Edit tour

Windows Analysis Report
Fm9MoDgH7O.exe

Overview

General Information

Sample name:	Fm9MoDgH7O.exe renamed because original name is a hash value
Original sample name:	d36ab0bd58ada2d5fb9f6560c8d8bf30N.exe
Analysis ID:	1502473
MD5:	d36ab0bd58ada2d5fb9f6560c8d8bf30
SHA1:	4a5bba862c57082a57dbc212d5ea77bc8052e2c3
SHA256:	5f21ac1f06ad83af166db002e2c7a8cd0bd3473f996599ee20c081f8a781a1ed
Tags:	blackmoonexe
Infos:

Detection

BlackMoon, Petite Virus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected BlackMoon Ransomware

Yara detected Petite Virus

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to detect virtual machines (SLDT)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

PE file contains sections with non-standard names

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Fm9MoDgH7O.exe (PID: 5596 cmdline: "C:\Users\user\Desktop\Fm9MoDgH7O.exe" MD5: D36AB0BD58ADA2D5FB9F6560C8D8BF30)

m2mwu.exe (PID: 5672 cmdline: c:\m2mwu.exe MD5: 3E788A1E5AFDF4021F750BA94AB81F8F)

re8eo.exe (PID: 4268 cmdline: c:\re8eo.exe MD5: 2774E1DF05B90D037936F23A60ACA218)

4vd771.exe (PID: 2016 cmdline: c:\4vd771.exe MD5: 8CA128B45B8C3C2B4ACA30C66BA6179B)

qnd197.exe (PID: 2680 cmdline: c:\qnd197.exe MD5: 900DAA7A88FB5B3C0AA6AE5968FA0D99)

oaweb.exe (PID: 5780 cmdline: c:\oaweb.exe MD5: 6AE0C9D019D7C2D712A7EEEDD811C257)

36hmq.exe (PID: 1612 cmdline: c:\36hmq.exe MD5: DA8DE9AE678FE5F5DA23AD1426CA4F01)

4uoic.exe (PID: 5408 cmdline: c:\4uoic.exe MD5: 681A984C6E80FCBCBD03EDD8DEDBA853)

w7711.exe (PID: 1860 cmdline: c:\w7711.exe MD5: A3A8E703FEE41784385625A8AB8B718A)

isqwt.exe (PID: 4900 cmdline: c:\isqwt.exe MD5: 2DEC8CCF9A6F8E1CEFD741ECDD527A14)

s1oaw.exe (PID: 6716 cmdline: c:\s1oaw.exe MD5: B916674C0CCC23124E9A9510B6E8AABB)

559900.exe (PID: 1732 cmdline: c:\559900.exe MD5: A0F307EFB8E960701E12A429D4B7DEB0)

spf19.exe (PID: 1260 cmdline: c:\spf19.exe MD5: 1BD31A93D44DC461A7A61DCF3E4FEB0A)

93344.exe (PID: 3164 cmdline: c:\93344.exe MD5: 0E2CAD1FD4DE2E62B83C30E9B8E563E4)

6r61155.exe (PID: 6952 cmdline: c:\6r61155.exe MD5: F24AB32918FA49E5019915D255A577F9)

7788uoi.exe (PID: 6904 cmdline: c:\7788uoi.exe MD5: A673EA56D20763F3D043EF0003BA4A1D)

rh53197.exe (PID: 2472 cmdline: c:\rh53197.exe MD5: D6388AC92017740EDE162A7936D9C108)

5787leo.exe (PID: 4092 cmdline: c:\5787leo.exe MD5: 153E207ECFEEBDB9E7F018399E5C1627)

88oxxqc.exe (PID: 5428 cmdline: c:\88oxxqc.exe MD5: 5BCD3436C64915143B7EE185AC8F5F67)

83377.exe (PID: 4600 cmdline: c:\83377.exe MD5: B0024685B8EAF3030AB9E3209EC142FF)

w3790i.exe (PID: 2996 cmdline: c:\w3790i.exe MD5: 5920096D3CA89F622BF6540E7D9F1AAB)

bp1975.exe (PID: 5780 cmdline: c:\bp1975.exe MD5: B2A3693ED42E3BC17ACE26DD6C65B83A)

90omsp.exe (PID: 1612 cmdline: c:\90omsp.exe MD5: 40C99EB36453A97292F39E06122BE2BB)

lb31975.exe (PID: 4604 cmdline: c:\lb31975.exe MD5: B1335D9EB52CB97D7543FABACBF3D09E)

hb5kc8c.exe (PID: 4584 cmdline: c:\hb5kc8c.exe MD5: 75CE63BF185F462ED7F9E6365CD7AF89)

webp1.exe (PID: 2180 cmdline: c:\webp1.exe MD5: 298240B6E90AC68FBEB9A7BE56EDA3A5)

e81f5.exe (PID: 5332 cmdline: c:\e81f5.exe MD5: C2C439CF8A79D875F09E1C37D3DB36E1)

281l59.exe (PID: 6760 cmdline: c:\281l59.exe MD5: CD950356D8E33513421D8074824D865A)

71122as.exe (PID: 7092 cmdline: c:\71122as.exe MD5: E2070B8B4080AA1C0ACD754F87D44A58)

urh7531.exe (PID: 5664 cmdline: c:\urh7531.exe MD5: A2F0CC47EF04D78F74C482B83B0D6071)

fx2dr.exe (PID: 5596 cmdline: c:\fx2dr.exe MD5: C7B5C78FFABE9046E9219CA302D74903)

mkqnd97.exe (PID: 5672 cmdline: c:\mkqnd97.exe MD5: DBB7FE60E5210C359C1C2C5620C8C0FE)

78d5dr1.exe (PID: 3552 cmdline: c:\78d5dr1.exe MD5: F91CB1621D2BA56DB6F9EAFC940ED3B6)

2qkewqk.exe (PID: 2016 cmdline: c:\2qkewqk.exe MD5: DB13E0DACF9B4068F064388BF65331F7)

ourh31.exe (PID: 764 cmdline: c:\ourh31.exe MD5: 828AC17EAE23DA7778400A135C65442B)

g7112.exe (PID: 4908 cmdline: c:\g7112.exe MD5: 040B9D0493FA77F472C5BB7456187303)

hk977.exe (PID: 6664 cmdline: c:\hk977.exe MD5: D22790FF53C7EDA2CE00F0FA1A363887)

7kiolb.exe (PID: 5780 cmdline: c:\7kiolb.exe MD5: 6B3840F7493601C05D957471E3BD0833)

7kiolb.exe (PID: 6928 cmdline: c:\7kiolb.exe MD5: 6B3840F7493601C05D957471E3BD0833)

pf753.exe (PID: 2188 cmdline: c:\pf753.exe MD5: 1E017F50B0CA791ABFF13DAC87F12B32)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
KrBanker, BlackMoon	ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/	https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Fm9MoDgH7O.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\urh7531.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\lb31975.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\4uoic.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\spf19.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\hb5kc8c.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\bp1975.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\7788uoi.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\83377.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\pf753.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\93344.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\5787leo.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\6r61155.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\g7112.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\90omsp.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\hk977.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\oaweb.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\re8eo.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\isqwt.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\ourh31.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\e81f5.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\1wk599.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\559900.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\36hmq.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\qnd197.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\2qkewqk.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\w3790i.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\88oxxqc.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\7kiolb.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\fx2dr.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\rh53197.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\281l59.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\s1oaw.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\webp1.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\m2mwu.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\w7711.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\78d5dr1.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\4vd771.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\mkqnd97.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\71122as.exe	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Click to see the 34 entries

