c89702518950b0eb0aaaf941493b830593ad91fed9eac438df644957931d9f7
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 63010032604B22DBCB618F1D9840A6A7BE8EB95B707008A6DFCD5CB281C331D800CBA0

Function 01114940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7b413cd0305847abb7f12ae382a3e4f2d06e930e579478576b1b20e32943ae
Instruction ID: 46d049268026f1d6493b5d4e08a58a9517926353cbbe9aa5920e5230eff6f54f
Opcode Fuzzy Hash: 0f7b413cd0305847abb7f12ae382a3e4f2d06e930e579478576b1b20e32943ae
Instruction Fuzzy Hash: F00126724415099FC73ADF1CC800E52FBAAEB89B70B254235E9A89B59AE730D801CBD0

Function 010BE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c87d9d12c0c9de9bf92c036cea023410309e39b32e8b6b424954dc1e5601d4c
Instruction ID: 88e93367cb5eb5259233aba2c1a0868233d5c11e6cc553753040667c8f578669
Opcode Fuzzy Hash: 9c87d9d12c0c9de9bf92c036cea023410309e39b32e8b6b424954dc1e5601d4c
Instruction Fuzzy Hash: 7111A132241241EFDB16EF19CD80F967BB8FF54B44F2000A5FA459B651C335ED01CA90

Function 01046259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dce7e87370583d70e6b571c8498d6fa92d386d6d13e3c8aad46659a29473d93
Instruction ID: 9828f50801038c5d69a5142ba20c7a570a982a2867a1569c4ea6e6a2161db0e1
Opcode Fuzzy Hash: 5dce7e87370583d70e6b571c8498d6fa92d386d6d13e3c8aad46659a29473d93
Instruction Fuzzy Hash: 0E11707164621DABDB65EB64CD41FE973B4BF04710F5041E4A394AA0E0D7709E81CF84

Function 010C6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63ca2a0da79b1091f0be7a54f3b7697898b4013f509d1c53f89be51a5d6809a
Instruction ID: 23ca9a9059e3adacc48f5280baa7c1be25fa0c0e02232cce493a803151032956
Opcode Fuzzy Hash: d63ca2a0da79b1091f0be7a54f3b7697898b4013f509d1c53f89be51a5d6809a
Instruction Fuzzy Hash: 9E111772900019ABCB26DB94CC84DEFBBBCEF48254F044166A946A7211EA35AA55CBA0

Function 0104208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 30eba8f9e076e999744017e264eb4b30327bd2b87cf92166614cc97217b3d319
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 3501D2723002018BDF559A69E8C0A967BE6BFD4710F1541B5FD81CF247DA718881D390

Function 010D6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbb54518a72775612294a3c107a4812a9216271198ec3e92f966607d6ba828e
Instruction ID: ef65f4555e924a6df2362df3b6c98892a0c2976adbd27e00188e69b8e5196793
Opcode Fuzzy Hash: cfbb54518a72775612294a3c107a4812a9216271198ec3e92f966607d6ba828e
Instruction Fuzzy Hash: E711A1366442469FD711CF58D800BA6BBF9FB5A314F488199E8898B319D732EC81CBA0

Function 010CC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfe3b6372919ee98dd73d2c11ad58b00422234a1194867fe3dabc66e1a0fb5b
Instruction ID: cc75f4fc8a213dd70b2128f94d26a7d8685f81476f6aab0576b4308d34b57a15
Opcode Fuzzy Hash: bdfe3b6372919ee98dd73d2c11ad58b00422234a1194867fe3dabc66e1a0fb5b
Instruction Fuzzy Hash: 421118B1A002099BCB04DFA9D541AAEBBF8FF58750F10806AB945E7351E674EA018BA4

Function 0103C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: f37509742fa7ede827ff49e3e9353d2ca5be22839f55fd2a7640252cd84a813f
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 8501F5322007459FEF6296AAC900AA7B7EDFFC6250F04445AAAC6CB540DA70E502CB60