Memory Dumps

Source	Rule	Description	Author
00000022.00000003.1682894023.000000000064D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000021.00000002.1682343006.0000000000401000.00000040.00000001.01000000.00000024.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000017.00000003.1674405309.000000000072D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000003.00000003.1650992588.000000000079E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000001.00000003.1649664251.000000000072F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000025.00000002.1685279755.0000000000401000.00000040.00000001.01000000.00000028.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000018.00000002.1676411975.0000000000401000.00000040.00000001.01000000.0000001B.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000006.00000003.1652636895.000000000075E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000026.00000002.1686085936.0000000000401000.00000040.00000001.01000000.00000028.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000D.00000003.1658140773.00000000007ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000001D.00000003.1679325212.000000000057E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000017.00000003.1672593235.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000016.00000003.1672194840.000000000077D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000019.00000003.1676742574.000000000054E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000013.00000003.1662285471.000000000065E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000027.00000003.1686270671.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000010.00000003.1659900086.000000000066E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000017.00000002.1675872305.0000000000401000.00000040.00000001.01000000.0000001A.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000021.00000003.1681701645.000000000065E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000007.00000003.1653176448.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000001F.00000003.1680483421.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000024.00000003.1683878267.000000000058A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000018.00000003.1676228317.000000000072D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000001.00000003.1649533860.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000E.00000003.1658759497.00000000005ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000012.00000003.1661249438.000000000053E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000A.00000003.1655204393.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000D.00000003.1657724335.000000000077A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000004.00000003.1651511750.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000A.00000003.1655122137.000000000055E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000020.00000003.1680999606.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000006.00000003.1652569745.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000001D.00000003.1679256809.000000000050E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000014.00000003.1664173966.000000000061D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000015.00000003.1666334231.000000000052D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000004.00000003.1651445469.000000000065D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000E.00000003.1658830039.000000000065E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000010.00000003.1659831613.00000000005FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000019.00000003.1676809616.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000013.00000003.1662704858.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001A.00000003.1677285923.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000000.00000003.1649054171.000000000075F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000C.00000003.1656767045.000000000075A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001C.00000002.1679047841.000000000068E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000F.00000003.1659290404.000000000046D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000007.00000003.1653108519.000000000065D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000027.00000003.1686156392.000000000056E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000023.00000003.1683526760.000000000079C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000021.00000003.1681609636.00000000005ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000000.00000003.1648983516.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000022.00000003.1682379177.00000000005DA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000018.00000003.1675808868.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000012.00000003.1661172441.00000000004CD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001B.00000003.1677849478.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000011.00000003.1660367415.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000027.00000002.1686485658.0000000000401000.00000040.00000001.01000000.00000029.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000F.00000003.1659360069.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000024.00000002.1684692162.0000000000401000.00000040.00000001.01000000.00000027.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000B.00000003.1656182067.000000000074D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000C.00000003.1657090623.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001E.00000003.1679812641.000000000060E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000024.00000003.1684376837.00000000005FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000008.00000003.1653699442.000000000051E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001A.00000002.1677502488.0000000000401000.00000040.00000001.01000000.0000001D.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000005.00000003.1652036346.000000000086E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000023.00000002.1683951621.0000000000401000.00000040.00000001.01000000.00000026.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000023.00000003.1683629674.000000000080E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000020.00000003.1681072661.000000000054E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000003.00000003.1650924033.000000000072D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000001A.00000003.1677356804.000000000075E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000011.00000003.1660432963.000000000071E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000B.00000003.1656294889.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001C.00000003.1678680014.000000000061D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001B.00000003.1677919754.000000000073E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000025.00000003.1684659208.000000000072A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000014.00000003.1663138809.00000000005AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000009.00000003.1654532288.000000000056D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000005.00000003.1651970984.00000000007FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000002.00000003.1650205146.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000001E.00000003.1679880197.000000000067E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000025.00000003.1684894752.000000000079D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000015.00000003.1664978597.00000000004BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000008.00000003.1653633605.00000000004AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000016.00000003.1667033564.000000000070A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000009.00000003.1653947799.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000001F.00000003.1680414030.000000000076E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
00000002.00000003.1650138046.000000000068D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: Fm9MoDgH7O.exe PID: 5596	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: Fm9MoDgH7O.exe PID: 5596	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: m2mwu.exe PID: 5672	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: m2mwu.exe PID: 5672	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: re8eo.exe PID: 4268	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: re8eo.exe PID: 4268	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 4vd771.exe PID: 2016	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 4vd771.exe PID: 2016	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: qnd197.exe PID: 2680	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: qnd197.exe PID: 2680	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: oaweb.exe PID: 5780	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: oaweb.exe PID: 5780	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 36hmq.exe PID: 1612	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 36hmq.exe PID: 1612	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 4uoic.exe PID: 5408	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 4uoic.exe PID: 5408	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: w7711.exe PID: 1860	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: w7711.exe PID: 1860	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: isqwt.exe PID: 4900	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: isqwt.exe PID: 4900	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: s1oaw.exe PID: 6716	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: s1oaw.exe PID: 6716	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 559900.exe PID: 1732	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 559900.exe PID: 1732	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: spf19.exe PID: 1260	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: spf19.exe PID: 1260	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 93344.exe PID: 3164	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 93344.exe PID: 3164	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 6r61155.exe PID: 6952	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 6r61155.exe PID: 6952	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 7788uoi.exe PID: 6904	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 7788uoi.exe PID: 6904	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: rh53197.exe PID: 2472	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: rh53197.exe PID: 2472	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 5787leo.exe PID: 4092	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 5787leo.exe PID: 4092	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 88oxxqc.exe PID: 5428	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 88oxxqc.exe PID: 5428	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 83377.exe PID: 4600	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 83377.exe PID: 4600	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: w3790i.exe PID: 2996	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: w3790i.exe PID: 2996	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: bp1975.exe PID: 5780	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: bp1975.exe PID: 5780	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 90omsp.exe PID: 1612	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 90omsp.exe PID: 1612	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: lb31975.exe PID: 4604	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: lb31975.exe PID: 4604	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: hb5kc8c.exe PID: 4584	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: hb5kc8c.exe PID: 4584	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: webp1.exe PID: 2180	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: webp1.exe PID: 2180	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: e81f5.exe PID: 5332	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: e81f5.exe PID: 5332	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 281l59.exe PID: 6760	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 281l59.exe PID: 6760	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 71122as.exe PID: 7092	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 71122as.exe PID: 7092	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: urh7531.exe PID: 5664	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: urh7531.exe PID: 5664	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: fx2dr.exe PID: 5596	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: fx2dr.exe PID: 5596	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: mkqnd97.exe PID: 5672	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: mkqnd97.exe PID: 5672	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 78d5dr1.exe PID: 3552	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 78d5dr1.exe PID: 3552	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 2qkewqk.exe PID: 2016	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 2qkewqk.exe PID: 2016	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: ourh31.exe PID: 764	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: ourh31.exe PID: 764	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: g7112.exe PID: 4908	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: g7112.exe PID: 4908	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: hk977.exe PID: 6664	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: hk977.exe PID: 6664	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 7kiolb.exe PID: 5780	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 7kiolb.exe PID: 5780	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 7kiolb.exe PID: 6928	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: 7kiolb.exe PID: 6928	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: pf753.exe PID: 2188	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Process Memory Space: pf753.exe PID: 2188	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Click to see the 193 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.3.559900.exe.784800.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
24.3.hb5kc8c.exe.6f3948.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
21.3.bp1975.exe.4f3910.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0.3.Fm9MoDgH7O.exe.75f020.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
21.3.bp1975.exe.52d868.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
26.3.e81f5.exe.75e470.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
21.3.bp1975.exe.52d868.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
31.3.mkqnd97.exe.7de520.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
1.3.m2mwu.exe.72f0d8.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
20.3.w3790i.exe.61d848.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.3.spf19.exe.7cd980.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
18.3.88oxxqc.exe.53e3a0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
37.3.7kiolb.exe.763c18.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
1.3.m2mwu.exe.72f0d8.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
29.3.urh7531.exe.544918.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
30.3.fx2dr.exe.67e4f0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
24.3.hb5kc8c.exe.6f3948.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
37.3.7kiolb.exe.79dc60.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
5.3.oaweb.exe.834998.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
36.2.hk977.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
36.2.hk977.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
23.2.lb31975.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
23.2.lb31975.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
25.2.webp1.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
25.2.webp1.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
35.2.g7112.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
35.2.g7112.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
33.2.2qkewqk.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
33.2.2qkewqk.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
27.2.281l59.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
27.2.281l59.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
21.2.bp1975.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
32.3.78d5dr1.exe.54e530.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
21.2.bp1975.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
5.3.oaweb.exe.834998.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
15.3.7788uoi.exe.4de350.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
19.2.83377.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
19.2.83377.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
6.3.36hmq.exe.7247b8.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
7.3.4uoic.exe.6ce390.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
5.3.oaweb.exe.86e400.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
22.3.90omsp.exe.77d888.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
30.3.fx2dr.exe.644918.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
33.3.2qkewqk.exe.624a98.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
32.3.78d5dr1.exe.54e530.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
24.3.hb5kc8c.exe.72d8d0.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
8.3.w7711.exe.4e47d8.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
7.2.4uoic.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
7.2.4uoic.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
10.3.s1oaw.exe.5ce2b0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
6.3.36hmq.exe.75e230.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
8.3.w7711.exe.51e270.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
13.3.93344.exe.7ed788.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
6.3.36hmq.exe.75e230.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
27.3.281l59.exe.73e4a0.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
33.2.2qkewqk.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
33.2.2qkewqk.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
33.2.2qkewqk.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
33.2.2qkewqk.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
1.3.m2mwu.exe.72f0d8.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
35.2.g7112.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
35.2.g7112.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
4.3.qnd197.exe.6ce1f0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
23.3.lb31975.exe.72d8c0.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
14.3.6r61155.exe.65e330.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
36.3.hk977.exe.5c3c20.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
36.3.hk977.exe.5c3c20.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
35.3.g7112.exe.80e6d8.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
11.3.559900.exe.7be2c0.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
11.2.559900.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
11.2.559900.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
25.2.webp1.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
25.2.webp1.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
29.2.urh7531.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
29.2.urh7531.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
25.2.webp1.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
25.2.webp1.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
7.3.4uoic.exe.6ce390.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
31.3.mkqnd97.exe.7de520.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
3.3.4vd771.exe.79e310.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
28.3.71122as.exe.68eea0.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
7.3.4uoic.exe.6ce390.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
19.3.83377.exe.6cf2e8.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
35.3.g7112.exe.7d4ab8.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
15.3.7788uoi.exe.4de350.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
20.3.w3790i.exe.5e3900.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
18.3.88oxxqc.exe.53e3a0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
14.3.6r61155.exe.624840.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
13.3.93344.exe.7b38a0.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
23.3.lb31975.exe.72d8c0.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
25.3.webp1.exe.5848d0.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
11.3.559900.exe.7be2c0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
11.2.559900.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
11.2.559900.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
9.3.isqwt.exe.56d718.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.3.re8eo.exe.6fe1c0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
17.3.5787leo.exe.71e390.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0.3.Fm9MoDgH7O.exe.7255f8.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
29.3.urh7531.exe.57e4e0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
5.2.oaweb.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
5.2.oaweb.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
36.2.hk977.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
36.2.hk977.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
9.3.isqwt.exe.56d718.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
26.3.e81f5.exe.75e470.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
26.2.e81f5.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
8.2.w7711.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
8.2.w7711.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
26.2.e81f5.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
28.2.71122as.exe.68eea0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
24.3.hb5kc8c.exe.72d8d0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
29.2.urh7531.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
29.2.urh7531.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
9.3.isqwt.exe.56d718.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0.2.Fm9MoDgH7O.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.Fm9MoDgH7O.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
3.3.4vd771.exe.79e310.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
23.3.lb31975.exe.72d8c0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
24.2.hb5kc8c.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
24.2.hb5kc8c.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
24.2.hb5kc8c.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
24.2.hb5kc8c.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
8.3.w7711.exe.51e270.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
22.3.90omsp.exe.77d888.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
14.2.6r61155.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
14.2.6r61155.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
18.2.88oxxqc.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
18.2.88oxxqc.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
17.3.5787leo.exe.71e390.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
16.3.rh53197.exe.66e370.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
19.3.83377.exe.6957b0.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
26.3.e81f5.exe.75e470.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
22.3.90omsp.exe.77d888.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
7.2.4uoic.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
7.2.4uoic.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
34.3.ourh31.exe.64dc00.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
14.3.6r61155.exe.65e330.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
39.3.pf753.exe.5de5e0.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.3.re8eo.exe.6c4780.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
34.3.ourh31.exe.613be8.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
6.2.36hmq.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
6.2.36hmq.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
28.3.71122as.exe.68eea0.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
20.3.w3790i.exe.61d848.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
4.2.qnd197.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
4.2.qnd197.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
28.2.71122as.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
28.2.71122as.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
8.3.w7711.exe.51e270.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
7.3.4uoic.exe.694908.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
20.3.w3790i.exe.61d848.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
39.3.pf753.exe.5de5e0.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
31.2.mkqnd97.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
31.2.mkqnd97.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
36.3.hk977.exe.5fdc58.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
26.2.e81f5.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
26.2.e81f5.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
34.3.ourh31.exe.613be8.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
22.2.90omsp.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
22.2.90omsp.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
26.3.e81f5.exe.75e470.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
3.3.4vd771.exe.7648c8.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
35.3.g7112.exe.7d4ab8.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
38.2.7kiolb.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
38.2.7kiolb.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
19.3.83377.exe.6957b0.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
11.3.559900.exe.7be2c0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
29.2.urh7531.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
29.2.urh7531.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
29.3.urh7531.exe.57e4e0.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
37.3.7kiolb.exe.79dc60.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
19.2.83377.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
19.2.83377.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
13.2.93344.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
13.2.93344.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
30.2.fx2dr.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
30.2.fx2dr.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
1.3.m2mwu.exe.72f0d8.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
13.3.93344.exe.7ed788.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0.2.Fm9MoDgH7O.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.Fm9MoDgH7O.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
6.2.36hmq.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
6.2.36hmq.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
18.3.88oxxqc.exe.53e3a0.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
26.3.e81f5.exe.7248d8.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
35.3.g7112.exe.80e6d8.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
31.3.mkqnd97.exe.7de520.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
38.2.7kiolb.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
38.2.7kiolb.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
22.3.90omsp.exe.743920.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.3.spf19.exe.793aa8.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
37.3.7kiolb.exe.79dc60.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
37.3.7kiolb.exe.79dc60.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
33.3.2qkewqk.exe.65e698.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
16.3.rh53197.exe.66e370.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
15.3.7788uoi.exe.4a4850.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
39.2.pf753.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
15.2.7788uoi.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
39.2.pf753.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
15.2.7788uoi.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
0.3.Fm9MoDgH7O.exe.75f020.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
37.3.7kiolb.exe.763c18.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
38.2.7kiolb.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
38.2.7kiolb.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
33.3.2qkewqk.exe.65e698.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
34.2.ourh31.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
34.2.ourh31.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
4.3.qnd197.exe.694798.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.2.re8eo.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
30.3.fx2dr.exe.67e4f0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.2.re8eo.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
2.2.re8eo.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
2.2.re8eo.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
13.3.93344.exe.7ed788.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
3.3.4vd771.exe.79e310.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
21.3.bp1975.exe.52d868.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
23.2.lb31975.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
23.2.lb31975.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
13.2.93344.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
13.2.93344.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
27.3.281l59.exe.73e4a0.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
10.2.s1oaw.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
39.2.pf753.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
10.2.s1oaw.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
39.2.pf753.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
20.2.w3790i.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
20.2.w3790i.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
2.3.re8eo.exe.6c4780.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
1.2.m2mwu.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
1.2.m2mwu.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
6.2.36hmq.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
6.2.36hmq.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
3.2.4vd771.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
3.2.4vd771.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
22.3.90omsp.exe.743920.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
24.3.hb5kc8c.exe.72d8d0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
27.3.281l59.exe.73e4a0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
34.2.ourh31.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
34.2.ourh31.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
25.3.webp1.exe.5be460.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
23.3.lb31975.exe.72d8c0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
16.2.rh53197.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
16.2.rh53197.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
39.3.pf753.exe.5de5e0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
11.2.559900.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
11.2.559900.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
29.3.urh7531.exe.57e4e0.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
18.2.88oxxqc.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
18.2.88oxxqc.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
2.3.re8eo.exe.6fe1c0.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
26.2.e81f5.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
26.2.e81f5.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
32.3.78d5dr1.exe.514940.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
8.3.w7711.exe.4e47d8.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
32.3.78d5dr1.exe.514940.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.2.spf19.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
7.3.4uoic.exe.694908.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.2.spf19.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
36.3.hk977.exe.5fdc58.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
33.3.2qkewqk.exe.65e698.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
18.3.88oxxqc.exe.504878.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
4.3.qnd197.exe.6ce1f0.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
6.3.36hmq.exe.75e230.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
27.3.281l59.exe.73e4a0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
28.3.71122as.exe.654ee0.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
27.3.281l59.exe.7048f8.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
34.3.ourh31.exe.64dc00.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
8.2.w7711.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
8.2.w7711.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
9.2.isqwt.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
9.2.isqwt.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
22.3.90omsp.exe.77d888.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
39.3.pf753.exe.5a4990.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
8.3.w7711.exe.51e270.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
34.3.ourh31.exe.64dc00.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
22.2.90omsp.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
10.3.s1oaw.exe.594800.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
22.2.90omsp.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
31.2.mkqnd97.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
31.2.mkqnd97.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
11.3.559900.exe.7be2c0.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
33.3.2qkewqk.exe.624a98.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
32.3.78d5dr1.exe.54e530.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.3.spf19.exe.7cd980.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
6.3.36hmq.exe.7247b8.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
4.3.qnd197.exe.6ce1f0.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
31.2.mkqnd97.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
31.2.mkqnd97.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
21.3.bp1975.exe.52d868.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
36.3.hk977.exe.5fdc58.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0.2.Fm9MoDgH7O.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.Fm9MoDgH7O.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
14.3.6r61155.exe.65e330.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
17.2.5787leo.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
7.2.4uoic.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
7.2.4uoic.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
17.2.5787leo.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
5.2.oaweb.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
5.2.oaweb.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
16.3.rh53197.exe.634860.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
18.3.88oxxqc.exe.504878.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
30.2.fx2dr.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
30.2.fx2dr.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
34.2.ourh31.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
28.2.71122as.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
34.2.ourh31.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
28.2.71122as.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
9.3.isqwt.exe.56d718.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
17.2.5787leo.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
17.2.5787leo.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
30.3.fx2dr.exe.67e4f0.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
32.2.78d5dr1.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
32.2.78d5dr1.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
19.3.83377.exe.6cf2e8.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
16.2.rh53197.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
16.2.rh53197.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
17.3.5787leo.exe.71e390.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
16.2.rh53197.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
16.2.rh53197.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
31.3.mkqnd97.exe.7a4938.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
16.3.rh53197.exe.634860.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
1.2.m2mwu.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
1.2.m2mwu.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
8.2.w7711.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
8.2.w7711.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
4.2.qnd197.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
25.3.webp1.exe.5be460.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
4.2.qnd197.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
10.3.s1oaw.exe.5ce2b0.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
13.3.93344.exe.7b38a0.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
30.3.fx2dr.exe.67e4f0.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
19.3.83377.exe.6cf2e8.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
39.3.pf753.exe.5de5e0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
19.3.83377.exe.6cf2e8.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
17.3.5787leo.exe.71e390.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
15.3.7788uoi.exe.4de350.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
5.3.oaweb.exe.86e400.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.2.spf19.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
12.2.spf19.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
4.2.qnd197.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
4.2.qnd197.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
9.3.isqwt.exe.533868.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
20.3.w3790i.exe.5e3900.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
10.3.s1oaw.exe.594800.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
4.3.qnd197.exe.694798.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.3.spf19.exe.793aa8.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
9.2.isqwt.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
9.2.isqwt.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
35.2.g7112.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
35.2.g7112.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
21.2.bp1975.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
21.2.bp1975.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
17.3.5787leo.exe.6e4870.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
35.3.g7112.exe.80e6d8.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
37.2.7kiolb.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
37.2.7kiolb.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
24.3.hb5kc8c.exe.72d8d0.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
11.3.559900.exe.784800.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
20.3.w3790i.exe.61d848.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
3.2.4vd771.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
3.2.4vd771.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
19.2.83377.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
19.2.83377.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
35.3.g7112.exe.80e6d8.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
18.3.88oxxqc.exe.53e3a0.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
26.3.e81f5.exe.7248d8.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.2.re8eo.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
2.2.re8eo.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
2.3.re8eo.exe.6fe1c0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
14.3.6r61155.exe.65e330.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
25.3.webp1.exe.5be460.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
28.3.71122as.exe.654ee0.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
10.2.s1oaw.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
17.2.5787leo.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
17.2.5787leo.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
10.2.s1oaw.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
23.3.lb31975.exe.6f3940.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
29.3.urh7531.exe.544918.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
3.2.4vd771.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
3.2.4vd771.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
23.2.lb31975.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
9.3.isqwt.exe.533868.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
23.2.lb31975.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
14.2.6r61155.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
27.2.281l59.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
27.2.281l59.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
14.2.6r61155.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
37.2.7kiolb.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
37.2.7kiolb.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
7.3.4uoic.exe.6ce390.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
10.2.s1oaw.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
10.2.s1oaw.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
22.2.90omsp.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
22.2.90omsp.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
25.3.webp1.exe.5be460.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
14.3.6r61155.exe.624840.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
16.3.rh53197.exe.66e370.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
21.2.bp1975.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
21.2.bp1975.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
32.2.78d5dr1.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
32.2.78d5dr1.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
10.3.s1oaw.exe.5ce2b0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
13.2.93344.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
13.2.93344.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
28.2.71122as.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
28.2.71122as.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
32.2.78d5dr1.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
32.2.78d5dr1.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
28.2.71122as.exe.68eea0.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.2.spf19.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
12.2.spf19.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
15.2.7788uoi.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
15.2.7788uoi.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
23.3.lb31975.exe.6f3940.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
18.2.88oxxqc.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
3.3.4vd771.exe.79e310.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
18.2.88oxxqc.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
5.2.oaweb.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
5.2.oaweb.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
15.2.7788uoi.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
15.2.7788uoi.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
4.3.qnd197.exe.6ce1f0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
39.2.pf753.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
39.2.pf753.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
32.3.78d5dr1.exe.54e530.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
25.3.webp1.exe.5848d0.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
10.3.s1oaw.exe.5ce2b0.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
34.3.ourh31.exe.64dc00.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
5.3.oaweb.exe.86e400.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
13.3.93344.exe.7ed788.2.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
0.3.Fm9MoDgH7O.exe.7255f8.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.3.spf19.exe.7cd980.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
15.3.7788uoi.exe.4a4850.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
21.3.bp1975.exe.4f3910.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
1.3.m2mwu.exe.6f56a8.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
31.3.mkqnd97.exe.7de520.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
29.3.urh7531.exe.57e4e0.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
16.3.rh53197.exe.66e370.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
5.3.oaweb.exe.86e400.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
9.2.isqwt.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
9.2.isqwt.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
30.3.fx2dr.exe.644918.1.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
12.3.spf19.exe.7cd980.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
36.2.hk977.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
20.2.w3790i.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
36.2.hk977.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
20.2.w3790i.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
31.3.mkqnd97.exe.7a4938.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
33.3.2qkewqk.exe.65e698.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
6.3.36hmq.exe.75e230.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
14.2.6r61155.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
14.2.6r61155.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
3.3.4vd771.exe.7648c8.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
36.3.hk977.exe.5fdc58.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
2.3.re8eo.exe.6fe1c0.0.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
1.3.m2mwu.exe.6f56a8.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
15.3.7788uoi.exe.4de350.2.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
30.2.fx2dr.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
30.2.fx2dr.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
20.2.w3790i.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
20.2.w3790i.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
24.2.hb5kc8c.exe.40426f.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
24.2.hb5kc8c.exe.40426f.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
1.2.m2mwu.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
37.2.7kiolb.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
1.2.m2mwu.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
37.2.7kiolb.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1d7d3:$s1: blackmoon 0x1d813:$s2: BlackMoon RunTime Error:
39.3.pf753.exe.5a4990.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
17.3.5787leo.exe.6e4870.1.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
27.2.281l59.exe.40426f.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
27.2.281l59.exe.40426f.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a364:$s1: blackmoon 0x1a3a4:$s2: BlackMoon RunTime Error:
27.3.281l59.exe.7048f8.0.raw.unpack	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Click to see the 467 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Fm9MoDgH7O.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\hb5kc8c.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\83377.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\bp1975.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\7788uoi.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\fx2dr.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\93344.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\hk977.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\5787leo.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\pf753.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\7kiolb.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\e81f5.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\1wk599.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\lb31975.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\281l59.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\4uoic.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\559900.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\oaweb.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\90omsp.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\36hmq.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\88oxxqc.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\qnd197.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\ourh31.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\g7112.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\6r61155.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\isqwt.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\2qkewqk.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\m2mwu.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\4vd771.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\78d5dr1.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\mkqnd97.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\71122as.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for submitted file

Source: Fm9MoDgH7O.exe	ReversingLabs: Detection: 100%
Source: Fm9MoDgH7O.exe	Virustotal: Detection: 84%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\hb5kc8c.exe	Joe Sandbox ML: detected
Source: C:\83377.exe	Joe Sandbox ML: detected
Source: C:\bp1975.exe	Joe Sandbox ML: detected
Source: C:\7788uoi.exe	Joe Sandbox ML: detected
Source: C:\fx2dr.exe	Joe Sandbox ML: detected
Source: C:\93344.exe	Joe Sandbox ML: detected
Source: C:\hk977.exe	Joe Sandbox ML: detected
Source: C:\5787leo.exe	Joe Sandbox ML: detected
Source: C:\pf753.exe	Joe Sandbox ML: detected
Source: C:\7kiolb.exe	Joe Sandbox ML: detected
Source: C:\e81f5.exe	Joe Sandbox ML: detected
Source: C:\1wk599.exe	Joe Sandbox ML: detected
Source: C:\lb31975.exe	Joe Sandbox ML: detected
Source: C:\281l59.exe	Joe Sandbox ML: detected
Source: C:\4uoic.exe	Joe Sandbox ML: detected
Source: C:\559900.exe	Joe Sandbox ML: detected
Source: C:\oaweb.exe	Joe Sandbox ML: detected
Source: C:\90omsp.exe	Joe Sandbox ML: detected
Source: C:\36hmq.exe	Joe Sandbox ML: detected
Source: C:\88oxxqc.exe	Joe Sandbox ML: detected
Source: C:\qnd197.exe	Joe Sandbox ML: detected
Source: C:\ourh31.exe	Joe Sandbox ML: detected
Source: C:\g7112.exe	Joe Sandbox ML: detected
Source: C:\6r61155.exe	Joe Sandbox ML: detected
Source: C:\isqwt.exe	Joe Sandbox ML: detected
Source: C:\2qkewqk.exe	Joe Sandbox ML: detected
Source: C:\m2mwu.exe	Joe Sandbox ML: detected
Source: C:\4vd771.exe	Joe Sandbox ML: detected
Source: C:\78d5dr1.exe	Joe Sandbox ML: detected
Source: C:\mkqnd97.exe	Joe Sandbox ML: detected
Source: C:\71122as.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Fm9MoDgH7O.exe

Joe Sandbox ML: detected

Source: Fm9MoDgH7O.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_00401489
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0040B403
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_0040B403
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_00414008
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_00413815
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_00413815
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_00408428
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_004150E3
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_004150E3
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_0040E896
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_00408CAE
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0040A0B0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_00413D17
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_00413D17
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_00413D17
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_00413D17
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_004015EF
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_00407982
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004109A0
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_004151A7
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_004151A7
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_004151A7
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_004151A7
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_004151A7
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_004151A7
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_004151A7
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004115AF
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004115AF
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004115AF
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004115AF
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_004115AF
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_004079BA
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_00407E43
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_00407E43
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_00407E43
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_00407E43
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_0040D64A
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_00408A11
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_00401632
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0040B2CE
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0040B2CE
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_00405A86
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_0040169D
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_00405B50
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_00413768
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_00405B1F
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_004137DF
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_004097EE
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	0_2_0040BD2B
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_004137AB
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_00401489
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	1_2_0040B403
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	1_2_0040B403
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_00414008
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	1_2_00413815
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	1_2_00413815
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	1_2_00408428
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	1_2_004150E3
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_004150E3
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_0040E896
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_00408CAE
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	1_2_0040A0B0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	1_2_00413D17
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	1_2_00413D17
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	1_2_00413D17
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	1_2_00413D17
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_004015EF
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_00407982
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004109A0
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_004151A7
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_004151A7
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_004151A7
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_004151A7
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_004151A7
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_004151A7
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_004151A7
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004115AF
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004115AF
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004115AF
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004115AF
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_004115AF
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_004079BA
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_00407E43
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_00407E43
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_00407E43
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	1_2_00407E43
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_0040D64A
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	1_2_00408A11
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	1_2_00401632
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	1_2_0040B2CE
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	1_2_0040B2CE
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_00405A86
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	1_2_0040169D
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_00405B50
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_00413768
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_00405B1F
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_004137DF
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	1_2_004097EE
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	1_2_0040BD2B
Source: C:\m2mwu.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	1_2_004137AB
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_00401489
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	2_2_0040B403
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	2_2_0040B403
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_00414008
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	2_2_00413815
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	2_2_00413815
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	2_2_00408428
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	2_2_004150E3
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_004150E3
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_0040E896
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_00408CAE
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	2_2_0040A0B0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	2_2_00413D17
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	2_2_00413D17
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	2_2_00413D17
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	2_2_00413D17
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_004015EF
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_00407982
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004109A0
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_004151A7
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_004151A7
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_004151A7
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_004151A7
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_004151A7
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_004151A7
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_004151A7
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004115AF
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004115AF
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004115AF
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004115AF
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_004115AF
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_004079BA
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_00407E43
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_00407E43
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_00407E43
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	2_2_00407E43
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_0040D64A
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	2_2_00408A11
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	2_2_00401632
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	2_2_0040B2CE
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	2_2_0040B2CE
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_00405A86
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	2_2_0040169D
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_00405B50
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_00413768
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_00405B1F
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_004137DF
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	2_2_004097EE
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	2_2_0040BD2B
Source: C:\re8eo.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	2_2_004137AB
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_00401489
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_0040B403
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_0040B403
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_00414008
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_00413815
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_00413815
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_00408428
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_004150E3
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_004150E3
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_0040E896
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_00408CAE
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_0040A0B0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_00413D17
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	3_2_00413D17
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_00413D17
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_00413D17
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_004015EF
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_00407982
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004109A0
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_004151A7
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_004151A7
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_004151A7
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_004151A7
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_004151A7
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_004151A7
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_004151A7
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004115AF
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004115AF
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004115AF
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004115AF
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_004115AF
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_004079BA
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_00407E43
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_00407E43
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_00407E43
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_00407E43
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_0040D64A
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_00408A11
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_00401632
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_0040B2CE
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_0040B2CE
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_00405A86
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_0040169D
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_00405B50
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_00413768
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_00405B1F
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_004137DF
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_004097EE
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	3_2_0040BD2B
Source: C:\4vd771.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_004137AB
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_00401489
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	4_2_0040B403
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	4_2_0040B403
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_00414008
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	4_2_00413815
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	4_2_00413815
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	4_2_00408428
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	4_2_004150E3
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_004150E3
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_0040E896
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_00408CAE
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	4_2_0040A0B0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	4_2_00413D17
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	4_2_00413D17
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	4_2_00413D17
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	4_2_00413D17
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_004015EF
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_00407982
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004109A0
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_004151A7
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_004151A7
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_004151A7
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_004151A7
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_004151A7
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_004151A7
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_004151A7
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004115AF
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004115AF
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004115AF
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004115AF
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_004115AF
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_004079BA
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_00407E43
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_00407E43
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_00407E43
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	4_2_00407E43
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_0040D64A
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	4_2_00408A11
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	4_2_00401632
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	4_2_0040B2CE
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	4_2_0040B2CE
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_00405A86
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	4_2_0040169D
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_00405B50
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_00413768
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_00405B1F
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_004137DF
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	4_2_004097EE
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-30h], esp	4_2_0040BD2B
Source: C:\qnd197.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	4_2_004137AB
Source: C:\oaweb.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_00401489
Source: C:\oaweb.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_0040B403
Source: C:\oaweb.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_0040B403
Source: C:\oaweb.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_00414008
Source: C:\oaweb.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_00413815

Source: Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	String found in binary or memory: http://14.18.141.27:33355/lcy.asp?s11=nc&s12=nc&s13=
Source: Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: http://14.18.141.27:33355/lcy.asp?s11=nc&s12=nc&s13=%POSTGETWinHttp.WinHttpRequest.5.1
Source: Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	String found in binary or memory: http://14.18.141.27:33355/mcy.asp?at=getmb&s13=
Source: Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	String found in binary or memory: http://14.18.141.27:33355/mcy.asp?at=upm&s13=
Source: Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: http://14.18.141.27:33355/mcy.asp?at=upm&s13=http://14.18.141.27:33355/mcy.asp?at=getmb&s13=okno%E-&
Source: Fm9MoDgH7O.exe, m2mwu.exe, re8eo.exe, 4vd771.exe, qnd197.exe, oaweb.exe, w7711.exe, isqwt.exe, s1oaw.exe, 559900.exe, spf19.exe, 93344.exe, 6r61155.exe, 7788uoi.exe, rh53197.exe, 5787leo.exe, 88oxxqc.exe, w3790i.exe, bp1975.exe, 90omsp.exe, webp1.exe	String found in binary or memory: http://www.eyuyan.com)
Source: Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: pf753.exe, 00000027.00000002.1686485658.0000000000401000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://bank.gametea.com:444/bank/domoneyshow.php
Source: Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	String found in binary or memory: https://bank.gametea.com:444/banklockpc/moneyout.php?nickname=
Source: Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: https://bank.gametea.com:444/banklockpc/moneyout.php?nickname=msg_showmoney_sh
Source: Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	String found in binary or memory: https://bank.gametea.com:444/czbanklockpc/chadou.php?nickname=
Source: Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: https://bank.gametea.com:444/czbanklockpc/chadou.php?nickname=msg_chadou
Source: Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	String found in binary or memory: https://bank.gametea.com:444/czbanklockpc/moneyout.php?nickname=
Source: Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	String found in binary or memory: https://bank.gametea.com:444/lsbanklockpc/moneyout.php?nickname=
Source: Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: https://bank.gametea.com:444/lsbanklockpc/moneyout.php?nickname=msg_gamemoney
Source: Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	String found in binary or memory: https://bank.gametea.com:444/nbbanklockpc/moneyout.php?nickname=

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackMoon Ransomware

Source: Yara match	File source: 36.2.hk977.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.lb31975.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.webp1.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.g7112.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.2qkewqk.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.281l59.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.bp1975.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.83377.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4uoic.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.2qkewqk.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.2qkewqk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.g7112.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.559900.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.webp1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.urh7531.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.webp1.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.559900.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.oaweb.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.hk977.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.e81f5.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.w7711.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.urh7531.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fm9MoDgH7O.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.hb5kc8c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.hb5kc8c.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.6r61155.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.88oxxqc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4uoic.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.36hmq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qnd197.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.71122as.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.mkqnd97.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.e81f5.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.90omsp.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.7kiolb.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.urh7531.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.83377.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.93344.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.fx2dr.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fm9MoDgH7O.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.36hmq.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.7kiolb.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.pf753.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.7788uoi.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.7kiolb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.ourh31.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.re8eo.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.re8eo.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.lb31975.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.93344.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.s1oaw.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.pf753.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.w3790i.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.m2mwu.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.36hmq.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4vd771.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.ourh31.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rh53197.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.559900.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.88oxxqc.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.e81f5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.spf19.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.w7711.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.isqwt.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.90omsp.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.mkqnd97.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.mkqnd97.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Fm9MoDgH7O.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5787leo.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4uoic.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.oaweb.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.fx2dr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.ourh31.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.71122as.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5787leo.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.78d5dr1.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rh53197.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rh53197.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.m2mwu.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.w7711.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qnd197.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.spf19.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qnd197.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.isqwt.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.g7112.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.bp1975.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.7kiolb.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4vd771.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.83377.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.re8eo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.s1oaw.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5787leo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.4vd771.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.lb31975.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.6r61155.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.281l59.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.7kiolb.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.s1oaw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.90omsp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.bp1975.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.78d5dr1.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.93344.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.71122as.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.78d5dr1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.spf19.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.7788uoi.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.88oxxqc.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.oaweb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.7788uoi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.pf753.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.isqwt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.hk977.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.w3790i.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.6r61155.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.fx2dr.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.w3790i.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.hb5kc8c.exe.40426f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.m2mwu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.7kiolb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.281l59.exe.40426f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.1682343006.0000000000401000.00000040.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1685279755.0000000000401000.00000040.00000001.01000000.00000028.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1676411975.0000000000401000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1686085936.0000000000401000.00000040.00000001.01000000.00000028.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1675872305.0000000000401000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1686485658.0000000000401000.00000040.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1684692162.0000000000401000.00000040.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1677502488.0000000000401000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1683951621.0000000000401000.00000040.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fm9MoDgH7O.exe PID: 5596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m2mwu.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: re8eo.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4vd771.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qnd197.exe PID: 2680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oaweb.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 36hmq.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4uoic.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: w7711.exe PID: 1860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: isqwt.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s1oaw.exe PID: 6716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 559900.exe PID: 1732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: spf19.exe PID: 1260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 93344.exe PID: 3164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6r61155.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7788uoi.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rh53197.exe PID: 2472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5787leo.exe PID: 4092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 88oxxqc.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 83377.exe PID: 4600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: w3790i.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bp1975.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 90omsp.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lb31975.exe PID: 4604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hb5kc8c.exe PID: 4584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: webp1.exe PID: 2180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e81f5.exe PID: 5332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 281l59.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 71122as.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: urh7531.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fx2dr.exe PID: 5596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mkqnd97.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 78d5dr1.exe PID: 3552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2qkewqk.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ourh31.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: g7112.exe PID: 4908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hk977.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7kiolb.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7kiolb.exe PID: 6928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pf753.exe PID: 2188, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 36.2.hk977.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 23.2.lb31975.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 25.2.webp1.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 35.2.g7112.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 33.2.2qkewqk.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 27.2.281l59.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 21.2.bp1975.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 19.2.83377.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 7.2.4uoic.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 33.2.2qkewqk.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 33.2.2qkewqk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 35.2.g7112.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 11.2.559900.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 25.2.webp1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 29.2.urh7531.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 25.2.webp1.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 11.2.559900.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 5.2.oaweb.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 36.2.hk977.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 8.2.w7711.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 26.2.e81f5.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 29.2.urh7531.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.Fm9MoDgH7O.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 24.2.hb5kc8c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 24.2.hb5kc8c.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 14.2.6r61155.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 18.2.88oxxqc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 7.2.4uoic.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 6.2.36hmq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.qnd197.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 28.2.71122as.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 31.2.mkqnd97.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 26.2.e81f5.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 22.2.90omsp.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 38.2.7kiolb.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 29.2.urh7531.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 19.2.83377.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 13.2.93344.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 30.2.fx2dr.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.Fm9MoDgH7O.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 6.2.36hmq.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 38.2.7kiolb.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 39.2.pf753.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 15.2.7788uoi.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 38.2.7kiolb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 34.2.ourh31.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 2.2.re8eo.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 2.2.re8eo.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 23.2.lb31975.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 13.2.93344.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 10.2.s1oaw.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 39.2.pf753.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 20.2.w3790i.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 1.2.m2mwu.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 6.2.36hmq.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.2.4vd771.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 34.2.ourh31.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 16.2.rh53197.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 11.2.559900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 18.2.88oxxqc.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 26.2.e81f5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 12.2.spf19.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 8.2.w7711.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 9.2.isqwt.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 22.2.90omsp.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 31.2.mkqnd97.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 31.2.mkqnd97.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.Fm9MoDgH7O.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 7.2.4uoic.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 17.2.5787leo.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 5.2.oaweb.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 30.2.fx2dr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 34.2.ourh31.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 28.2.71122as.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 17.2.5787leo.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 32.2.78d5dr1.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 16.2.rh53197.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 16.2.rh53197.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 1.2.m2mwu.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 8.2.w7711.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.qnd197.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 12.2.spf19.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.qnd197.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 9.2.isqwt.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 35.2.g7112.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 21.2.bp1975.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 37.2.7kiolb.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.2.4vd771.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 19.2.83377.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 2.2.re8eo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 17.2.5787leo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 10.2.s1oaw.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.2.4vd771.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 23.2.lb31975.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 27.2.281l59.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 14.2.6r61155.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 37.2.7kiolb.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 10.2.s1oaw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 22.2.90omsp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 21.2.bp1975.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 32.2.78d5dr1.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 13.2.93344.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 28.2.71122as.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 32.2.78d5dr1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 12.2.spf19.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 15.2.7788uoi.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 18.2.88oxxqc.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 5.2.oaweb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 15.2.7788uoi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 39.2.pf753.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 9.2.isqwt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 36.2.hk977.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 20.2.w3790i.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 14.2.6r61155.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 30.2.fx2dr.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 20.2.w3790i.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 24.2.hb5kc8c.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 1.2.m2mwu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 37.2.7kiolb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 27.2.281l59.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen

PE file has nameless sections

Source: Fm9MoDgH7O.exe	Static PE information: section name:
Source: m2mwu.exe.0.dr	Static PE information: section name:
Source: re8eo.exe.1.dr	Static PE information: section name:
Source: 4vd771.exe.2.dr	Static PE information: section name:
Source: qnd197.exe.3.dr	Static PE information: section name:
Source: oaweb.exe.4.dr	Static PE information: section name:
Source: 36hmq.exe.5.dr	Static PE information: section name:
Source: 4uoic.exe.6.dr	Static PE information: section name:
Source: w7711.exe.7.dr	Static PE information: section name:
Source: isqwt.exe.8.dr	Static PE information: section name:
Source: s1oaw.exe.9.dr	Static PE information: section name:
Source: 559900.exe.10.dr	Static PE information: section name:
Source: spf19.exe.11.dr	Static PE information: section name:
Source: 93344.exe.12.dr	Static PE information: section name:
Source: 6r61155.exe.13.dr	Static PE information: section name:
Source: 7788uoi.exe.14.dr	Static PE information: section name:
Source: rh53197.exe.15.dr	Static PE information: section name:
Source: 5787leo.exe.16.dr	Static PE information: section name:
Source: 88oxxqc.exe.17.dr	Static PE information: section name:
Source: 83377.exe.18.dr	Static PE information: section name:
Source: w3790i.exe.19.dr	Static PE information: section name:
Source: bp1975.exe.20.dr	Static PE information: section name:
Source: 90omsp.exe.21.dr	Static PE information: section name:
Source: lb31975.exe.22.dr	Static PE information: section name:
Source: hb5kc8c.exe.23.dr	Static PE information: section name:
Source: webp1.exe.24.dr	Static PE information: section name:
Source: e81f5.exe.25.dr	Static PE information: section name:
Source: 281l59.exe.26.dr	Static PE information: section name:
Source: 71122as.exe.27.dr	Static PE information: section name:
Source: urh7531.exe.28.dr	Static PE information: section name:
Source: fx2dr.exe.29.dr	Static PE information: section name:
Source: mkqnd97.exe.30.dr	Static PE information: section name:
Source: 78d5dr1.exe.31.dr	Static PE information: section name:
Source: 2qkewqk.exe.32.dr	Static PE information: section name:
Source: ourh31.exe.33.dr	Static PE information: section name:
Source: g7112.exe.34.dr	Static PE information: section name:
Source: hk977.exe.35.dr	Static PE information: section name:
Source: 7kiolb.exe.36.dr	Static PE information: section name:
Source: pf753.exe.38.dr	Static PE information: section name:
Source: 1wk599.exe.39.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_2_0041D857	0_2_0041D857
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_2_00420283	0_2_00420283
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_2_0041D7A0	0_2_0041D7A0
Source: C:\m2mwu.exe	Code function: 1_2_0041D857	1_2_0041D857
Source: C:\m2mwu.exe	Code function: 1_2_00420283	1_2_00420283
Source: C:\m2mwu.exe	Code function: 1_2_0041D7A0	1_2_0041D7A0
Source: C:\re8eo.exe	Code function: 2_2_0041D857	2_2_0041D857
Source: C:\re8eo.exe	Code function: 2_2_00420283	2_2_00420283
Source: C:\re8eo.exe	Code function: 2_2_0041D7A0	2_2_0041D7A0
Source: C:\4vd771.exe	Code function: 3_2_0041D857	3_2_0041D857
Source: C:\4vd771.exe	Code function: 3_2_00420283	3_2_00420283
Source: C:\4vd771.exe	Code function: 3_2_0041D7A0	3_2_0041D7A0
Source: C:\qnd197.exe	Code function: 4_2_0041D857	4_2_0041D857
Source: C:\qnd197.exe	Code function: 4_2_00420283	4_2_00420283
Source: C:\qnd197.exe	Code function: 4_2_0041D7A0	4_2_0041D7A0
Source: C:\oaweb.exe	Code function: 5_2_0041D857	5_2_0041D857
Source: C:\oaweb.exe	Code function: 5_2_00420283	5_2_00420283
Source: C:\oaweb.exe	Code function: 5_2_0041D7A0	5_2_0041D7A0
Source: C:\w7711.exe	Code function: 8_2_0041D857	8_2_0041D857
Source: C:\w7711.exe	Code function: 8_2_00420283	8_2_00420283
Source: C:\w7711.exe	Code function: 8_2_0041D7A0	8_2_0041D7A0
Source: C:\isqwt.exe	Code function: 9_2_0041D857	9_2_0041D857
Source: C:\isqwt.exe	Code function: 9_2_00420283	9_2_00420283
Source: C:\isqwt.exe	Code function: 9_2_0041D7A0	9_2_0041D7A0
Source: C:\s1oaw.exe	Code function: 10_2_0041D857	10_2_0041D857
Source: C:\s1oaw.exe	Code function: 10_2_00420283	10_2_00420283
Source: C:\s1oaw.exe	Code function: 10_2_0041D7A0	10_2_0041D7A0
Source: C:\559900.exe	Code function: 11_2_0041D857	11_2_0041D857
Source: C:\559900.exe	Code function: 11_2_00420283	11_2_00420283
Source: C:\559900.exe	Code function: 11_2_0041D7A0	11_2_0041D7A0
Source: C:\spf19.exe	Code function: 12_2_0041D857	12_2_0041D857
Source: C:\spf19.exe	Code function: 12_2_00420283	12_2_00420283
Source: C:\spf19.exe	Code function: 12_2_0041D7A0	12_2_0041D7A0
Source: C:\93344.exe	Code function: 13_2_0041D857	13_2_0041D857
Source: C:\93344.exe	Code function: 13_2_00420283	13_2_00420283
Source: C:\93344.exe	Code function: 13_2_0041D7A0	13_2_0041D7A0
Source: C:\6r61155.exe	Code function: 14_2_0041D857	14_2_0041D857
Source: C:\6r61155.exe	Code function: 14_2_00420283	14_2_00420283
Source: C:\6r61155.exe	Code function: 14_2_0041D7A0	14_2_0041D7A0
Source: C:\7788uoi.exe	Code function: 15_2_0041D857	15_2_0041D857
Source: C:\7788uoi.exe	Code function: 15_2_00420283	15_2_00420283
Source: C:\7788uoi.exe	Code function: 15_2_0041D7A0	15_2_0041D7A0
Source: C:\rh53197.exe	Code function: 16_2_0041D857	16_2_0041D857
Source: C:\rh53197.exe	Code function: 16_2_00420283	16_2_00420283
Source: C:\rh53197.exe	Code function: 16_2_0041D7A0	16_2_0041D7A0
Source: C:\5787leo.exe	Code function: 17_2_0041D857	17_2_0041D857
Source: C:\5787leo.exe	Code function: 17_2_00420283	17_2_00420283
Source: C:\5787leo.exe	Code function: 17_2_0041D7A0	17_2_0041D7A0
Source: C:\88oxxqc.exe	Code function: 18_2_0041D857	18_2_0041D857
Source: C:\88oxxqc.exe	Code function: 18_2_00420283	18_2_00420283
Source: C:\88oxxqc.exe	Code function: 18_2_0041D7A0	18_2_0041D7A0
Source: C:\w3790i.exe	Code function: 20_2_0041D857	20_2_0041D857
Source: C:\w3790i.exe	Code function: 20_2_00420283	20_2_00420283
Source: C:\w3790i.exe	Code function: 20_2_0041D7A0	20_2_0041D7A0
Source: C:\bp1975.exe	Code function: 21_2_0041D857	21_2_0041D857
Source: C:\bp1975.exe	Code function: 21_2_00420283	21_2_00420283
Source: C:\bp1975.exe	Code function: 21_2_0041D7A0	21_2_0041D7A0
Source: C:\90omsp.exe	Code function: 22_2_0041D857	22_2_0041D857
Source: C:\90omsp.exe	Code function: 22_2_00420283	22_2_00420283
Source: C:\90omsp.exe	Code function: 22_2_0041D7A0	22_2_0041D7A0
Source: C:\webp1.exe	Code function: 25_2_0041D857	25_2_0041D857
Source: C:\webp1.exe	Code function: 25_2_00420283	25_2_00420283
Source: C:\webp1.exe	Code function: 25_2_0041D7A0	25_2_0041D7A0
Source: C:\281l59.exe	Code function: 27_2_0041D857	27_2_0041D857
Source: C:\281l59.exe	Code function: 27_2_00420283	27_2_00420283
Source: C:\281l59.exe	Code function: 27_2_0041D7A0	27_2_0041D7A0
Source: C:\71122as.exe	Code function: 28_2_0041D857	28_2_0041D857
Source: C:\71122as.exe	Code function: 28_2_00420283	28_2_00420283
Source: C:\71122as.exe	Code function: 28_2_0041D7A0	28_2_0041D7A0
Source: C:\urh7531.exe	Code function: 29_2_0041D857	29_2_0041D857
Source: C:\urh7531.exe	Code function: 29_2_00420283	29_2_00420283
Source: C:\urh7531.exe	Code function: 29_2_0041D7A0	29_2_0041D7A0
Source: C:\fx2dr.exe	Code function: 30_2_0041D857	30_2_0041D857
Source: C:\fx2dr.exe	Code function: 30_2_00420283	30_2_00420283
Source: C:\fx2dr.exe	Code function: 30_2_0041D7A0	30_2_0041D7A0
Source: C:\mkqnd97.exe	Code function: 31_2_0041D857	31_2_0041D857
Source: C:\mkqnd97.exe	Code function: 31_2_00420283	31_2_00420283
Source: C:\mkqnd97.exe	Code function: 31_2_0041D7A0	31_2_0041D7A0
Source: C:\78d5dr1.exe	Code function: 32_2_0041D857	32_2_0041D857
Source: C:\78d5dr1.exe	Code function: 32_2_00420283	32_2_00420283
Source: C:\78d5dr1.exe	Code function: 32_2_0041D7A0	32_2_0041D7A0
Source: C:\ourh31.exe	Code function: 34_2_0041D857	34_2_0041D857
Source: C:\ourh31.exe	Code function: 34_2_00420283	34_2_00420283
Source: C:\ourh31.exe	Code function: 34_2_0041D7A0	34_2_0041D7A0