Function 010820F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39fb01b36502b72207676b6ca985229a4684ab22e3639491da57a51ca38619d
Instruction ID: 1e1fdeefbba2a7d27e269e4926f1b296c637e5acf22c9414363a95fa723b8356
Opcode Fuzzy Hash: f39fb01b36502b72207676b6ca985229a4684ab22e3639491da57a51ca38619d
Instruction Fuzzy Hash: 0A11AD35A0020DEBCF05EFA4C850BEE7BB5EB54340F104058F9819B280E635AE01CB90

Function 0107E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43c1fe4d0f13f844e4bd3db475da6e9579ce6109844e55cc315d69dcdc07767
Instruction ID: e47d35ee0b79a406dacce34cb477fda5f1d3f0ccd284697bbcd34d039e85ef47
Opcode Fuzzy Hash: f43c1fe4d0f13f844e4bd3db475da6e9579ce6109844e55cc315d69dcdc07767
Instruction Fuzzy Hash: A701F7B1601605BFC351AB79CD80E97BBECFF996A47000565B64587550DB34EC11C6E0

Function 010D69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cf2af1f3f05c20b7a993cf736827ff51714e4265d92400e0c622b5c778911e
Instruction ID: 0602daa933930d834547fd3b78d3471ef67c898e37071d57e7d7fde3abec741d
Opcode Fuzzy Hash: d3cf2af1f3f05c20b7a993cf736827ff51714e4265d92400e0c622b5c778911e
Instruction Fuzzy Hash: CB01F0322143169BC364EF6DD4449A7BBE8FF58660F114129F9D587280E731D905CBD1

Function 010CC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c52933e411a245044d92c980f23a5f3b706bfa27a8c96e97640a870ca2cea1
Instruction ID: 8d3a9dfb45bda67bcd9c017d3a9d90c8d97af65bd8da7e89928eaefc4c5b2a78
Opcode Fuzzy Hash: 66c52933e411a245044d92c980f23a5f3b706bfa27a8c96e97640a870ca2cea1
Instruction Fuzzy Hash: AA115B75A0020DABDB15EFA8C954EEEBBB5FB48740F008059FD8697340DA35ED11CB90

Function 010CC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b7c74dfc844271d3e95086d40faea8823cd682b9be2a46693ae43cf5f135ea
Instruction ID: 58c3198c941885e25b6feafbf17a29f46464e372874d7380b2181b64c43c1000
Opcode Fuzzy Hash: f0b7c74dfc844271d3e95086d40faea8823cd682b9be2a46693ae43cf5f135ea
Instruction Fuzzy Hash: 08117C716083099FC700DF69D44199BBBE4EF98710F00451EB998D7350E630E900CB92

Function 0105E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: f89ff16f28014c79a49d1d7805390748ee1104365fd5289253aac0e93a6aceab
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 7B01BC32200580DFE7A28B1CC908F2BBBE8EB44744F0994A5FAC5CB691C628DD80C621

Function 0103826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160ff7f9eebe26b85be0fbfbbddfc9c318a3d409aa2e39732eeda6af27315629
Instruction ID: e103e4c5b312c44d649647340acb7caab52187d0fb06bc5650d3fef513f62c4a
Opcode Fuzzy Hash: 160ff7f9eebe26b85be0fbfbbddfc9c318a3d409aa2e39732eeda6af27315629
Instruction Fuzzy Hash: F0018431B14605DBD718EB6AD8109AE77EDEFC0610F15C1AAE981A7744EE70D901C690

Function 01042582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e61c7485699c2fff80763632b4b670c66bbc783878af9460b99813613456061
Instruction ID: 284938b8fdd18a68894c4e30f0c208830b574b8aaccef9e847cb1830f809db43
Opcode Fuzzy Hash: 6e61c7485699c2fff80763632b4b670c66bbc783878af9460b99813613456061
Instruction Fuzzy Hash: 22F0F972741711B7C7319F569C80F47BEA9EB84B90F004028B6459B600C630ED01DBE0

Function 0106C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: e3e95dae51472c3c6ee681ce72af20502578e08c043607e1731483bbfaa2ae22
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 49F0C2B2600611ABE325DF4DDD40E67FBEEDBD5A80F048168B585C7220EA31ED05CB90

Function 0103C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 8f1fc6fa2c87bb14966fd22378072861ed2971511fa835263b197b8b163171b9
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 79F0FC332046239BF732165A4940B6BAA9D8FD2B64F194037F685FB200CE708D0157D1

Function 0111634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa84f43f4f33f06228a6ab3ba99fc91edc4092efeb462c5de5372ef90f20ca8a
Instruction ID: 5db07d25e343c93e58fe71ee30ef70dee562530b7d1942117c0ed96e2a52794b
Opcode Fuzzy Hash: fa84f43f4f33f06228a6ab3ba99fc91edc4092efeb462c5de5372ef90f20ca8a
Instruction Fuzzy Hash: CD015E71A14209ABCB04DFA9D451A9EB7B8EF58300F10402AB904EB350D6749A018BA0

Function 0111625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9329e1fe8820bf600ada05845c46c6af45b610b7ad16a8e84e4914a3bec0bcfc
Instruction ID: 2bc6c3854ece4afc6bc252dd39cfa958e05f577d873acc923644037b2ed8d373
Opcode Fuzzy Hash: 9329e1fe8820bf600ada05845c46c6af45b610b7ad16a8e84e4914a3bec0bcfc
Instruction Fuzzy Hash: C7017171A0020AABCB04EFA9D451AEEB7F8EF58300F10402AF900EB350D674E901CBA0

Function 011162D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a59b6986de4f74a0f93022be5ed8c9a134d896f805f4ad5fdcb3ac0a3ed3b2
Instruction ID: b50a988413052cac61adc74bface4a4f142e00821972f474c1e2c365b0247d64
Opcode Fuzzy Hash: 06a59b6986de4f74a0f93022be5ed8c9a134d896f805f4ad5fdcb3ac0a3ed3b2
Instruction Fuzzy Hash: 2D017171A14209ABCB04DFA9D441A9EB7F8EF58300F50402AF914EB350D674D901CBA0

Function 011161E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120d49f78b58288e90bdb7b656f11d966a6c859b7b2a759ca8ae4a28e90faebd
Instruction ID: a7ba21a9c089a13957ec710e24819f633583e5ca5f51319cf4a6fb2ff85f076a
Opcode Fuzzy Hash: 120d49f78b58288e90bdb7b656f11d966a6c859b7b2a759ca8ae4a28e90faebd
Instruction Fuzzy Hash: 73018471A042499BCB04DFA9D441ADEB7F8BF58310F144069F541EB380D774EA01CB54

Function 010CA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ce3145d27a971a34db691baf40839c44ffb6a7ee82fd7071c07e3054f3e8fd
Instruction ID: 1f4efe8d362685f5ee802d162d55f1059aa81cf9763e63182d8b049de8b53a37
Opcode Fuzzy Hash: f0ce3145d27a971a34db691baf40839c44ffb6a7ee82fd7071c07e3054f3e8fd
Instruction Fuzzy Hash: 8001783620010DEBCF129F84D840ADE7FA6FB4CA64F058215FA1866224C632D961EF81

Function 0103C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1294553cd4c0f3a9d201a2daf8b011de9da2432d107e571b35805a60b14d985
Instruction ID: 201ebbcf3858bd290330f151415098d786eb0d51f702dcecb55ba90405d5b415
Opcode Fuzzy Hash: b1294553cd4c0f3a9d201a2daf8b011de9da2432d107e571b35805a60b14d985
Instruction Fuzzy Hash: 65F024723042815BF7519619DE11B6233DEE7C2750F6980ABEB85DB2C5E9B5DC018394