Source: Fm9MoDgH7O.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 36.2.hk977.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 23.2.lb31975.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 25.2.webp1.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 35.2.g7112.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 33.2.2qkewqk.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 27.2.281l59.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 21.2.bp1975.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 19.2.83377.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 7.2.4uoic.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 33.2.2qkewqk.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 33.2.2qkewqk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 35.2.g7112.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 11.2.559900.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 25.2.webp1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 29.2.urh7531.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 25.2.webp1.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 11.2.559900.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 5.2.oaweb.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 36.2.hk977.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 8.2.w7711.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 26.2.e81f5.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 29.2.urh7531.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.Fm9MoDgH7O.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 24.2.hb5kc8c.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 24.2.hb5kc8c.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 14.2.6r61155.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 18.2.88oxxqc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 7.2.4uoic.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 6.2.36hmq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.qnd197.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 28.2.71122as.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 31.2.mkqnd97.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 26.2.e81f5.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 22.2.90omsp.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 38.2.7kiolb.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 29.2.urh7531.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 19.2.83377.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 13.2.93344.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 30.2.fx2dr.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.Fm9MoDgH7O.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 6.2.36hmq.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 38.2.7kiolb.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 39.2.pf753.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 15.2.7788uoi.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 38.2.7kiolb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 34.2.ourh31.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 2.2.re8eo.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 2.2.re8eo.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 23.2.lb31975.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 13.2.93344.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 10.2.s1oaw.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 39.2.pf753.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 20.2.w3790i.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 1.2.m2mwu.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 6.2.36hmq.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.2.4vd771.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 34.2.ourh31.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 16.2.rh53197.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 11.2.559900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 18.2.88oxxqc.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 26.2.e81f5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 12.2.spf19.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 8.2.w7711.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 9.2.isqwt.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 22.2.90omsp.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 31.2.mkqnd97.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 31.2.mkqnd97.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.Fm9MoDgH7O.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 7.2.4uoic.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 17.2.5787leo.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 5.2.oaweb.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 30.2.fx2dr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 34.2.ourh31.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 28.2.71122as.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 17.2.5787leo.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 32.2.78d5dr1.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 16.2.rh53197.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 16.2.rh53197.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 1.2.m2mwu.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 8.2.w7711.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.qnd197.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 12.2.spf19.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.qnd197.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 9.2.isqwt.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 35.2.g7112.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 21.2.bp1975.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 37.2.7kiolb.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.2.4vd771.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 19.2.83377.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 2.2.re8eo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 17.2.5787leo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 10.2.s1oaw.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.2.4vd771.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 23.2.lb31975.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 27.2.281l59.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 14.2.6r61155.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 37.2.7kiolb.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 10.2.s1oaw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 22.2.90omsp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 21.2.bp1975.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 32.2.78d5dr1.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 13.2.93344.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 28.2.71122as.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 32.2.78d5dr1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 12.2.spf19.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 15.2.7788uoi.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 18.2.88oxxqc.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 5.2.oaweb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 15.2.7788uoi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 39.2.pf753.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 9.2.isqwt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 36.2.hk977.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 20.2.w3790i.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 14.2.6r61155.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 30.2.fx2dr.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 20.2.w3790i.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 24.2.hb5kc8c.exe.40426f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 1.2.m2mwu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 37.2.7kiolb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 27.2.281l59.exe.40426f.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@80/39@0/0

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Fm9MoDgH7O.exe	ReversingLabs: Detection: 100%
Source: Fm9MoDgH7O.exe	Virustotal: Detection: 84%

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe

File read: C:\Users\user\Desktop\Fm9MoDgH7O.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Fm9MoDgH7O.exe "C:\Users\user\Desktop\Fm9MoDgH7O.exe"
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Process created: C:\m2mwu.exe c:\m2mwu.exe
Source: C:\m2mwu.exe	Process created: C:\re8eo.exe c:\re8eo.exe
Source: C:\re8eo.exe	Process created: C:\4vd771.exe c:\4vd771.exe
Source: C:\4vd771.exe	Process created: C:\qnd197.exe c:\qnd197.exe
Source: C:\qnd197.exe	Process created: C:\oaweb.exe c:\oaweb.exe
Source: C:\oaweb.exe	Process created: C:\36hmq.exe c:\36hmq.exe
Source: C:\36hmq.exe	Process created: C:\4uoic.exe c:\4uoic.exe
Source: C:\4uoic.exe	Process created: C:\w7711.exe c:\w7711.exe
Source: C:\w7711.exe	Process created: C:\isqwt.exe c:\isqwt.exe
Source: C:\isqwt.exe	Process created: C:\s1oaw.exe c:\s1oaw.exe
Source: C:\s1oaw.exe	Process created: C:\559900.exe c:\559900.exe
Source: C:\559900.exe	Process created: C:\spf19.exe c:\spf19.exe
Source: C:\spf19.exe	Process created: C:\93344.exe c:\93344.exe
Source: C:\93344.exe	Process created: C:\6r61155.exe c:\6r61155.exe
Source: C:\6r61155.exe	Process created: C:\7788uoi.exe c:\7788uoi.exe
Source: C:\7788uoi.exe	Process created: C:\rh53197.exe c:\rh53197.exe
Source: C:\rh53197.exe	Process created: C:\5787leo.exe c:\5787leo.exe
Source: C:\5787leo.exe	Process created: C:\88oxxqc.exe c:\88oxxqc.exe
Source: C:\88oxxqc.exe	Process created: C:\83377.exe c:\83377.exe
Source: C:\83377.exe	Process created: C:\w3790i.exe c:\w3790i.exe
Source: C:\w3790i.exe	Process created: C:\bp1975.exe c:\bp1975.exe
Source: C:\oaweb.exe	Process created: C:\90omsp.exe c:\90omsp.exe
Source: C:\90omsp.exe	Process created: C:\lb31975.exe c:\lb31975.exe
Source: C:\lb31975.exe	Process created: C:\hb5kc8c.exe c:\hb5kc8c.exe
Source: C:\hb5kc8c.exe	Process created: C:\webp1.exe c:\webp1.exe
Source: C:\webp1.exe	Process created: C:\e81f5.exe c:\e81f5.exe
Source: C:\e81f5.exe	Process created: C:\281l59.exe c:\281l59.exe
Source: C:\281l59.exe	Process created: C:\71122as.exe c:\71122as.exe
Source: C:\71122as.exe	Process created: C:\urh7531.exe c:\urh7531.exe
Source: C:\urh7531.exe	Process created: C:\fx2dr.exe c:\fx2dr.exe
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Process created: C:\mkqnd97.exe c:\mkqnd97.exe
Source: C:\mkqnd97.exe	Process created: C:\78d5dr1.exe c:\78d5dr1.exe
Source: C:\78d5dr1.exe	Process created: C:\2qkewqk.exe c:\2qkewqk.exe
Source: C:\2qkewqk.exe	Process created: C:\ourh31.exe c:\ourh31.exe
Source: C:\ourh31.exe	Process created: C:\g7112.exe c:\g7112.exe
Source: C:\g7112.exe	Process created: C:\hk977.exe c:\hk977.exe
Source: C:\hk977.exe	Process created: C:\7kiolb.exe c:\7kiolb.exe
Source: C:\7kiolb.exe	Process created: C:\7kiolb.exe c:\7kiolb.exe
Source: C:\7kiolb.exe	Process created: C:\pf753.exe c:\pf753.exe
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Process created: C:\m2mwu.exe c:\m2mwu.exe	Jump to behavior
Source: C:\m2mwu.exe	Process created: C:\re8eo.exe c:\re8eo.exe	Jump to behavior
Source: C:\re8eo.exe	Process created: C:\4vd771.exe c:\4vd771.exe	Jump to behavior
Source: C:\4vd771.exe	Process created: C:\qnd197.exe c:\qnd197.exe	Jump to behavior
Source: C:\qnd197.exe	Process created: C:\oaweb.exe c:\oaweb.exe	Jump to behavior
Source: C:\oaweb.exe	Process created: C:\36hmq.exe c:\36hmq.exe	Jump to behavior
Source: C:\36hmq.exe	Process created: C:\4uoic.exe c:\4uoic.exe	Jump to behavior
Source: C:\4uoic.exe	Process created: C:\w7711.exe c:\w7711.exe	Jump to behavior
Source: C:\w7711.exe	Process created: C:\isqwt.exe c:\isqwt.exe	Jump to behavior
Source: C:\isqwt.exe	Process created: C:\s1oaw.exe c:\s1oaw.exe	Jump to behavior
Source: C:\s1oaw.exe	Process created: C:\559900.exe c:\559900.exe	Jump to behavior
Source: C:\559900.exe	Process created: C:\spf19.exe c:\spf19.exe	Jump to behavior
Source: C:\spf19.exe	Process created: C:\93344.exe c:\93344.exe	Jump to behavior
Source: C:\93344.exe	Process created: C:\6r61155.exe c:\6r61155.exe	Jump to behavior
Source: C:\6r61155.exe	Process created: C:\7788uoi.exe c:\7788uoi.exe	Jump to behavior
Source: C:\7788uoi.exe	Process created: C:\rh53197.exe c:\rh53197.exe	Jump to behavior
Source: C:\rh53197.exe	Process created: C:\5787leo.exe c:\5787leo.exe	Jump to behavior
Source: C:\5787leo.exe	Process created: C:\88oxxqc.exe c:\88oxxqc.exe	Jump to behavior
Source: C:\88oxxqc.exe	Process created: C:\83377.exe c:\83377.exe	Jump to behavior
Source: C:\83377.exe	Process created: C:\w3790i.exe c:\w3790i.exe	Jump to behavior
Source: C:\w3790i.exe	Process created: C:\bp1975.exe c:\bp1975.exe	Jump to behavior
Source: C:\bp1975.exe	Process created: C:\90omsp.exe c:\90omsp.exe	Jump to behavior
Source: C:\90omsp.exe	Process created: C:\lb31975.exe c:\lb31975.exe	Jump to behavior
Source: C:\lb31975.exe	Process created: C:\hb5kc8c.exe c:\hb5kc8c.exe	Jump to behavior
Source: C:\hb5kc8c.exe	Process created: C:\webp1.exe c:\webp1.exe	Jump to behavior
Source: C:\webp1.exe	Process created: C:\e81f5.exe c:\e81f5.exe	Jump to behavior
Source: C:\e81f5.exe	Process created: C:\281l59.exe c:\281l59.exe	Jump to behavior
Source: C:\281l59.exe	Process created: C:\71122as.exe c:\71122as.exe	Jump to behavior
Source: C:\71122as.exe	Process created: C:\urh7531.exe c:\urh7531.exe	Jump to behavior
Source: C:\urh7531.exe	Process created: C:\fx2dr.exe c:\fx2dr.exe	Jump to behavior
Source: C:\fx2dr.exe	Process created: C:\mkqnd97.exe c:\mkqnd97.exe	Jump to behavior
Source: C:\mkqnd97.exe	Process created: C:\78d5dr1.exe c:\78d5dr1.exe	Jump to behavior
Source: C:\78d5dr1.exe	Process created: C:\2qkewqk.exe c:\2qkewqk.exe
Source: C:\2qkewqk.exe	Process created: C:\ourh31.exe c:\ourh31.exe
Source: C:\ourh31.exe	Process created: C:\g7112.exe c:\g7112.exe
Source: C:\g7112.exe	Process created: C:\hk977.exe c:\hk977.exe
Source: C:\hk977.exe	Process created: C:\7kiolb.exe c:\7kiolb.exe
Source: C:\7kiolb.exe	Process created: C:\7kiolb.exe c:\7kiolb.exe
Source: C:\7kiolb.exe	Process created: C:\pf753.exe c:\pf753.exe
Source: C:\pf753.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\m2mwu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\re8eo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\4vd771.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\qnd197.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\oaweb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\36hmq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\4uoic.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\w7711.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\isqwt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\s1oaw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\559900.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\spf19.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\93344.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\6r61155.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\7788uoi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\rh53197.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\5787leo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\88oxxqc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\83377.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\w3790i.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\bp1975.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\90omsp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\lb31975.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\hb5kc8c.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\webp1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\e81f5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\281l59.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\71122as.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\urh7531.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\fx2dr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\mkqnd97.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\78d5dr1.exe	Section loaded: apphelp.dll
Source: C:\2qkewqk.exe	Section loaded: apphelp.dll
Source: C:\ourh31.exe	Section loaded: apphelp.dll
Source: C:\g7112.exe	Section loaded: apphelp.dll
Source: C:\hk977.exe	Section loaded: apphelp.dll
Source: C:\7kiolb.exe	Section loaded: apphelp.dll
Source: C:\7kiolb.exe	Section loaded: apphelp.dll
Source: C:\pf753.exe	Section loaded: apphelp.dll

Source: Fm9MoDgH7O.exe	Static PE information: section name:
Source: Fm9MoDgH7O.exe	Static PE information: section name: petite
Source: m2mwu.exe.0.dr	Static PE information: section name:
Source: m2mwu.exe.0.dr	Static PE information: section name: petite
Source: re8eo.exe.1.dr	Static PE information: section name:
Source: re8eo.exe.1.dr	Static PE information: section name: petite
Source: 4vd771.exe.2.dr	Static PE information: section name:
Source: 4vd771.exe.2.dr	Static PE information: section name: petite
Source: qnd197.exe.3.dr	Static PE information: section name:
Source: qnd197.exe.3.dr	Static PE information: section name: petite
Source: oaweb.exe.4.dr	Static PE information: section name:
Source: oaweb.exe.4.dr	Static PE information: section name: petite
Source: 36hmq.exe.5.dr	Static PE information: section name:
Source: 36hmq.exe.5.dr	Static PE information: section name: petite
Source: 4uoic.exe.6.dr	Static PE information: section name:
Source: 4uoic.exe.6.dr	Static PE information: section name: petite
Source: w7711.exe.7.dr	Static PE information: section name:
Source: w7711.exe.7.dr	Static PE information: section name: petite
Source: isqwt.exe.8.dr	Static PE information: section name:
Source: isqwt.exe.8.dr	Static PE information: section name: petite
Source: s1oaw.exe.9.dr	Static PE information: section name:
Source: s1oaw.exe.9.dr	Static PE information: section name: petite
Source: 559900.exe.10.dr	Static PE information: section name:
Source: 559900.exe.10.dr	Static PE information: section name: petite
Source: spf19.exe.11.dr	Static PE information: section name:
Source: spf19.exe.11.dr	Static PE information: section name: petite
Source: 93344.exe.12.dr	Static PE information: section name:
Source: 93344.exe.12.dr	Static PE information: section name: petite
Source: 6r61155.exe.13.dr	Static PE information: section name:
Source: 6r61155.exe.13.dr	Static PE information: section name: petite
Source: 7788uoi.exe.14.dr	Static PE information: section name:
Source: 7788uoi.exe.14.dr	Static PE information: section name: petite
Source: rh53197.exe.15.dr	Static PE information: section name:
Source: rh53197.exe.15.dr	Static PE information: section name: petite
Source: 5787leo.exe.16.dr	Static PE information: section name:
Source: 5787leo.exe.16.dr	Static PE information: section name: petite
Source: 88oxxqc.exe.17.dr	Static PE information: section name:
Source: 88oxxqc.exe.17.dr	Static PE information: section name: petite
Source: 83377.exe.18.dr	Static PE information: section name:
Source: 83377.exe.18.dr	Static PE information: section name: petite
Source: w3790i.exe.19.dr	Static PE information: section name:
Source: w3790i.exe.19.dr	Static PE information: section name: petite
Source: bp1975.exe.20.dr	Static PE information: section name:
Source: bp1975.exe.20.dr	Static PE information: section name: petite
Source: 90omsp.exe.21.dr	Static PE information: section name:
Source: 90omsp.exe.21.dr	Static PE information: section name: petite
Source: lb31975.exe.22.dr	Static PE information: section name:
Source: lb31975.exe.22.dr	Static PE information: section name: petite
Source: hb5kc8c.exe.23.dr	Static PE information: section name:
Source: hb5kc8c.exe.23.dr	Static PE information: section name: petite
Source: webp1.exe.24.dr	Static PE information: section name:
Source: webp1.exe.24.dr	Static PE information: section name: petite
Source: e81f5.exe.25.dr	Static PE information: section name:
Source: e81f5.exe.25.dr	Static PE information: section name: petite
Source: 281l59.exe.26.dr	Static PE information: section name:
Source: 281l59.exe.26.dr	Static PE information: section name: petite
Source: 71122as.exe.27.dr	Static PE information: section name:
Source: 71122as.exe.27.dr	Static PE information: section name: petite
Source: urh7531.exe.28.dr	Static PE information: section name:
Source: urh7531.exe.28.dr	Static PE information: section name: petite
Source: fx2dr.exe.29.dr	Static PE information: section name:
Source: fx2dr.exe.29.dr	Static PE information: section name: petite
Source: mkqnd97.exe.30.dr	Static PE information: section name:
Source: mkqnd97.exe.30.dr	Static PE information: section name: petite
Source: 78d5dr1.exe.31.dr	Static PE information: section name:
Source: 78d5dr1.exe.31.dr	Static PE information: section name: petite
Source: 2qkewqk.exe.32.dr	Static PE information: section name:
Source: 2qkewqk.exe.32.dr	Static PE information: section name: petite
Source: ourh31.exe.33.dr	Static PE information: section name:
Source: ourh31.exe.33.dr	Static PE information: section name: petite
Source: g7112.exe.34.dr	Static PE information: section name:
Source: g7112.exe.34.dr	Static PE information: section name: petite
Source: hk977.exe.35.dr	Static PE information: section name:
Source: hk977.exe.35.dr	Static PE information: section name: petite
Source: 7kiolb.exe.36.dr	Static PE information: section name:
Source: 7kiolb.exe.36.dr	Static PE information: section name: petite
Source: pf753.exe.38.dr	Static PE information: section name:
Source: pf753.exe.38.dr	Static PE information: section name: petite
Source: 1wk599.exe.39.dr	Static PE information: section name:
Source: 1wk599.exe.39.dr	Static PE information: section name: petite

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B4C69 push ss; retf	0_3_006B4C6C
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B5A3E push dword ptr [edi+4025C623h]; retf	0_3_006B5A47
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B2A1F push ds; iretd	0_3_006B2A30
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B08E0 push ebp; iretd	0_3_006B08E6
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B20C4 push ebp; retf	0_3_006B20CC
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B18DA push ebp; ret	0_3_006B18EB
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B0AD4 push eax; ret	0_3_006B0AD7
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B5F62 push ss; retf	0_3_006B5F63
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B5958 push eax; retf	0_3_006B5959
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Code function: 0_3_006B4D8C push ebx; iretd	0_3_006B4D8D
Source: C:\m2mwu.exe	Code function: 1_3_00524C69 push ss; retf	1_3_00524C6C
Source: C:\m2mwu.exe	Code function: 1_3_00522A1F push ds; iretd	1_3_00522A30
Source: C:\m2mwu.exe	Code function: 1_3_00525A3E push dword ptr [edi+4025C623h]; retf	1_3_00525A47
Source: C:\m2mwu.exe	Code function: 1_3_00520AD4 push eax; ret	1_3_00520AD7
Source: C:\m2mwu.exe	Code function: 1_3_005218DA push ebp; ret	1_3_005218EB
Source: C:\m2mwu.exe	Code function: 1_3_005220C4 push ebp; retf	1_3_005220CC
Source: C:\m2mwu.exe	Code function: 1_3_005208E0 push ebp; iretd	1_3_005208E6
Source: C:\m2mwu.exe	Code function: 1_3_00525958 push eax; retf	1_3_00525959
Source: C:\m2mwu.exe	Code function: 1_3_00525F62 push ss; retf	1_3_00525F63
Source: C:\m2mwu.exe	Code function: 1_3_00524D8C push ebx; iretd	1_3_00524D8D
Source: C:\re8eo.exe	Code function: 2_3_004D4C69 push ss; retf	2_3_004D4C6C
Source: C:\re8eo.exe	Code function: 2_3_004D2A1F push ds; iretd	2_3_004D2A30
Source: C:\re8eo.exe	Code function: 2_3_004D5A3E push dword ptr [edi+4025C623h]; retf	2_3_004D5A47
Source: C:\re8eo.exe	Code function: 2_3_004D20C4 push ebp; retf	2_3_004D20CC
Source: C:\re8eo.exe	Code function: 2_3_004D18DA push ebp; ret	2_3_004D18EB
Source: C:\re8eo.exe	Code function: 2_3_004D0AD4 push eax; ret	2_3_004D0AD7
Source: C:\re8eo.exe	Code function: 2_3_004D08E0 push ebp; iretd	2_3_004D08E6
Source: C:\re8eo.exe	Code function: 2_3_004D5958 push eax; retf	2_3_004D5959
Source: C:\re8eo.exe	Code function: 2_3_004D5F62 push ss; retf	2_3_004D5F63
Source: C:\re8eo.exe	Code function: 2_3_004D4D8C push ebx; iretd	2_3_004D4D8D
Source: C:\4vd771.exe	Code function: 3_3_006B4C69 push ss; retf	3_3_006B4C6C