Function 0107656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba18c100c01cc95375c81767ba0656cb335faa94a937ffac6beb3b917511918
Instruction ID: c8ded7202e69e682419b83ffa87ff5130b05d2a649cfd7a3843282416357f8e8
Opcode Fuzzy Hash: 7ba18c100c01cc95375c81767ba0656cb335faa94a937ffac6beb3b917511918
Instruction Fuzzy Hash: 8101A470605A82DFF3A2AB2CDD48BAA37E4BB40F44F4841D0BAC3CB6D6D729D541D618

Function 010E437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: ad6a814041cb047ce13f783718a0c99b27c30ffa765bdf4112f4e5e4b1749471
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: D3F0E935741E134BE7B6AA3F8854B2EF6D5AFD0A40B15856C96C1DB640DF20D80087A0

Function 010CE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 9227e8900d41da200dc08459f8f0401f87f2919cbd72c05d882c27347f23276c
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 6EF054327115119BD3719B4DCC80F1BBFA8EFD5E60F590079AA489B260C760EC05CBE0

Function 010CC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fada23a74ef423031be1aaacf91cd61dc8aec212ed8c18914e5c268d8c54ce35
Instruction ID: c8fae3b8941c26a57bbc0a4eded5e24aac995fcdfa051afea371413f3b92823e
Opcode Fuzzy Hash: fada23a74ef423031be1aaacf91cd61dc8aec212ed8c18914e5c268d8c54ce35
Instruction Fuzzy Hash: A8F08C706093049FD354EF68C542A5FB7E4EF98710F40465EB8D8DB394E634E901CB96

Function 01070854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: e85768d66b6e34d597982ed013d3f4b46732c5048198ff4a4d95be6cf521d466
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 9AF0B4B2A10204AFE754DB25CC01F96B6E9EF99340F14C079A9C5D7264FAB1ED01D658

Function 010CC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ad396e73c84d4104be13181688afb5cdbeb55a67ba3f50ff15a3d8b9f6f915
Instruction ID: 31ce65604cd3863cc53b3518be93d09810083a6d337a3393d3eee6abee125398
Opcode Fuzzy Hash: e6ad396e73c84d4104be13181688afb5cdbeb55a67ba3f50ff15a3d8b9f6f915
Instruction Fuzzy Hash: 62F0C270A0020DDFDB04EFA9C515A9EB7F4FF18700F008069B899EB385EA34EA01CB50

Function 010447FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1753ef4b4d92fd9b2660ca0afbafe71a5874a6be3c7d74191ccd0e5a2d2ed1
Instruction ID: 8cdf1ed9426176b6d12ac83632c6e502fd2d7f3a200ed402b538bebe71c4d8cd
Opcode Fuzzy Hash: ab1753ef4b4d92fd9b2660ca0afbafe71a5874a6be3c7d74191ccd0e5a2d2ed1
Instruction Fuzzy Hash: B2F09AB19166E59FF7B28F6CC084B6ABBD49B00A24F0889BED9C9C7942C775D880C650

Function 01100115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7900247587c1ec3a7f5598249e5c2f18558525250656bd97485c896458ff8128
Instruction ID: 2424ac5bb738533d46458f278b8130d8dc31d6884501fd104de77871ba0efbb9
Opcode Fuzzy Hash: 7900247587c1ec3a7f5598249e5c2f18558525250656bd97485c896458ff8128
Instruction Fuzzy Hash: A8F02776819A851ACB3B6B2C69613D12B65A749170F0A1099D5B467249C7B8C9C3C324

Function 0107C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1508f47cf756a0e0ba8a83e6e139c225a3a82c1d90d8d759b1f4f10f41081ae9
Instruction ID: 22f52fad281432a134188c2b25cb74c2bff5a920a7244e338582ae4cbfeb266b
Opcode Fuzzy Hash: 1508f47cf756a0e0ba8a83e6e139c225a3a82c1d90d8d759b1f4f10f41081ae9
Instruction Fuzzy Hash: 43F0E271D116979FF3B2971CC3C8B51BBD4AB087A4F0994A5D9C687512C374E880CA58