Source: Fm9MoDgH7O.exe	Static PE information: section name: entropy: 7.663081984917489
Source: m2mwu.exe.0.dr	Static PE information: section name: entropy: 7.663081984917489
Source: re8eo.exe.1.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 4vd771.exe.2.dr	Static PE information: section name: entropy: 7.663081984917489
Source: qnd197.exe.3.dr	Static PE information: section name: entropy: 7.663081984917489
Source: oaweb.exe.4.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 36hmq.exe.5.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 4uoic.exe.6.dr	Static PE information: section name: entropy: 7.663081984917489
Source: w7711.exe.7.dr	Static PE information: section name: entropy: 7.663081984917489
Source: isqwt.exe.8.dr	Static PE information: section name: entropy: 7.663081984917489
Source: s1oaw.exe.9.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 559900.exe.10.dr	Static PE information: section name: entropy: 7.663081984917489
Source: spf19.exe.11.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 93344.exe.12.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 6r61155.exe.13.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 7788uoi.exe.14.dr	Static PE information: section name: entropy: 7.663081984917489
Source: rh53197.exe.15.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 5787leo.exe.16.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 88oxxqc.exe.17.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 83377.exe.18.dr	Static PE information: section name: entropy: 7.663081984917489
Source: w3790i.exe.19.dr	Static PE information: section name: entropy: 7.663081984917489
Source: bp1975.exe.20.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 90omsp.exe.21.dr	Static PE information: section name: entropy: 7.663081984917489
Source: lb31975.exe.22.dr	Static PE information: section name: entropy: 7.663081984917489
Source: hb5kc8c.exe.23.dr	Static PE information: section name: entropy: 7.663081984917489
Source: webp1.exe.24.dr	Static PE information: section name: entropy: 7.663081984917489
Source: e81f5.exe.25.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 281l59.exe.26.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 71122as.exe.27.dr	Static PE information: section name: entropy: 7.663081984917489
Source: urh7531.exe.28.dr	Static PE information: section name: entropy: 7.663081984917489
Source: fx2dr.exe.29.dr	Static PE information: section name: entropy: 7.663081984917489
Source: mkqnd97.exe.30.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 78d5dr1.exe.31.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 2qkewqk.exe.32.dr	Static PE information: section name: entropy: 7.663081984917489
Source: ourh31.exe.33.dr	Static PE information: section name: entropy: 7.663081984917489
Source: g7112.exe.34.dr	Static PE information: section name: entropy: 7.663081984917489
Source: hk977.exe.35.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 7kiolb.exe.36.dr	Static PE information: section name: entropy: 7.663081984917489
Source: pf753.exe.38.dr	Static PE information: section name: entropy: 7.663081984917489
Source: 1wk599.exe.39.dr	Static PE information: section name: entropy: 7.663081984917489

Source: C:\m2mwu.exe	File created: C:\re8eo.exe	Jump to dropped file
Source: C:\oaweb.exe	File created: C:\36hmq.exe	Jump to dropped file
Source: C:\93344.exe	File created: C:\6r61155.exe	Jump to dropped file
Source: C:\88oxxqc.exe	File created: C:\83377.exe	Jump to dropped file
Source: C:\36hmq.exe	File created: C:\4uoic.exe	Jump to dropped file
Source: C:\bp1975.exe	File created: C:\90omsp.exe	Jump to dropped file
Source: C:\5787leo.exe	File created: C:\88oxxqc.exe	Jump to dropped file
Source: C:\g7112.exe	File created: C:\hk977.exe	Jump to dropped file
Source: C:\rh53197.exe	File created: C:\5787leo.exe	Jump to dropped file
Source: C:\hb5kc8c.exe	File created: C:\webp1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	File created: C:\m2mwu.exe	Jump to dropped file
Source: C:\w7711.exe	File created: C:\isqwt.exe	Jump to dropped file
Source: C:\4uoic.exe	File created: C:\w7711.exe	Jump to dropped file
Source: C:\7kiolb.exe	File created: C:\pf753.exe	Jump to dropped file
Source: C:\webp1.exe	File created: C:\e81f5.exe	Jump to dropped file
Source: C:\78d5dr1.exe	File created: C:\2qkewqk.exe	Jump to dropped file
Source: C:\w3790i.exe	File created: C:\bp1975.exe	Jump to dropped file
Source: C:\lb31975.exe	File created: C:\hb5kc8c.exe	Jump to dropped file
Source: C:\7788uoi.exe	File created: C:\rh53197.exe	Jump to dropped file
Source: C:\spf19.exe	File created: C:\93344.exe	Jump to dropped file
Source: C:\e81f5.exe	File created: C:\281l59.exe	Jump to dropped file
Source: C:\ourh31.exe	File created: C:\g7112.exe	Jump to dropped file
Source: C:\4vd771.exe	File created: C:\qnd197.exe	Jump to dropped file
Source: C:\90omsp.exe	File created: C:\lb31975.exe	Jump to dropped file
Source: C:\pf753.exe	File created: C:\1wk599.exe	Jump to dropped file
Source: C:\281l59.exe	File created: C:\71122as.exe	Jump to dropped file
Source: C:\83377.exe	File created: C:\w3790i.exe	Jump to dropped file
Source: C:\s1oaw.exe	File created: C:\559900.exe	Jump to dropped file
Source: C:\fx2dr.exe	File created: C:\mkqnd97.exe	Jump to dropped file
Source: C:\hk977.exe	File created: C:\7kiolb.exe	Jump to dropped file
Source: C:\qnd197.exe	File created: C:\oaweb.exe	Jump to dropped file
Source: C:\isqwt.exe	File created: C:\s1oaw.exe	Jump to dropped file
Source: C:\urh7531.exe	File created: C:\fx2dr.exe	Jump to dropped file
Source: C:\mkqnd97.exe	File created: C:\78d5dr1.exe	Jump to dropped file
Source: C:\71122as.exe	File created: C:\urh7531.exe	Jump to dropped file
Source: C:\2qkewqk.exe	File created: C:\ourh31.exe	Jump to dropped file
Source: C:\559900.exe	File created: C:\spf19.exe	Jump to dropped file
Source: C:\re8eo.exe	File created: C:\4vd771.exe	Jump to dropped file
Source: C:\6r61155.exe	File created: C:\7788uoi.exe	Jump to dropped file

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\m2mwu.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\re8eo.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\4vd771.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\qnd197.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\oaweb.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\36hmq.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\4uoic.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\w7711.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\isqwt.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\s1oaw.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\559900.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\spf19.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\93344.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\6r61155.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\7788uoi.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\rh53197.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\5787leo.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\88oxxqc.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\83377.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\w3790i.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\bp1975.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\90omsp.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\lb31975.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\hb5kc8c.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\webp1.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\e81f5.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\281l59.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\71122as.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\urh7531.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\fx2dr.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\mkqnd97.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\78d5dr1.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\2qkewqk.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\ourh31.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\g7112.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\hk977.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\7kiolb.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\7kiolb.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4ED0B69h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4ED097Ah 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4ED097Ah 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4ED0A5Ch 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4ED0B19h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4ED0910h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc
Source: C:\pf753.exe	RDTSC instruction interceptor: First address: 402165 second address: 402165 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 00000017h 0x00000007 mul ecx 0x00000009 add eax, 07h 0x0000000c mov ecx, dword ptr [ebp+0Ch] 0x0000000f sub ecx, dword ptr [ebp+08h] 0x00000012 inc ecx 0x00000013 xor edx, edx 0x00000015 div ecx 0x00000017 add edx, dword ptr [ebp+08h] 0x0000001a mov eax, edx 0x0000001c pop edx 0x0000001d pop ecx 0x0000001e leave 0x0000001f retn 0008h 0x00000022 mov dword ptr [ebp-0Ch], eax 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 xor ecx, ecx 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c push eax 0x0000002d cmp ecx, eax 0x0000002f jg 00007EFCC4B886C9h 0x00000035 cmp dword ptr [ebp+10h], 01h 0x00000039 jne 00007EFCC4B884DAh 0x0000003f cmp dword ptr [ebp+10h], 02h 0x00000043 jne 00007EFCC4B884DAh 0x00000049 cmp dword ptr [ebp+10h], 03h 0x0000004d jne 00007EFCC4B885BCh 0x00000053 push 000003E8h 0x00000058 push 00000001h 0x0000005d call 00007EFCC4B88679h 0x00000062 push ebp 0x00000063 mov ebp, esp 0x00000065 sub esp, 00000004h 0x0000006b mov eax, dword ptr [ebp+08h] 0x0000006e cmp dword ptr [ebp+0Ch], eax 0x00000071 jnl 00007EFCC4B88470h 0x00000077 push ecx 0x00000078 push edx 0x00000079 rdtsc

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe

Code function: 0_2_00402144 rdtsc

0_2_00402144

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe

Code function: 0_2_0041C26F sldt word ptr [eax]

0_2_0041C26F

Source: C:\pf753.exe

Dropped PE file which has not been started: C:\1wk599.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	API call chain: ExitProcess graph end node	graph_0-10799
Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	API call chain: ExitProcess graph end node	graph_0-10796
Source: C:\m2mwu.exe	API call chain: ExitProcess graph end node	graph_1-10799
Source: C:\m2mwu.exe	API call chain: ExitProcess graph end node	graph_1-10796
Source: C:\re8eo.exe	API call chain: ExitProcess graph end node	graph_2-10799
Source: C:\re8eo.exe	API call chain: ExitProcess graph end node	graph_2-10796
Source: C:\4vd771.exe	API call chain: ExitProcess graph end node	graph_3-10799
Source: C:\4vd771.exe	API call chain: ExitProcess graph end node	graph_3-10796
Source: C:\qnd197.exe	API call chain: ExitProcess graph end node	graph_4-10799
Source: C:\qnd197.exe	API call chain: ExitProcess graph end node	graph_4-10796
Source: C:\oaweb.exe	API call chain: ExitProcess graph end node	graph_5-10799
Source: C:\oaweb.exe	API call chain: ExitProcess graph end node	graph_5-10796
Source: C:\w7711.exe	API call chain: ExitProcess graph end node	graph_8-10799
Source: C:\w7711.exe	API call chain: ExitProcess graph end node	graph_8-10796
Source: C:\isqwt.exe	API call chain: ExitProcess graph end node	graph_9-10799
Source: C:\isqwt.exe	API call chain: ExitProcess graph end node	graph_9-10796
Source: C:\s1oaw.exe	API call chain: ExitProcess graph end node	graph_10-10799
Source: C:\s1oaw.exe	API call chain: ExitProcess graph end node	graph_10-10796
Source: C:\559900.exe	API call chain: ExitProcess graph end node	graph_11-10799
Source: C:\559900.exe	API call chain: ExitProcess graph end node	graph_11-10796
Source: C:\spf19.exe	API call chain: ExitProcess graph end node	graph_12-10799
Source: C:\spf19.exe	API call chain: ExitProcess graph end node	graph_12-10796
Source: C:\93344.exe	API call chain: ExitProcess graph end node	graph_13-10799
Source: C:\93344.exe	API call chain: ExitProcess graph end node	graph_13-10796
Source: C:\6r61155.exe	API call chain: ExitProcess graph end node	graph_14-10799
Source: C:\6r61155.exe	API call chain: ExitProcess graph end node	graph_14-10796
Source: C:\7788uoi.exe	API call chain: ExitProcess graph end node
Source: C:\7788uoi.exe	API call chain: ExitProcess graph end node
Source: C:\rh53197.exe	API call chain: ExitProcess graph end node
Source: C:\rh53197.exe	API call chain: ExitProcess graph end node
Source: C:\5787leo.exe	API call chain: ExitProcess graph end node
Source: C:\5787leo.exe	API call chain: ExitProcess graph end node
Source: C:\88oxxqc.exe	API call chain: ExitProcess graph end node
Source: C:\88oxxqc.exe	API call chain: ExitProcess graph end node
Source: C:\w3790i.exe	API call chain: ExitProcess graph end node
Source: C:\w3790i.exe	API call chain: ExitProcess graph end node
Source: C:\bp1975.exe	API call chain: ExitProcess graph end node
Source: C:\bp1975.exe	API call chain: ExitProcess graph end node
Source: C:\90omsp.exe	API call chain: ExitProcess graph end node
Source: C:\90omsp.exe	API call chain: ExitProcess graph end node
Source: C:\webp1.exe	API call chain: ExitProcess graph end node
Source: C:\webp1.exe	API call chain: ExitProcess graph end node
Source: C:\281l59.exe	API call chain: ExitProcess graph end node
Source: C:\281l59.exe	API call chain: ExitProcess graph end node
Source: C:\71122as.exe	API call chain: ExitProcess graph end node
Source: C:\71122as.exe	API call chain: ExitProcess graph end node
Source: C:\urh7531.exe	API call chain: ExitProcess graph end node
Source: C:\urh7531.exe	API call chain: ExitProcess graph end node
Source: C:\fx2dr.exe	API call chain: ExitProcess graph end node
Source: C:\fx2dr.exe	API call chain: ExitProcess graph end node
Source: C:\mkqnd97.exe	API call chain: ExitProcess graph end node
Source: C:\mkqnd97.exe	API call chain: ExitProcess graph end node
Source: C:\78d5dr1.exe	API call chain: ExitProcess graph end node
Source: C:\78d5dr1.exe	API call chain: ExitProcess graph end node
Source: C:\ourh31.exe	API call chain: ExitProcess graph end node
Source: C:\ourh31.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe

Code function: 0_2_00402144 rdtsc

0_2_00402144

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe

Code function: 0_2_004023A0 GetProcessHeap,RtlAllocateHeap,MessageBoxA,

0_2_004023A0

Source: C:\Users\user\Desktop\Fm9MoDgH7O.exe	Process created: C:\m2mwu.exe c:\m2mwu.exe	Jump to behavior
Source: C:\m2mwu.exe	Process created: C:\re8eo.exe c:\re8eo.exe	Jump to behavior
Source: C:\re8eo.exe	Process created: C:\4vd771.exe c:\4vd771.exe	Jump to behavior
Source: C:\4vd771.exe	Process created: C:\qnd197.exe c:\qnd197.exe	Jump to behavior
Source: C:\qnd197.exe	Process created: C:\oaweb.exe c:\oaweb.exe	Jump to behavior
Source: C:\oaweb.exe	Process created: C:\36hmq.exe c:\36hmq.exe	Jump to behavior
Source: C:\36hmq.exe	Process created: C:\4uoic.exe c:\4uoic.exe	Jump to behavior
Source: C:\4uoic.exe	Process created: C:\w7711.exe c:\w7711.exe	Jump to behavior
Source: C:\w7711.exe	Process created: C:\isqwt.exe c:\isqwt.exe	Jump to behavior
Source: C:\isqwt.exe	Process created: C:\s1oaw.exe c:\s1oaw.exe	Jump to behavior
Source: C:\s1oaw.exe	Process created: C:\559900.exe c:\559900.exe	Jump to behavior
Source: C:\559900.exe	Process created: C:\spf19.exe c:\spf19.exe	Jump to behavior
Source: C:\spf19.exe	Process created: C:\93344.exe c:\93344.exe	Jump to behavior
Source: C:\93344.exe	Process created: C:\6r61155.exe c:\6r61155.exe	Jump to behavior
Source: C:\6r61155.exe	Process created: C:\7788uoi.exe c:\7788uoi.exe	Jump to behavior
Source: C:\7788uoi.exe	Process created: C:\rh53197.exe c:\rh53197.exe	Jump to behavior
Source: C:\rh53197.exe	Process created: C:\5787leo.exe c:\5787leo.exe	Jump to behavior
Source: C:\5787leo.exe	Process created: C:\88oxxqc.exe c:\88oxxqc.exe	Jump to behavior
Source: C:\88oxxqc.exe	Process created: C:\83377.exe c:\83377.exe	Jump to behavior
Source: C:\83377.exe	Process created: C:\w3790i.exe c:\w3790i.exe	Jump to behavior
Source: C:\w3790i.exe	Process created: C:\bp1975.exe c:\bp1975.exe	Jump to behavior
Source: C:\bp1975.exe	Process created: C:\90omsp.exe c:\90omsp.exe	Jump to behavior
Source: C:\90omsp.exe	Process created: C:\lb31975.exe c:\lb31975.exe	Jump to behavior
Source: C:\lb31975.exe	Process created: C:\hb5kc8c.exe c:\hb5kc8c.exe	Jump to behavior
Source: C:\hb5kc8c.exe	Process created: C:\webp1.exe c:\webp1.exe	Jump to behavior
Source: C:\webp1.exe	Process created: C:\e81f5.exe c:\e81f5.exe	Jump to behavior
Source: C:\e81f5.exe	Process created: C:\281l59.exe c:\281l59.exe	Jump to behavior
Source: C:\281l59.exe	Process created: C:\71122as.exe c:\71122as.exe	Jump to behavior
Source: C:\71122as.exe	Process created: C:\urh7531.exe c:\urh7531.exe	Jump to behavior
Source: C:\urh7531.exe	Process created: C:\fx2dr.exe c:\fx2dr.exe	Jump to behavior
Source: C:\fx2dr.exe	Process created: C:\mkqnd97.exe c:\mkqnd97.exe	Jump to behavior
Source: C:\mkqnd97.exe	Process created: C:\78d5dr1.exe c:\78d5dr1.exe	Jump to behavior
Source: C:\78d5dr1.exe	Process created: C:\2qkewqk.exe c:\2qkewqk.exe
Source: C:\2qkewqk.exe	Process created: C:\ourh31.exe c:\ourh31.exe
Source: C:\ourh31.exe	Process created: C:\g7112.exe c:\g7112.exe
Source: C:\g7112.exe	Process created: C:\hk977.exe c:\hk977.exe
Source: C:\hk977.exe	Process created: C:\7kiolb.exe c:\7kiolb.exe
Source: C:\7kiolb.exe	Process created: C:\7kiolb.exe c:\7kiolb.exe
Source: C:\7kiolb.exe	Process created: C:\pf753.exe c:\pf753.exe
Source: C:\pf753.exe	Process created: unknown unknown

Stealing of Sensitive Information

Yara detected Petite Virus

Source: Yara match	File source: Fm9MoDgH7O.exe, type: SAMPLE
Source: Yara match	File source: 11.3.559900.exe.784800.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.6f3948.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.4f3910.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Fm9MoDgH7O.exe.75f020.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.52d868.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.75e470.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.52d868.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7de520.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.72f0d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.61d848.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.7cd980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.53e3a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.763c18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.72f0d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.544918.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.67e4f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.6f3948.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.79dc60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.834998.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.54e530.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.834998.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4de350.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.7247b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.6ce390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.86e400.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.77d888.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.644918.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.624a98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.54e530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.72d8d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.4e47d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.5ce2b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.75e230.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.51e270.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7ed788.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.75e230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.73e4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.72f0d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.6ce1f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.72d8c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.65e330.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5c3c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5c3c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.80e6d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.7be2c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.6ce390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7de520.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.79e310.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.71122as.exe.68eea0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.6ce390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6cf2e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.7d4ab8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4de350.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.5e3900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.53e3a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.624840.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7b38a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.72d8c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5848d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.7be2c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.56d718.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6fe1c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.71e390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Fm9MoDgH7O.exe.7255f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.57e4e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.56d718.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.75e470.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.71122as.exe.68eea0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.72d8d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.56d718.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.79e310.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.72d8c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.51e270.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.77d888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.71e390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.66e370.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6957b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.75e470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.77d888.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.64dc00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.65e330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5de5e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6c4780.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.613be8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.71122as.exe.68eea0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.61d848.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.51e270.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.694908.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.61d848.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5de5e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5fdc58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.613be8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.75e470.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.7648c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.7d4ab8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6957b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.7be2c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.57e4e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.79dc60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.72f0d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7ed788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.53e3a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.7248d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.80e6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7de520.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.743920.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.793aa8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.79dc60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.79dc60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.65e698.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.66e370.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4a4850.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Fm9MoDgH7O.exe.75f020.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.763c18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.65e698.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.694798.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.67e4f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7ed788.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.79e310.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.52d868.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.73e4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6c4780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.743920.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.72d8d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.73e4a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5be460.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.72d8c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5de5e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.57e4e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6fe1c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.514940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.4e47d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.514940.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.694908.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5fdc58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.65e698.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.504878.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.6ce1f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.75e230.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.73e4a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.71122as.exe.654ee0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.7048f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.64dc00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.77d888.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5a4990.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.51e270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.64dc00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.594800.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.7be2c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.624a98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.54e530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.7cd980.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.7247b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.6ce1f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.52d868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5fdc58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.65e330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.634860.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.504878.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.56d718.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.67e4f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6cf2e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.71e390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7a4938.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.634860.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5be460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.5ce2b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7b38a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.67e4f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6cf2e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5de5e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6cf2e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.71e390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4de350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.86e400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.533868.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.5e3900.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.594800.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.694798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.793aa8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.6e4870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.80e6d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.72d8d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.784800.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.61d848.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.80e6d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.53e3a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.7248d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6fe1c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.65e330.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5be460.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.71122as.exe.654ee0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.6f3940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.544918.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.533868.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.6ce390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5be460.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.624840.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.66e370.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.5ce2b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.71122as.exe.68eea0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.6f3940.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.79e310.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.6ce1f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.54e530.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5848d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.5ce2b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.64dc00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.86e400.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7ed788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Fm9MoDgH7O.exe.7255f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.7cd980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4a4850.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.4f3910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.6f56a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7de520.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.57e4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.66e370.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.86e400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.644918.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.7cd980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7a4938.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.65e698.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.75e230.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.7648c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5fdc58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6fe1c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.6f56a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4de350.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5a4990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.6e4870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.7048f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000003.1682894023.000000000064D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1674405309.000000000072D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1650992588.000000000079E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1649664251.000000000072F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1652636895.000000000075E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1658140773.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1679325212.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1672593235.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1672194840.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1676742574.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1662285471.000000000065E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1686270671.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1659900086.000000000066E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1681701645.000000000065E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1653176448.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1680483421.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1683878267.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1676228317.000000000072D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1649533860.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1658759497.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1661249438.000000000053E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1655204393.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1657724335.000000000077A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1651511750.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1655122137.000000000055E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1680999606.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1652569745.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1679256809.000000000050E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1664173966.000000000061D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1666334231.000000000052D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1651445469.000000000065D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1658830039.000000000065E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1659831613.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1676809616.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1662704858.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1677285923.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1649054171.000000000075F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1656767045.000000000075A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1679047841.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1659290404.000000000046D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1653108519.000000000065D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1686156392.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1683526760.000000000079C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1681609636.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1648983516.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1682379177.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1675808868.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1661172441.00000000004CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1677849478.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1660367415.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1659360069.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1656182067.000000000074D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1657090623.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1679812641.000000000060E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1684376837.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1653699442.000000000051E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1652036346.000000000086E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1683629674.000000000080E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1681072661.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1650924033.000000000072D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1677356804.000000000075E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1660432963.000000000071E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1656294889.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1678680014.000000000061D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1677919754.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1684659208.000000000072A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1663138809.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1654532288.000000000056D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1651970984.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1650205146.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1679880197.000000000067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1684894752.000000000079D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1664978597.00000000004BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1653633605.00000000004AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1667033564.000000000070A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1653947799.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1680414030.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1650138046.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fm9MoDgH7O.exe PID: 5596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m2mwu.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: re8eo.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4vd771.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qnd197.exe PID: 2680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oaweb.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 36hmq.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4uoic.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: w7711.exe PID: 1860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: isqwt.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s1oaw.exe PID: 6716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 559900.exe PID: 1732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: spf19.exe PID: 1260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 93344.exe PID: 3164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6r61155.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7788uoi.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rh53197.exe PID: 2472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5787leo.exe PID: 4092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 88oxxqc.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 83377.exe PID: 4600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: w3790i.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bp1975.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 90omsp.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lb31975.exe PID: 4604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hb5kc8c.exe PID: 4584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: webp1.exe PID: 2180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e81f5.exe PID: 5332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 281l59.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 71122as.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: urh7531.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fx2dr.exe PID: 5596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mkqnd97.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 78d5dr1.exe PID: 3552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2qkewqk.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ourh31.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: g7112.exe PID: 4908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hk977.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7kiolb.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7kiolb.exe PID: 6928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pf753.exe PID: 2188, type: MEMORYSTR
Source: Yara match	File source: C:\urh7531.exe, type: DROPPED
Source: Yara match	File source: C:\lb31975.exe, type: DROPPED
Source: Yara match	File source: C:\4uoic.exe, type: DROPPED
Source: Yara match	File source: C:\spf19.exe, type: DROPPED
Source: Yara match	File source: C:\hb5kc8c.exe, type: DROPPED
Source: Yara match	File source: C:\bp1975.exe, type: DROPPED
Source: Yara match	File source: C:\7788uoi.exe, type: DROPPED
Source: Yara match	File source: C:\83377.exe, type: DROPPED
Source: Yara match	File source: C:\pf753.exe, type: DROPPED
Source: Yara match	File source: C:\93344.exe, type: DROPPED
Source: Yara match	File source: C:\5787leo.exe, type: DROPPED
Source: Yara match	File source: C:\6r61155.exe, type: DROPPED
Source: Yara match	File source: C:\g7112.exe, type: DROPPED
Source: Yara match	File source: C:\90omsp.exe, type: DROPPED
Source: Yara match	File source: C:\hk977.exe, type: DROPPED
Source: Yara match	File source: C:\oaweb.exe, type: DROPPED
Source: Yara match	File source: C:\re8eo.exe, type: DROPPED
Source: Yara match	File source: C:\isqwt.exe, type: DROPPED
Source: Yara match	File source: C:\ourh31.exe, type: DROPPED
Source: Yara match	File source: C:\e81f5.exe, type: DROPPED
Source: Yara match	File source: C:\1wk599.exe, type: DROPPED
Source: Yara match	File source: C:\559900.exe, type: DROPPED
Source: Yara match	File source: C:\36hmq.exe, type: DROPPED
Source: Yara match	File source: C:\qnd197.exe, type: DROPPED
Source: Yara match	File source: C:\2qkewqk.exe, type: DROPPED
Source: Yara match	File source: C:\w3790i.exe, type: DROPPED
Source: Yara match	File source: C:\88oxxqc.exe, type: DROPPED
Source: Yara match	File source: C:\7kiolb.exe, type: DROPPED
Source: Yara match	File source: C:\fx2dr.exe, type: DROPPED
Source: Yara match	File source: C:\rh53197.exe, type: DROPPED
Source: Yara match	File source: C:\281l59.exe, type: DROPPED
Source: Yara match	File source: C:\s1oaw.exe, type: DROPPED
Source: Yara match	File source: C:\webp1.exe, type: DROPPED
Source: Yara match	File source: C:\m2mwu.exe, type: DROPPED
Source: Yara match	File source: C:\w7711.exe, type: DROPPED
Source: Yara match	File source: C:\78d5dr1.exe, type: DROPPED
Source: Yara match	File source: C:\4vd771.exe, type: DROPPED
Source: Yara match	File source: C:\mkqnd97.exe, type: DROPPED
Source: Yara match	File source: C:\71122as.exe, type: DROPPED

Remote Access Functionality

Yara detected Petite Virus

Source: Yara match	File source: Fm9MoDgH7O.exe, type: SAMPLE
Source: Yara match	File source: 11.3.559900.exe.784800.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.6f3948.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.4f3910.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Fm9MoDgH7O.exe.75f020.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.52d868.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.75e470.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.52d868.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7de520.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.72f0d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.61d848.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.7cd980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.53e3a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.763c18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.72f0d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.544918.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.67e4f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.6f3948.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.79dc60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.834998.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.54e530.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.834998.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4de350.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.7247b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.6ce390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.86e400.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.77d888.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.644918.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.624a98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.54e530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.72d8d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.4e47d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.5ce2b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.75e230.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.51e270.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7ed788.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.75e230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.73e4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.72f0d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.6ce1f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.72d8c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.65e330.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5c3c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5c3c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.80e6d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.7be2c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.6ce390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7de520.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.79e310.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.71122as.exe.68eea0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.6ce390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6cf2e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.7d4ab8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4de350.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.5e3900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.53e3a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.624840.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7b38a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.72d8c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5848d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.7be2c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.56d718.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6fe1c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.71e390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Fm9MoDgH7O.exe.7255f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.57e4e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.56d718.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.75e470.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.71122as.exe.68eea0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.72d8d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.56d718.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.79e310.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.72d8c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.51e270.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.77d888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.71e390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.66e370.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6957b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.75e470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.77d888.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.64dc00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.65e330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5de5e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6c4780.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.613be8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.71122as.exe.68eea0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.61d848.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.51e270.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.694908.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.61d848.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5de5e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5fdc58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.613be8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.75e470.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.7648c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.7d4ab8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6957b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.7be2c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.57e4e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.79dc60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.72f0d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7ed788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.53e3a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.7248d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.80e6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7de520.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.743920.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.793aa8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.79dc60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.79dc60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.65e698.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.66e370.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4a4850.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Fm9MoDgH7O.exe.75f020.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.7kiolb.exe.763c18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.65e698.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.694798.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.67e4f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7ed788.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.79e310.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.52d868.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.73e4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6c4780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.743920.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.72d8d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.73e4a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5be460.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.72d8c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5de5e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.57e4e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6fe1c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.514940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.4e47d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.514940.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.694908.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5fdc58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.65e698.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.504878.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.6ce1f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.75e230.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.73e4a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.71122as.exe.654ee0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.7048f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.64dc00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.90omsp.exe.77d888.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5a4990.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.w7711.exe.51e270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.64dc00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.594800.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.7be2c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.624a98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.54e530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.7cd980.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.7247b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.6ce1f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.52d868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5fdc58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.65e330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.634860.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.504878.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.56d718.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.67e4f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6cf2e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.71e390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7a4938.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.634860.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5be460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.5ce2b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7b38a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.67e4f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6cf2e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5de5e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.83377.exe.6cf2e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.71e390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4de350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.86e400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.533868.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.5e3900.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.594800.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.694798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.793aa8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.6e4870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.80e6d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.hb5kc8c.exe.72d8d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.559900.exe.784800.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.w3790i.exe.61d848.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.g7112.exe.80e6d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.88oxxqc.exe.53e3a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.e81f5.exe.7248d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6fe1c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.65e330.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5be460.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.71122as.exe.654ee0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.6f3940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.544918.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.isqwt.exe.533868.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4uoic.exe.6ce390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5be460.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.6r61155.exe.624840.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.66e370.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.5ce2b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.71122as.exe.68eea0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.lb31975.exe.6f3940.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.79e310.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.qnd197.exe.6ce1f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.78d5dr1.exe.54e530.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.webp1.exe.5848d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.s1oaw.exe.5ce2b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ourh31.exe.64dc00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.86e400.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.93344.exe.7ed788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Fm9MoDgH7O.exe.7255f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.7cd980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4a4850.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.bp1975.exe.4f3910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.6f56a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7de520.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.urh7531.exe.57e4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.rh53197.exe.66e370.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.oaweb.exe.86e400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.fx2dr.exe.644918.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.spf19.exe.7cd980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.mkqnd97.exe.7a4938.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.2qkewqk.exe.65e698.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.36hmq.exe.75e230.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.4vd771.exe.7648c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.hk977.exe.5fdc58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.re8eo.exe.6fe1c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.m2mwu.exe.6f56a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.7788uoi.exe.4de350.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.pf753.exe.5a4990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.5787leo.exe.6e4870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.281l59.exe.7048f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000003.1682894023.000000000064D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1674405309.000000000072D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1650992588.000000000079E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1649664251.000000000072F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1652636895.000000000075E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1658140773.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1679325212.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1672593235.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1672194840.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1676742574.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1662285471.000000000065E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1686270671.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1659900086.000000000066E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1681701645.000000000065E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1653176448.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1680483421.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1683878267.000000000058A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1676228317.000000000072D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1649533860.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1658759497.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1661249438.000000000053E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1655204393.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1657724335.000000000077A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1651511750.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1655122137.000000000055E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1680999606.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1652569745.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1679256809.000000000050E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1664173966.000000000061D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1666334231.000000000052D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1651445469.000000000065D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1658830039.000000000065E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1659831613.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.1676809616.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.1662704858.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1677285923.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1649054171.000000000075F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1656767045.000000000075A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1679047841.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1659290404.000000000046D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1653108519.000000000065D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1686156392.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1683526760.000000000079C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1681609636.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1648983516.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.1682379177.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1675808868.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1661172441.00000000004CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1677849478.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1660367415.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1659360069.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1656182067.000000000074D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1657090623.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1679812641.000000000060E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.1684376837.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1653699442.000000000051E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1652036346.000000000086E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1683629674.000000000080E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1681072661.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1650924033.000000000072D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1677356804.000000000075E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1660432963.000000000071E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1656294889.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.1678680014.000000000061D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1677919754.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1684659208.000000000072A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1663138809.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1654532288.000000000056D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1651970984.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1650205146.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1679880197.000000000067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.1684894752.000000000079D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1664978597.00000000004BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1653633605.00000000004AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.1667033564.000000000070A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1653947799.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1680414030.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1650138046.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fm9MoDgH7O.exe PID: 5596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m2mwu.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: re8eo.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4vd771.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qnd197.exe PID: 2680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oaweb.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 36hmq.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4uoic.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: w7711.exe PID: 1860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: isqwt.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s1oaw.exe PID: 6716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 559900.exe PID: 1732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: spf19.exe PID: 1260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 93344.exe PID: 3164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6r61155.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7788uoi.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rh53197.exe PID: 2472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5787leo.exe PID: 4092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 88oxxqc.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 83377.exe PID: 4600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: w3790i.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bp1975.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 90omsp.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lb31975.exe PID: 4604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hb5kc8c.exe PID: 4584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: webp1.exe PID: 2180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e81f5.exe PID: 5332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 281l59.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 71122as.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: urh7531.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fx2dr.exe PID: 5596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mkqnd97.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 78d5dr1.exe PID: 3552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2qkewqk.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ourh31.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: g7112.exe PID: 4908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hk977.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7kiolb.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7kiolb.exe PID: 6928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pf753.exe PID: 2188, type: MEMORYSTR
Source: Yara match	File source: C:\urh7531.exe, type: DROPPED
Source: Yara match	File source: C:\lb31975.exe, type: DROPPED
Source: Yara match	File source: C:\4uoic.exe, type: DROPPED
Source: Yara match	File source: C:\spf19.exe, type: DROPPED
Source: Yara match	File source: C:\hb5kc8c.exe, type: DROPPED
Source: Yara match	File source: C:\bp1975.exe, type: DROPPED
Source: Yara match	File source: C:\7788uoi.exe, type: DROPPED
Source: Yara match	File source: C:\83377.exe, type: DROPPED
Source: Yara match	File source: C:\pf753.exe, type: DROPPED
Source: Yara match	File source: C:\93344.exe, type: DROPPED
Source: Yara match	File source: C:\5787leo.exe, type: DROPPED
Source: Yara match	File source: C:\6r61155.exe, type: DROPPED
Source: Yara match	File source: C:\g7112.exe, type: DROPPED
Source: Yara match	File source: C:\90omsp.exe, type: DROPPED
Source: Yara match	File source: C:\hk977.exe, type: DROPPED
Source: Yara match	File source: C:\oaweb.exe, type: DROPPED
Source: Yara match	File source: C:\re8eo.exe, type: DROPPED
Source: Yara match	File source: C:\isqwt.exe, type: DROPPED
Source: Yara match	File source: C:\ourh31.exe, type: DROPPED
Source: Yara match	File source: C:\e81f5.exe, type: DROPPED
Source: Yara match	File source: C:\1wk599.exe, type: DROPPED
Source: Yara match	File source: C:\559900.exe, type: DROPPED
Source: Yara match	File source: C:\36hmq.exe, type: DROPPED
Source: Yara match	File source: C:\qnd197.exe, type: DROPPED
Source: Yara match	File source: C:\2qkewqk.exe, type: DROPPED
Source: Yara match	File source: C:\w3790i.exe, type: DROPPED
Source: Yara match	File source: C:\88oxxqc.exe, type: DROPPED
Source: Yara match	File source: C:\7kiolb.exe, type: DROPPED
Source: Yara match	File source: C:\fx2dr.exe, type: DROPPED
Source: Yara match	File source: C:\rh53197.exe, type: DROPPED
Source: Yara match	File source: C:\281l59.exe, type: DROPPED
Source: Yara match	File source: C:\s1oaw.exe, type: DROPPED
Source: Yara match	File source: C:\webp1.exe, type: DROPPED
Source: Yara match	File source: C:\m2mwu.exe, type: DROPPED
Source: Yara match	File source: C:\w7711.exe, type: DROPPED
Source: Yara match	File source: C:\78d5dr1.exe, type: DROPPED
Source: Yara match	File source: C:\4vd771.exe, type: DROPPED
Source: Yara match	File source: C:\mkqnd97.exe, type: DROPPED
Source: Yara match	File source: C:\71122as.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	12 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Fm9MoDgH7O.exe	100%	ReversingLabs	Win32.Trojan.Amadey
Fm9MoDgH7O.exe	85%	Virustotal		Browse
Fm9MoDgH7O.exe	100%	Avira	TR/Crypt.XPACK.Gen
Fm9MoDgH7O.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\hb5kc8c.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\83377.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\bp1975.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\7788uoi.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\fx2dr.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\93344.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\hk977.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\5787leo.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\pf753.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\7kiolb.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\e81f5.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\1wk599.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\lb31975.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\281l59.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\4uoic.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\559900.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\oaweb.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\90omsp.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\36hmq.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\88oxxqc.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\qnd197.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\ourh31.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\g7112.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\6r61155.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\isqwt.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\2qkewqk.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\m2mwu.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\4vd771.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\78d5dr1.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\mkqnd97.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\71122as.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\hb5kc8c.exe	100%	Joe Sandbox ML
C:\83377.exe	100%	Joe Sandbox ML
C:\bp1975.exe	100%	Joe Sandbox ML
C:\7788uoi.exe	100%	Joe Sandbox ML
C:\fx2dr.exe	100%	Joe Sandbox ML
C:\93344.exe	100%	Joe Sandbox ML
C:\hk977.exe	100%	Joe Sandbox ML
C:\5787leo.exe	100%	Joe Sandbox ML
C:\pf753.exe	100%	Joe Sandbox ML
C:\7kiolb.exe	100%	Joe Sandbox ML
C:\e81f5.exe	100%	Joe Sandbox ML
C:\1wk599.exe	100%	Joe Sandbox ML
C:\lb31975.exe	100%	Joe Sandbox ML
C:\281l59.exe	100%	Joe Sandbox ML
C:\4uoic.exe	100%	Joe Sandbox ML
C:\559900.exe	100%	Joe Sandbox ML
C:\oaweb.exe	100%	Joe Sandbox ML
C:\90omsp.exe	100%	Joe Sandbox ML
C:\36hmq.exe	100%	Joe Sandbox ML
C:\88oxxqc.exe	100%	Joe Sandbox ML
C:\qnd197.exe	100%	Joe Sandbox ML
C:\ourh31.exe	100%	Joe Sandbox ML
C:\g7112.exe	100%	Joe Sandbox ML
C:\6r61155.exe	100%	Joe Sandbox ML
C:\isqwt.exe	100%	Joe Sandbox ML
C:\2qkewqk.exe	100%	Joe Sandbox ML
C:\m2mwu.exe	100%	Joe Sandbox ML
C:\4vd771.exe	100%	Joe Sandbox ML
C:\78d5dr1.exe	100%	Joe Sandbox ML
C:\mkqnd97.exe	100%	Joe Sandbox ML
C:\71122as.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://bank.gametea.com:444/nbbanklockpc/moneyout.php?nickname=	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/czbanklockpc/chadou.php?nickname=	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/lsbanklockpc/moneyout.php?nickname=	0%	Avira URL Cloud	safe
http://www.eyuyan.com)DVarFileInfo$	0%	Avira URL Cloud	safe
http://14.18.141.27:33355/lcy.asp?s11=nc&s12=nc&s13=%POSTGETWinHttp.WinHttpRequest.5.1	0%	Avira URL Cloud	safe
http://14.18.141.27:33355/lcy.asp?s11=nc&s12=nc&s13=	0%	Avira URL Cloud	safe
http://www.eyuyan.com)	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/lsbanklockpc/moneyout.php?nickname=msg_gamemoney	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/nbbanklockpc/moneyout.php?nickname=	0%	Virustotal		Browse
https://bank.gametea.com:444/czbanklockpc/chadou.php?nickname=	0%	Virustotal		Browse
http://14.18.141.27:33355/mcy.asp?at=upm&s13=	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/lsbanklockpc/moneyout.php?nickname=	0%	Virustotal		Browse
https://bank.gametea.com:444/banklockpc/moneyout.php?nickname=msg_showmoney_sh	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/czbanklockpc/moneyout.php?nickname=	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/lsbanklockpc/moneyout.php?nickname=msg_gamemoney	0%	Virustotal		Browse
http://14.18.141.27:33355/mcy.asp?at=upm&s13=	0%	Virustotal		Browse
http://14.18.141.27:33355/mcy.asp?at=getmb&s13=	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/banklockpc/moneyout.php?nickname=	0%	Avira URL Cloud	safe
http://14.18.141.27:33355/mcy.asp?at=upm&s13=http://14.18.141.27:33355/mcy.asp?at=getmb&s13=okno%E-&	0%	Avira URL Cloud	safe
http://14.18.141.27:33355/lcy.asp?s11=nc&s12=nc&s13=%POSTGETWinHttp.WinHttpRequest.5.1	0%	Virustotal		Browse
https://bank.gametea.com:444/bank/domoneyshow.php	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/banklockpc/moneyout.php?nickname=msg_showmoney_sh	0%	Virustotal		Browse
http://14.18.141.27:33355/mcy.asp?at=getmb&s13=	1%	Virustotal		Browse
https://bank.gametea.com:444/czbanklockpc/chadou.php?nickname=msg_chadou	0%	Avira URL Cloud	safe
https://bank.gametea.com:444/banklockpc/moneyout.php?nickname=	0%	Virustotal		Browse
https://bank.gametea.com:444/bank/domoneyshow.php	0%	Virustotal		Browse
https://bank.gametea.com:444/czbanklockpc/moneyout.php?nickname=	0%	Virustotal		Browse
http://14.18.141.27:33355/mcy.asp?at=upm&s13=http://14.18.141.27:33355/mcy.asp?at=getmb&s13=okno%E-&	0%	Virustotal		Browse
https://bank.gametea.com:444/czbanklockpc/chadou.php?nickname=msg_chadou	0%	Virustotal		Browse
http://14.18.141.27:33355/lcy.asp?s11=nc&s12=nc&s13=	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.eyuyan.com)DVarFileInfo$	Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	unknown
https://bank.gametea.com:444/nbbanklockpc/moneyout.php?nickname=	Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://14.18.141.27:33355/lcy.asp?s11=nc&s12=nc&s13=%POSTGETWinHttp.WinHttpRequest.5.1	Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bank.gametea.com:444/czbanklockpc/chadou.php?nickname=	Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bank.gametea.com:444/lsbanklockpc/moneyout.php?nickname=	Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://14.18.141.27:33355/lcy.asp?s11=nc&s12=nc&s13=	Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.eyuyan.com)	Fm9MoDgH7O.exe, m2mwu.exe, re8eo.exe, 4vd771.exe, qnd197.exe, oaweb.exe, w7711.exe, isqwt.exe, s1oaw.exe, 559900.exe, spf19.exe, 93344.exe, 6r61155.exe, 7788uoi.exe, rh53197.exe, 5787leo.exe, 88oxxqc.exe, w3790i.exe, bp1975.exe, 90omsp.exe, webp1.exe	false	Avira URL Cloud: safe	unknown
https://bank.gametea.com:444/lsbanklockpc/moneyout.php?nickname=msg_gamemoney	Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://14.18.141.27:33355/mcy.asp?at=upm&s13=	Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bank.gametea.com:444/banklockpc/moneyout.php?nickname=msg_showmoney_sh	Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bank.gametea.com:444/czbanklockpc/moneyout.php?nickname=	Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://14.18.141.27:33355/mcy.asp?at=getmb&s13=	Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bank.gametea.com:444/banklockpc/moneyout.php?nickname=	Fm9MoDgH7O.exe, Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://14.18.141.27:33355/mcy.asp?at=upm&s13=http://14.18.141.27:33355/mcy.asp?at=getmb&s13=okno%E-&	Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bank.gametea.com:444/bank/domoneyshow.php	pf753.exe, 00000027.00000002.1686485658.0000000000401000.00000040.00000001.01000000.00000029.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bank.gametea.com:444/czbanklockpc/chadou.php?nickname=msg_chadou	Fm9MoDgH7O.exe, 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, m2mwu.exe, 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, re8eo.exe, 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, 4vd771.exe, 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, qnd197.exe, 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, oaweb.exe, 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, 36hmq.exe, 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, 4uoic.exe, 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, w7711.exe, 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, isqwt.exe, 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, s1oaw.exe, 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, 559900.exe, 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, spf19.exe, 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, 93344.exe, 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, 6r61155.exe, 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, 7788uoi.exe, 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, rh53197.exe, 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, 5787leo.exe, 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, 88oxxqc.exe, 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, 83377.exe, 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, w3790i.exe, 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502473
Start date and time:	2024-09-01 18:19:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Fm9MoDgH7O.exe renamed because original name is a hash value
Original Sample Name:	d36ab0bd58ada2d5fb9f6560c8d8bf30N.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@80/39@0/0
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 86% Number of executed functions: 258 Number of non-executed functions: 145
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target 2qkewqk.exe, PID 2016 because there are no executed function
Execution Graph export aborted for target 36hmq.exe, PID 1612 because there are no executed function
Execution Graph export aborted for target 4uoic.exe, PID 5408 because there are no executed function
Execution Graph export aborted for target 83377.exe, PID 4600 because there are no executed function
Execution Graph export aborted for target e81f5.exe, PID 5332 because there are no executed function
Execution Graph export aborted for target hb5kc8c.exe, PID 4584 because there are no executed function
Execution Graph export aborted for target lb31975.exe, PID 4604 because there are no executed function
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\1wk599.exe