Function 01082619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 79ffb098902f086ea4623719c255003d81537750991b525c39ea98933e91dc79
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 2CE0D8723006412BE712BF598CC4F9777AEDFD6B14F040079B9445F251CAE2DC19C6A4

Function 010D6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 64093b4a3e625ce8d7c6b3b9711f15bd9ad920618cc06138b08da56229ec310c
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 98F03972154304AFE3218F49D984F97BBF8EB05364F46C06AF6499B661D37AEC40CBA4

Function 01040710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: c9728a6e430302555c6b66335f4e3b4b28815670e58233d99408504362513cee
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 8EF0E5796043459BDB16EF19D090ADA7BE4FB41360B0000A4FDC28B341D731ED82DB51

Function 010749D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 2d1ca84ac304a7810eb6293999e8b71fa796d552ac3d1a301e149a46f70614a4
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 39E0D832A54185BBD3223A598800B6A77E5DBD47A0F150429E680CB160EB70DC40D7DC

Function 01114164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39835a30b83bb21bc4b467ad1544013ae105d3aebb187ef90a2d7dc977e52c5e
Instruction ID: ee7f318aab00b9e7faf703873912becfe5f33c92e90437137f43f694caca91d5
Opcode Fuzzy Hash: 39835a30b83bb21bc4b467ad1544013ae105d3aebb187ef90a2d7dc977e52c5e
Instruction Fuzzy Hash: 80F0E535A265A14FE77AD72CD140B52B7E0AF10F30F1A09B4D44887D1AD334FC40C650

Function 010E678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 521b49ebf2fd4a55240f859d528b0aee46779cab7abff58d6a327a0a701161f1
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 81E0D832A40110BFDB2197598D05F9BBEECEB64F90F050055B640D7090D531DE00D690

Function 011108C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 7201d80ee83db45207e8034349bd55b3676c1ae48f6131b2ccac16d3f410a7fe
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 4CE09B31E443509BCB298A2DC140A53F7E8DF9D664F15807DEE0547616C331F882C6D1

Function 010425E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec10e3803aa296ca4c8eb9e81af701f43b97ccca37cb60c0fae2af8c6cd7e1a0
Instruction ID: ef4e170351c8ec4b3b9d978e886250158c7559faeeefaa6b3749a39197b66a4d
Opcode Fuzzy Hash: ec10e3803aa296ca4c8eb9e81af701f43b97ccca37cb60c0fae2af8c6cd7e1a0
Instruction Fuzzy Hash: 54E09272100554ABC322BF29DD41FCB7B9AEF643A0F014525B19597190CA30AD50C794

Function 010FA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 40cdd9ca6205d04d4454c3b2cc89f16d0c365c5d2c45beafd14c17578b2a3a69
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: E3E09231010612DFE7726F2AC908B96BBE0BF90711F148C6CA1DA028B0CB75A8C0CB40

Function 010C4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 6e3125afa164df1b71008c109b1eb6b35f9cf1318f1f2632e06701387e5fda41
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: C5E0C2343403058FE755CF19C054B6A7BF6BFD5A10F28C0A8A9888F205EB32E842CB40

Function 0103823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 181aca05b676d2bb7a6c0304adfc101367a10a298813b9b2cc9640dd55459eab
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 63E0CD31005514DFDB313F16DC00F9576E5FF94B50F11899AF0C10606487745C81DB44

Function 01042050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacb9c3b306b9fb1eb0dbef7e14922d8100e9be217caf384905d691df8fe1db0
Instruction ID: 7baa4d925f4df282344c549577d2fbed37ef7efa9151cefe9f5a0960f32dab82
Opcode Fuzzy Hash: bacb9c3b306b9fb1eb0dbef7e14922d8100e9be217caf384905d691df8fe1db0
Instruction Fuzzy Hash: 57E0C272200454ABC312FF5DED40F8A779EEFA43A0F000131F1909B294CA20AD40C7A4