Download File

Process:	C:\pf753.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236617
Entropy (8bit):	5.817870866298016
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feh:n3C9BRo7MlrWKo+lxKk1feh
MD5:	0D5AE55E9A3F10006D5A4CC11E081A35
SHA1:	CA30D3B810146A2AE31D4F711E182657D6EF97EE
SHA-256:	5D781F1753D3E95A6213B0F510B64BBD6EA350C0200DC3D96E86FB851042C7AE
SHA-512:	6932D6A6012C7EF079CA5081979EC2E3ABEF9B0261DE5389744F54579A74EE22CE332B1E8E22459DF97968EFC8C7116D11DE1613FAA95F08CBB0B0D9AB3F12D6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\1wk599.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\281l59.exe

Download File

Process:	C:\e81f5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236436
Entropy (8bit):	5.817974800119423
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feY:n3C9BRo7MlrWKo+lxKk1feY
MD5:	CD950356D8E33513421D8074824D865A
SHA1:	E6256F4A4AC6AA7A77182C807B38D509F794531C
SHA-256:	4FC7B5A59E6BAED75620E5C4D4C4B50A010979AE9BE7CC95BB4C12C219266E69
SHA-512:	F149F0EDF202BF640B482593E086F648F0DFF6D0DC7722E50318A129DC43687FC7CA2E580B8B842B21013E9FEF5CD89BF6CDBE0FD42B1A12E0D8D6F3E76F1CC9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\281l59.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\2qkewqk.exe

Download File

Process:	C:\78d5dr1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236527
Entropy (8bit):	5.817909094774711
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feJ:n3C9BRo7MlrWKo+lxKk1feJ
MD5:	DB13E0DACF9B4068F064388BF65331F7
SHA1:	B9350F1B3482B9144A629F358A3B72887BC2BDAE
SHA-256:	B781E8DA02754A6583A0547C379476A5CE3CD785A113196DAEA1B1A2FD22B22A
SHA-512:	955BDEE3170D41B2432F5229999A24BDC0617E04AA59895593D12F6E6AA8338E3EA152E98AF47D8016CD106B42637B12550E27F495B13E06669211B937E672D4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\2qkewqk.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\36hmq.exe

Download File

Process:	C:\oaweb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236129
Entropy (8bit):	5.818059679447192
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1f3:n3C9BRo7MlrWKo+lxKk1f3
MD5:	DA8DE9AE678FE5F5DA23AD1426CA4F01
SHA1:	EEC2A99A6785A3FF3367D205052F6D9C90AEA35C
SHA-256:	9E7CD8258247F9955CB7343AEC126810B2722648A1D1B91DDCA15C733FCDEA37
SHA-512:	17CA500E996EE53828550F84D4197A85875BA414BA2806BDC5233996574C3240D8E59F1F6767B8EB432644B1BA66A14346AB421CC76898D5BA6801D203C3F962
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\36hmq.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\4uoic.exe

Download File

Process:	C:\36hmq.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236149
Entropy (8bit):	5.818068983473709
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fm:n3C9BRo7MlrWKo+lxKk1fm
MD5:	681A984C6E80FCBCBD03EDD8DEDBA853
SHA1:	C06DF833AF6198B82A8D3D937627F6A6B44E9CB5
SHA-256:	1805BCDBB3515878B532679489925EE103B7EFED7207204BCD6BA3B9420655E5
SHA-512:	091FCB9165A589227BE733125354F250B7EF0E6688F7B752191351673638D28CC5568096396D3F2A66A6134367C761A114FB7C2D4CBF32E1BACCDBAAF22394CE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\4uoic.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\4vd771.exe

Download File

Process:	C:\re8eo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236086
Entropy (8bit):	5.818055114715947
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1f/:n3C9BRo7MlrWKo+lxKk1f/
MD5:	8CA128B45B8C3C2B4ACA30C66BA6179B
SHA1:	660E7531B688AF08F14F00F807CC500190D3E617
SHA-256:	3AD524668C21F74C99C917F2837ADF564723406AC4A92ECAEEC96CD0D46FB70D
SHA-512:	80AA43709D00684003BCB6EE6A31456A5543002474E84E2319F089C345C7DDC364B2B4A5DE31B91EB6D4EA69BF709A8158A7D7B2D93690959AA625AC6F01E3E0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\4vd771.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\559900.exe

Download File

Process:	C:\s1oaw.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236206
Entropy (8bit):	5.818037623304359
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1f+:n3C9BRo7MlrWKo+lxKk1f+
MD5:	A0F307EFB8E960701E12A429D4B7DEB0
SHA1:	EDA7CCA27A66493BB1E8AB0A115E31FBE03B0C07
SHA-256:	61D5AF886E299F00D341214D3E606CB42182511AA00979B8C54AEBA8804CDB14
SHA-512:	16DC0AA09C9238884D35DC7302DEB45CDD17179A8A5F047F20A4D6D9D5667FF3C058BBF1A1D892595B90F09AD634F951473FD761FAD4B42F131F0F2E93AB5E9C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\559900.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\5787leo.exe

Download File

Process:	C:\rh53197.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236298
Entropy (8bit):	5.81804918268857
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fn:n3C9BRo7MlrWKo+lxKk1fn
MD5:	153E207ECFEEBDB9E7F018399E5C1627
SHA1:	FA679DC4274E0FAC9EFE97DFC0988BE2C2583394
SHA-256:	F087B97D8E7C44709ED1549B76C5B6CFC5D0E8320AC62422DCA24A6CC3A62EFA
SHA-512:	2A3C3DC88650DE4674D236FEE96B18760250C1AF7DC709127EDD9C8D9D6899E6E51B8C088E4594BE62CCB40CC45293131361749599FAEF2AB7B00054B7A14C8F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\5787leo.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\6r61155.exe

Download File

Process:	C:\93344.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236252
Entropy (8bit):	5.818028423371953
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1f4:n3C9BRo7MlrWKo+lxKk1f4
MD5:	F24AB32918FA49E5019915D255A577F9
SHA1:	4C42CE5E5EE78CF8DC49F398F35AD6FD46AAA4F2
SHA-256:	7666DA01613CA896B9256EA21941EFAEEB0E7EE626223E2F1F02CB257DEF3480
SHA-512:	C06FFDB9AE6DA435180F453996E88FE95B138C4406859C08FB022D646102EAB32FE8FADE92D82183644D9DCC43F4487C858009A9C17E13E76837425F068B6AED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\6r61155.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\71122as.exe

Download File

Process:	C:\281l59.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236452
Entropy (8bit):	5.817939218695719
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feG:n3C9BRo7MlrWKo+lxKk1feG
MD5:	E2070B8B4080AA1C0ACD754F87D44A58
SHA1:	37998415C0F34DDE8515D8ACEBD56A9F54EA1953
SHA-256:	201DF4F58DFE4BDBF6A4B191C56A5AFCEA26C54DA5E583738F44B3740DAAFE4A
SHA-512:	ABD6B1BFDEEE5E18BD14AE4D61910858A2F1BA03FC22F02E6132FCAB4D7ED858F6D5764E33279ACB242ECE42BA07334F1C4D0473894987265112E6BD017E9E2C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\71122as.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\7788uoi.exe

Download File

Process:	C:\6r61155.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236269
Entropy (8bit):	5.818033517973776
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fa:n3C9BRo7MlrWKo+lxKk1fa
MD5:	A673EA56D20763F3D043EF0003BA4A1D
SHA1:	BE4E4D8F35AD59549F9C7FCCF2C45D6B6FA959FE
SHA-256:	B3A935E090AA215DAE15095EF7B6EB813B508A4A38C4EE1523AB157EB2C4D63E
SHA-512:	99E02C374E9FD588E92A7D5BDCCC27E2AA8A8C75025147672C86E38549B97F68CFF6AF8055314152A04082EDBDF9DADA8300C9D4DFB2C918ECD3562378AB6371
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\7788uoi.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\78d5dr1.exe

Download File

Process:	C:\mkqnd97.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236507
Entropy (8bit):	5.817893895880328
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feJ:n3C9BRo7MlrWKo+lxKk1feJ
MD5:	F91CB1621D2BA56DB6F9EAFC940ED3B6
SHA1:	2BDB111EBA90F0B79782EC7B70A8A6E719251AF6
SHA-256:	138D1340A9744247D17BDFEAB01CC2E018B24F43896AFB6D39C49DCF451EADE6
SHA-512:	40403A69F3783EAB95755F81BE8A4ADF084FD2B643B1FAA9C5D6E4DD3642572254EE4F2FC144ADE7EF5F234AECACCAA653F85CF2A6428E505BD26C82472FD813
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\78d5dr1.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\7kiolb.exe

Download File

Process:	C:\hk977.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236585
Entropy (8bit):	5.817864679602142
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feV:n3C9BRo7MlrWKo+lxKk1feV
MD5:	6B3840F7493601C05D957471E3BD0833
SHA1:	196BC59CC2B6D9DD0F7A263992D5292EC521EAC2
SHA-256:	8ACB3D4939C090A197188ADF1777A0482492A82DC7B1B898C370D17A1153CA24
SHA-512:	359D48A719A05F87AF9E056437E3DAF28720F62C8D207279C3D3C753C7F9F1D801F51FE3A5243B953D797D7967BED3B7628730D029E55BAE91772CC375DEB71D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\7kiolb.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\83377.exe

Download File

Process:	C:\88oxxqc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236322
Entropy (8bit):	5.818008354773504
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fe+:n3C9BRo7MlrWKo+lxKk1fe+
MD5:	B0024685B8EAF3030AB9E3209EC142FF
SHA1:	C5B0CA225E0B6EA3BB214112263E465E5BFBEAB3
SHA-256:	E1763F306765F6E9E3142E6752FA8D7F13342C64FA6A55FF099F50F26DA8E01C
SHA-512:	6474A167FFAB5EBC69595DECDE949E7D696D05E9DD736FB5A0BB87E6F607B68AF534F6BD217C404DFD10BBA0C15BB5E6F537519AFC147CE2B0469478C9ADF70C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\83377.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\88oxxqc.exe

Download File

Process:	C:\5787leo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236308
Entropy (8bit):	5.81802768052043
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fek:n3C9BRo7MlrWKo+lxKk1fek
MD5:	5BCD3436C64915143B7EE185AC8F5F67
SHA1:	A7D0E9F59B3776BE94FC88614B6D55A61B44C92B
SHA-256:	9F25548311B6C0796F40F2A533A63C357591906A58DA620AAAC5347FA6337424
SHA-512:	CD19F3B0CF32A25094B53587D984D73E543A65E4002C67F9BC1E74182B962866F741A0419EC3A57D40A8FB3FBDD7E1BF860D75AC82DCC92EC750BE048C20AA71
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\88oxxqc.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\90omsp.exe

Download File

Process:	C:\bp1975.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236366
Entropy (8bit):	5.81803108809492
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fei:n3C9BRo7MlrWKo+lxKk1fei
MD5:	40C99EB36453A97292F39E06122BE2BB
SHA1:	55705624614018251135D3C81B023C19F01D6A22
SHA-256:	63CD23AF458027FC0F7F5B99D4A6290973E07984C7915E4E6BF8EE4446824F5C
SHA-512:	F19BA9521FF000D8E5CBE3E4D190BA4169781626D88C26D24C9FAAD669C250D42FCCE9BADD8A01B9C961761E6FF51A4AA44A17E26E9C7DFF09F6CB8A11E068FA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\90omsp.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\93344.exe

Download File

Process:	C:\spf19.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236240
Entropy (8bit):	5.818013120301222
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fM:n3C9BRo7MlrWKo+lxKk1fM
MD5:	0E2CAD1FD4DE2E62B83C30E9B8E563E4
SHA1:	E979EBE704A9694617E8DE2A46072980AFC77057
SHA-256:	1F27D9F3848CE7A3CD13D6ED4E51EB1B64A027E9DC66FDA234841BB16D91A310
SHA-512:	FFB38021DC042AA9AE383D9632C4B05B1BF398CA608B6229681FBBDBED4BE947B490A39B5FE4EF7D57C4B070260D1A8E9764D38167B97A07E5906C4F14BC9A0E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\93344.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\bp1975.exe

Download File

Process:	C:\w3790i.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236352
Entropy (8bit):	5.818059533048474
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fep:n3C9BRo7MlrWKo+lxKk1fep
MD5:	B2A3693ED42E3BC17ACE26DD6C65B83A
SHA1:	C7AEEC053E503D55C578FA7772602368039FA61D
SHA-256:	6BF3B7CEC608E37C0492F8DDB60DC591A453E2238D2DD6FCA600A733C9F5CD9F
SHA-512:	F0864B6E74E15BD587340F19C4A21F4F45CAB7DEA54BA53D02378BA7FD8B5491F87433F45CBF82C2231B988EA99F5F51E1E42C4CAF1476BD46AF81A1892D12BC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\bp1975.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\e81f5.exe

Download File

Process:	C:\webp1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236424
Entropy (8bit):	5.817989098747629
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feK:n3C9BRo7MlrWKo+lxKk1feK
MD5:	C2C439CF8A79D875F09E1C37D3DB36E1
SHA1:	31AE68340C2A4D6A83A262CDE0275D143AB533A2
SHA-256:	D42FEC2671BF118267CF6A6738EF5CEBC99AF7E65D99239D07E7E74FC048FF0A
SHA-512:	4409F7F8D8FC510A315D25308BF3CF5E9E0525B2BE36A9DD444C5066743EEBD0C07F204E6B5A8D4315011B8C8971360BC96D948BAE383E4135EAC9BFA4877423
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\e81f5.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\fx2dr.exe

Download File

Process:	C:\urh7531.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236481
Entropy (8bit):	5.81793025475339
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fee:n3C9BRo7MlrWKo+lxKk1fee
MD5:	C7B5C78FFABE9046E9219CA302D74903
SHA1:	06B63083115A8ABEEDD5547B6E491FBCCE9D51F2
SHA-256:	7697CF7BBC43985967FB2B457AE1E3ACA4FE0E351FA5DC0F364FE045F40FEC7A
SHA-512:	21D2DD898FD76AA447E697D67198E1F056685272B7E0FAE4A54D09E222634682495B271A2F371DB3BCB8E55AFE4082492C43EDF1E106BBA02F991D023A448884
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\fx2dr.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\g7112.exe

Download File

Process:	C:\ourh31.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236559
Entropy (8bit):	5.817888117540934
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fee:n3C9BRo7MlrWKo+lxKk1fee
MD5:	040B9D0493FA77F472C5BB7456187303
SHA1:	618631D39BE2AC7B11EAFCA262D4C175B1FC052D
SHA-256:	BB26D1ED94A069A8AC713529DFD2675CAB99FBB836CBC561F3B1AE27DA425495
SHA-512:	3E388144A36DCD60A91A18299DC0A74CC669B58AA2A23E1C170D0B035F1774C3A72BCBEA7EDB38AC827C790DAB7203CF570F84FF61A87F1E95D36A35E2B4C5C7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\g7112.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\hb5kc8c.exe

Download File

Process:	C:\lb31975.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236395
Entropy (8bit):	5.818021922081389
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feF:n3C9BRo7MlrWKo+lxKk1feF
MD5:	75CE63BF185F462ED7F9E6365CD7AF89
SHA1:	CD5CA9630FCDEDB59FC90BD6E46B633780142680
SHA-256:	6F427DDE9D4FDE6B159BDC8F9F8A56A1F045D413270AABBED24445F4FCE9D4CC
SHA-512:	A895D8CB049C728E6A9DEC7AEB324D4CC31740D07F529EAD8829A64A8649DB378FBEED163F2B4D822657A9053FDBCEAB1F85A683719776D81844C3E7AEDEA5AF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\hb5kc8c.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\hk977.exe

Download File

Process:	C:\g7112.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236570
Entropy (8bit):	5.817873457178078
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feQ:n3C9BRo7MlrWKo+lxKk1feQ
MD5:	D22790FF53C7EDA2CE00F0FA1A363887
SHA1:	B83E71A5AE06897B03DD1E4C9026E94EC117498D
SHA-256:	CC653A44E789E2887A650573C9D5F903E3BB5620AB61A89C83D00611AD1BBEE9
SHA-512:	49EC73DE46E670CAB4C66DE0295DFBA8844F998AA51D832A2556CF23946292732CDA752300751A3868B58693185E6B10E0E85A39EC5F58459F84935FA1612B14
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\hk977.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\isqwt.exe

Download File

Process:	C:\w7711.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236178
Entropy (8bit):	5.818076604182836
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1ff:n3C9BRo7MlrWKo+lxKk1ff
MD5:	2DEC8CCF9A6F8E1CEFD741ECDD527A14
SHA1:	2F3B13EC529A216D83B8FD27E68940CD972671A6
SHA-256:	21A27057CC644EC39E7BAAE69BDF4704E19BA67944CEB4BD3A49A1A52573CD21
SHA-512:	4681B2C674079AD84FFBAD5F44C2A9278A50F2671AD91B55A717F3D85DB0B77E962FC15AF3C258D73C05A969BFE486FFE43AB8E6B8DF5790AFD0DE135419B91F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\isqwt.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\lb31975.exe

Download File

Process:	C:\90omsp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236385
Entropy (8bit):	5.81802891140216
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fek:n3C9BRo7MlrWKo+lxKk1fek
MD5:	B1335D9EB52CB97D7543FABACBF3D09E
SHA1:	515C67C32B4D239F4CB38F6EE8747A03FEA654E3
SHA-256:	F26D4A918FB2D2B2FD26CF4D4839A8DFBC2F7FAB60C59225C0F502C97E759549
SHA-512:	00A1691DB2BE07B3E2953ABE50ADBF9A2B8975EDDEA89D5AB7B6CA21040F1847D48A53AA78417C5901DA74CD725550554D0FDAAD7BBDE382F8F1675521B0BD46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\lb31975.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\m2mwu.exe

Download File

Process:	C:\Users\user\Desktop\Fm9MoDgH7O.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236062
Entropy (8bit):	5.818065619698784
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fY:n3C9BRo7MlrWKo+lxKk1fY
MD5:	3E788A1E5AFDF4021F750BA94AB81F8F
SHA1:	3FCBE8BAF02066D0A9632D290E6166F2CF939E5D
SHA-256:	8603D9B11B248541D6518B42E1724D663B6060978E920BBA35426F90AD320D91
SHA-512:	AF84E1C53D6F5CA010ADA3231CA7C80C52D4FD0A09916CBF9C44DD80896C655D51FA52A677EB87840881098B66E20FB97DF0EE34E24E1B89A28A8A9E7310142A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\m2mwu.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\mkqnd97.exe

Download File

Process:	C:\fx2dr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236497
Entropy (8bit):	5.81791100327283
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fek:n3C9BRo7MlrWKo+lxKk1fek
MD5:	DBB7FE60E5210C359C1C2C5620C8C0FE
SHA1:	F7D7E51907D586386810C3BF4C27DC473B0EFE2A
SHA-256:	32BADD42DB3E023F1AB309467A67E5E78AD9D69D5C7E06B1432D9463E5BCBDE8
SHA-512:	264F7877C50455377E801B41F6540C9E31F9339BE5741E57DED7CE6C6752DB0ED02F9B1E5777B07CE0F1BCF39A3CEFE8D5C12509F51D2BFCA12DFD8A7ABA7B43
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\mkqnd97.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\oaweb.exe

Download File

Process:	C:\qnd197.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236119
Entropy (8bit):	5.81806631680788
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fG:n3C9BRo7MlrWKo+lxKk1fG
MD5:	6AE0C9D019D7C2D712A7EEEDD811C257
SHA1:	4F437CCEAD74DB45F324188CD1470F57FEFD4BD4
SHA-256:	F948C2C872D0445E7961516ABBFFD00E24C6E6576884D5E6AA4ADDB57B95E865
SHA-512:	99629AE1907562D38553A343F39153E968EC49A0CB7627CE0DF4355EC2D653B1E41FB34D3F171B3348809B4E741036B077A5D488AA5CB4A344AC55EAEE505048
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\oaweb.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\ourh31.exe

Download File

Process:	C:\2qkewqk.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236544
Entropy (8bit):	5.817885883251589
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feW:n3C9BRo7MlrWKo+lxKk1feW
MD5:	828AC17EAE23DA7778400A135C65442B
SHA1:	70563BB4F5ADE0409FD11BA3F97B185147EE63FA
SHA-256:	902721CCA355F4CE91FFCE8755D0913EA271907576D1148E4C9B86FF0A8D1713
SHA-512:	65AD95CF55A91BF778DA693256BE64C5A61801322B63708575FE9831A557212910A61EFAFAA2E74453C7A8405CF9B73DBCCFD56BE6BF5D210D9971F8D58F65FD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\ourh31.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\pf753.exe

Download File

Process:	C:\7kiolb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236604
Entropy (8bit):	5.817858706671444
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fet:n3C9BRo7MlrWKo+lxKk1fet
MD5:	1E017F50B0CA791ABFF13DAC87F12B32
SHA1:	0AF954E53FD3AC8275928D2B35F45C8C1F8A43FE
SHA-256:	C2A23BB4F86956EC6BA188C6C8C8C97F2D38CB21B944965F04714424244339B2
SHA-512:	540FCF89D594DA426E8D8FAA7D2466FC2BCBBD7710C83F0DEA0521B254FD06C862242E6A9A9E210E6C3A5822110B1430BE47B1D4D11ADEDD389F34DEAE9E6EBB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\pf753.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\qnd197.exe

Download File

Process:	C:\4vd771.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236104
Entropy (8bit):	5.818051704104037
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fR:n3C9BRo7MlrWKo+lxKk1fR
MD5:	900DAA7A88FB5B3C0AA6AE5968FA0D99
SHA1:	A2D0A7D9A10E3F931DA2496CA152F77F63C84228
SHA-256:	3EC473A075E6582E678A172AC0A63AA0A6E9D832D3E643B1E853BC675C7BEA9D
SHA-512:	E80B4B25C6B6952C2EA6AF6AC0DD1A04AD4BBD975FD058CC88A083F8EF62EFA729972A28B2DDF95867B8E72A141DEE159AC0471410957A757A181B475CB9ACF4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\qnd197.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\re8eo.exe

Download File

Process:	C:\m2mwu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236074
Entropy (8bit):	5.8180622201348084
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fF:n3C9BRo7MlrWKo+lxKk1fF
MD5:	2774E1DF05B90D037936F23A60ACA218
SHA1:	BBB16D7E806DD231FA398F9E23D9BD9F321AB41B
SHA-256:	9FB37F330B918F88DA1F2C018811B902E84E7C85D010F44F979B4630E0C9DFD6
SHA-512:	3F4C8EA6AC16D704C7BDF5FD308E0D47FC5AD8E6FDD256CB43969813FC192469A12AC546907729D97FD0A2852AF0C27FE6F0B91BBB15E932B6B4397F5E808906
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\re8eo.exe, Author: Joe Security
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\rh53197.exe

Download File

Process:	C:\7788uoi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236288
Entropy (8bit):	5.818027820974271
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fz:n3C9BRo7MlrWKo+lxKk1fz
MD5:	D6388AC92017740EDE162A7936D9C108
SHA1:	F5D3C11914637AAA09560F9B4067D8240AD3F41F
SHA-256:	8A114882529AA91B88FE61B2B2EB603DD2DE849A4EBD0236B7D4DD35FEC1B67A
SHA-512:	CBFB173A2E73905523AFEE23640E518AE56A63F766C6DD6DCD99071D24BB1C6DF7E7488DB27688CF6D4E90E6FAD8AD448B20A3BBB27F8D5A3AF5C137669A7403
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\rh53197.exe, Author: Joe Security
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\s1oaw.exe

Download File

Process:	C:\isqwt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236191
Entropy (8bit):	5.8180598923114815
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fJ:n3C9BRo7MlrWKo+lxKk1fJ
MD5:	B916674C0CCC23124E9A9510B6E8AABB
SHA1:	C88AC1159B6F6CD648DF3DCE2A32F85FF1290F67
SHA-256:	B062BF01B5F2F15779260171CE6DA2DCAE5DBF576655017312C1AFD17C4A06FC
SHA-512:	E5209FA353FB1BCDF2F889E2CA3FEA4EC4E4EFC34EF9FA88AB1332F25CD0337451E654A82D8DD13F96B89ACD341BE6898C39B0E5834208BCA38C4443CB8B8867
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\s1oaw.exe, Author: Joe Security
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\spf19.exe

Download File

Process:	C:\559900.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236224
Entropy (8bit):	5.818030012851406
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fU:n3C9BRo7MlrWKo+lxKk1fU
MD5:	1BD31A93D44DC461A7A61DCF3E4FEB0A
SHA1:	2DAD01B9AA4FDAA0CA6EFB6F92A7AD915A9BC03D
SHA-256:	8885E42D2ED455F7312E1E911688B389806360FC404DB3EE3163A6B037A3C3DA
SHA-512:	C3807C2DE297440D74711B2E6442D18B221A9171654BC80879D9D9BF6F41326038DD7E7F58BF8B522D1248AE6278B83F2222644D743A6E43A7CF31ACF775BA80
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\spf19.exe, Author: Joe Security
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\urh7531.exe

Download File

Process:	C:\71122as.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236470
Entropy (8bit):	5.8179413185233555
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fe1:n3C9BRo7MlrWKo+lxKk1fe1
MD5:	A2F0CC47EF04D78F74C482B83B0D6071
SHA1:	5A3364DA9FF41F7B1BC28EFC1C08FD4DF28AF753
SHA-256:	CDE4F46843BC4AB920B245D8D00EC6D4714EF6CEF8E8D9FB81C2C02370FA8FCB
SHA-512:	796539235A333EF2AA55E07E63C8032B0830DD985A4EDEC9398B384C00EB717083F06BEC5633A387C0CA3BF42523B5B614FBDC0A8671B36D6F1D0004996A419B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\urh7531.exe, Author: Joe Security
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\w3790i.exe

Download File

Process:	C:\83377.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236333
Entropy (8bit):	5.818027423701761
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fep:n3C9BRo7MlrWKo+lxKk1fep
MD5:	5920096D3CA89F622BF6540E7D9F1AAB
SHA1:	AC523F18C65E7C14021FB5443DB98E0B08FA9DB2
SHA-256:	CE0378699272CB8F425897C78997B753E021B3453A99C3D9733EA4188481B33D
SHA-512:	D7A6C2A524857A7E52633936F498625E1262485742642916DB68086195EE3FB724D500D4350C09268E2AA88C7D786F7F748E0A7658C09C40E79CC91786AA79DF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\w3790i.exe, Author: Joe Security
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\w7711.exe

Download File

Process:	C:\4uoic.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236163
Entropy (8bit):	5.818069852658273
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fk:n3C9BRo7MlrWKo+lxKk1fk
MD5:	A3A8E703FEE41784385625A8AB8B718A
SHA1:	78A8AD07B43E5CE2A32886162B55B2F361C071DD
SHA-256:	7C87F678A182016CB73A6CD6AEE02B2FBCE6A94E9DA94D652D14ACC581DD1418
SHA-512:	3638303204A24AC83358DD49601D6367F937DBD492280B20029ABE544821C357339C5116B3C2AEA9BF929BA5D65560EB8421CBD1653934398B72F4069D8CAE38
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\w7711.exe, Author: Joe Security
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

C:\webp1.exe

Download File

Process:	C:\hb5kc8c.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236412
Entropy (8bit):	5.818002214650689
Encrypted:	false
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1feE:n3C9BRo7MlrWKo+lxKk1feE
MD5:	298240B6E90AC68FBEB9A7BE56EDA3A5
SHA1:	D5AC7D28C29094CB41D34083C16F6AD0B5BC1AEA
SHA-256:	293FF129DC4FE8E4E2C7D8181CD93AC922C6A659F43D786772360576F43D2AEA
SHA-512:	96FB9E84B8971F6C5FB667B25E282F785F5C2400CAFCBF22B8EA83CAD7A3BA254486D6989E0782F2FF086E4F0A04BE8359179BBA4702604EAFBC51A77E3FA49B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\webp1.exe, Author: Joe Security
Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<......................................................................................,....................................p..........................`..`petite..............................@..@..........................................................................................................................................................................0..........d....F.z^...R4.Lb.\|<8?V.QNH..^YQ..?.q..`.r.-@.7....v."....r1:..[6.........v....)B.j..2.F.....z..1..........u.`..p.wk...i..*S.F..."...A...R>...U.~.k..d..{1..B.LZ....N_.f^.@....)..."=.A.>0.V....a6\.......;....!.p..$.#...4W.B.............. r.`...1......7.B.....vyBB.......qk..k....2...].Q.....G.p.........A...P....t2....s.\x.t...$.,.L.........Y.zS....K....>..h....f25......w..r9..d...7>...x.uR...C.`..x......4$....PdJA....c..t..Yh..kWgpVT;.........Z..1.+

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.818100777839407
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	Fm9MoDgH7O.exe
File size:	236'049 bytes
MD5:	d36ab0bd58ada2d5fb9f6560c8d8bf30
SHA1:	4a5bba862c57082a57dbc212d5ea77bc8052e2c3
SHA256:	5f21ac1f06ad83af166db002e2c7a8cd0bd3473f996599ee20c081f8a781a1ed
SHA512:	7bfa5722700e4d1b02c93d19efdf9b5e7aaa8ca26c89e177fa2bf6dcfe66c5446e584087bd83ae7b5349c7af8d047b702a34dd4a8a5c7fff734529825cbb6d9b
SSDEEP:	3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1f7:n3C9BRo7MlrWKo+lxKk1f7
TLSH:	82341AF61FACE5F6E6B0B83146B59468045AB2771E821DE850F913850F7D8C26AC2C7F
File Content Preview:	MZ..............PE..L...k..T.....................................`....@.............................................................................<.......................................................................................,..................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40c9d0
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x54C70C6B [Tue Jan 27 03:56:27 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cdf5bbb8693f29ef22aef04d2a161dd7

Entrypoint Preview

Instruction
mov eax, 00428000h
pushad
lea ebp, dword ptr [eax-00028000h]
push 84F13DE9h
push 00000040h
push 00003000h
push 0000B545h
push 00000000h
call dword ptr [eax+000000EAh]
mov dword ptr [esp+1Ch], eax
mov ebx, 00000339h
lea esi, dword ptr [ebp+0000C6D2h]
mov edi, eax
push eax
call 00007EFCC5142D4Fh
je 00007EFCC5142D49h
mov eax, dword ptr [esp+24h]
call dword ptr [eax+10h]
ret
push ebp
cmp ebx, 00010000h
jnc 00007EFCC5142D50h
push 00000005h
push FFFFC060h
push FFFFFC60h
jmp 00007EFCC5142D4Eh
push 00000008h
push FFFF8300h
push FFFFFB00h
push FFFFFFFFh
xor edx, edx
xor ecx, ecx
lodsb
xor al, bl
stosb
dec ebx
jle 00007EFCC5142DA4h
call 00007EFCC5142DA8h
jnc 00007EFCC5142D34h
xor ebp, ebp
call 00007EFCC5142DABh
sub ecx, 03h
jnc 00007EFCC5142D48h
mov eax, dword ptr [esp]
inc ecx
jmp 00007EFCC5142D64h
mov eax, ecx
mov ecx, dword ptr [esp+0Ch]
call 00007EFCC5142D89h
adc eax, eax
loop 00007EFCC5142D39h
not eax
cmp eax, dword ptr [esp+04h]
adc ebp, 01h
cmp eax, dword ptr [esp+08h]
adc ebp, 00000000h
mov dword ptr [esp], eax
call 00007EFCC5142D6Dh
adc ecx, ecx
call 00007EFCC5142D66h
adc ecx, ecx
jne 00007EFCC5142D4Ah
call 00007EFCC5142D69h
add ecx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28092	0x3c	petite
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x280ce	0x2c	petite
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x27000	0xbc00	490de77b6adbbb1c2bf1eb705a9914e1	False	0.9602310505319149	data	7.663081984917489	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
petite	0x28000	0x112	0x112	f6626e4becf07559b386265f0ceb1a75	False	0.6277372262773723	data	3.9970132554243403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
user32.dll	MessageBoxA, wsprintfA
kernel