Function 0107E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 3def79f25d30c641fbf3d6f724376eae79580ad92aeae9388dddc64b7ee20681
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 93D0A932604624ABDBB2AA1CFC00FC333E8BB88760F060499B148CB250C360AC81CA84

Function 010BE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: b42fa147ebfacaeba243fbd297e7d1a12b3ce1c4aa04b480a217999b1ede9d63
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 1CE0EC75950684ABDF52DF59C680FDABBF5FB94B40F150098A5885B660C624A900CB40

Function 0103A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: d1de7c2d7b56da2d165912cb5be6a6fe4ce2559227f2b230c77d212245aa0b4e
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 06D02232312030D7CB6896556800FA7AE09ABC0BD0F0A006C388AD3800C0048C82C2E0

Function 0107A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: fc53108840f1ba3cb42f86047c2cd37d90e6e05a7927ecacaa70e79e9f2872bf
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: B6D012371D054DBBCB119F66DC01F957FA9E764BA0F444020B9048B5A0C63AE950D684

Function 010502A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: b494a841dcb875603fd6d09d200426d71a971bc24d41e1e3f62cc62b9f72e09c
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 7ED09239212E80CFD7AA8B4CC5A4B1A73E4BB44B84F8504D0E881CBB26D668D940CA00

Function 0107C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: e0501c8fda940c147429875a29b2198020a12a512891a49d2b95eabcbe7bb98d
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: E8C01232290648AFC712AA99CD01F427BA9EBA8B80F000021F6048B670C631E820EA84

Function 01060310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: d0cdef0b9a952174ce4f1b577020da23cf605bb6cd133a7d1e39a3f314c089a4
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 54D01236140288EFCB05DF41C890D9A772EFBD8710F108019FD19076108A31ED62DA50

Function 01040750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 13597b650119b157a5a2c1690f690789aa0240fee1e33f50ea6d13edade78c21
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 3DC04C797015458FCF55DB19D294F4677F4F744740F1508D0E985CB721E624EC01DA10

Function 01084340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728aab9da256547133054e12e89f31de773d4cde8f85612b37a4069530af925a
Instruction ID: b9725b00107d3c335849abdc36cedb62062be74282174883e319a39aa1b72cbd
Opcode Fuzzy Hash: 728aab9da256547133054e12e89f31de773d4cde8f85612b37a4069530af925a
Instruction Fuzzy Hash: FF90023160580412A640715888945464005A7E1301B55C012E0C28564CCA188A566365

Function 01084650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282ce045d4ada7f2305256a85b3c9675de3b8e40a23a5bbc8167d2deaf62a5e1
Instruction ID: 37f80f76da53c481a3d7267f683a957689b6474bef4ecd18c1d456a040b9e666
Opcode Fuzzy Hash: 282ce045d4ada7f2305256a85b3c9675de3b8e40a23a5bbc8167d2deaf62a5e1
Instruction Fuzzy Hash: DD900261601504425640715888144066005A7E2301395C116A0D58570CC61C8955A36D

Function 01082890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0108293C
___swprintf_l.LIBCMT ref: 0108295E
___swprintf_l.LIBCMT ref: 010829A3
___swprintf_l.LIBCMT ref: 010BA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 010BA54E
::%hs%u.%u.%u.%u, xrefs: 010BA527
:%u.%u.%u.%u, xrefs: 010BA5B8
ffff:, xrefs: 010BA504

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 679f5d4b00d24db3f61c644d6624c57ed557f39a87b3bc1c2039267779385d2d
Instruction ID: ffa97f818d90a04fbffcf25d32b731d9660d01a52c319143d3d3e62808785a3c
Opcode Fuzzy Hash: 679f5d4b00d24db3f61c644d6624c57ed557f39a87b3bc1c2039267779385d2d
Instruction Fuzzy Hash: ED51D5B1A04116BECF21EB9D88909BEFBF8BB49240B108269F4E5D7645D334DE50CBA0

Function 010F2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010F24A6
___swprintf_l.LIBCMT ref: 010F24E2
___swprintf_l.LIBCMT ref: 010F257D
___swprintf_l.LIBCMT ref: 010F25A3
___swprintf_l.LIBCMT ref: 010F25C8
___swprintf_l.LIBCMT ref: 010F2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 010F24DA
::%hs%u.%u.%u.%u, xrefs: 010F249E
:%u.%u.%u.%u, xrefs: 010F25FF
ffff:, xrefs: 010F247D, 010F249D

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 563ef053bb1b51a71233a2bed1cae4cd62e348ba213f5102d3686e355871bcec
Instruction ID: 4ee9fb3592d1ccf557ad89f7c3621ae8fa5c782ed21e17602f06d961d8544d1b
Opcode Fuzzy Hash: 563ef053bb1b51a71233a2bed1cae4cd62e348ba213f5102d3686e355871bcec
Instruction Fuzzy Hash: F6510775A04645AFCB70DF9CC8919BFBBFCEF44600B44849DE6D6C7A41EAB4EA408760

Function 01116940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 45f49934d594687de22ddabd5bdceb85c17ea8c102f1e12df187d981e32e7d70
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: AB020571508342AFD709DF18C490A6BFBE5EFC8704F458A2DF9858B258DB72E905CB52

Function 010F20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010F214F
___swprintf_l.LIBCMT ref: 010F2172

Strings

[, xrefs: 010F212B
%%%u, xrefs: 010F2146
]:%u, xrefs: 010F2169

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 3fed4026258519a0659005171f6e8dede83ac95ae49a978f092c600f2d42eeb5
Instruction ID: 8593e3d3c1e26b256d98dfbaf9bba530eb246a48f2972c3ec5448c0ae9581b7f
Opcode Fuzzy Hash: 3fed4026258519a0659005171f6e8dede83ac95ae49a978f092c600f2d42eeb5
Instruction Fuzzy Hash: 5C21517AA00119ABDB11DE69CC51AEEBBECBF64640F44016AEA85E7600E730D9418BA5

Function 010F2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010F238D
___swprintf_l.LIBCMT ref: 010F23B3

Strings

]:%u, xrefs: 010F23AA
%%%u, xrefs: 010F2384

Memory Dump Source

Source File: 00000004.00000002.2282496705.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1010000_AddInProcess32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 9a1975fbb914e2b226e6fb6eb06b3583c1cf193a4d011f275980a022cce8e831
Instruction ID: fcb123df296fecc0dc6021b719713dd77930b11c5631763f40793b276b8d22a6
Opcode Fuzzy Hash: 9a1975fbb914e2b226e6fb6eb06b3583c1cf193a4d011f275980a022cce8e831
Instruction Fuzzy Hash: 31316672A006199FDB60DF2DCC51BEE77F8EB54610F45459AE989E7240EB30EA448BA0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Orden de compra.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de compra.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Orden de compra.exePID: 4332, Parent PID: 3968

General

Chronological Activities

Analysis Process: AddInProcess32.exePID: 1268, Parent PID: 4332

Windows Analysis Report
Orden de compra.exe

Function 0BE1003B Relevance: 5.5, Instructions: 5546
COMMON

Function 0BE10040 Relevance: 5.5, Instructions: 5545
COMMON

Function 0BA10040 Relevance: 5.2, Instructions: 5226
COMMON

Function 09E02CE0 Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Function 09E0A240 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Function 09E02CD0 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Function 09E09C68 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Function 0BA17CFF Relevance: 1.6, APIs: 1, Instructions: 75
fileCOMMON

Function 09E0C1C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 09E0B778 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 09E0C940 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 09E0C6B8 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON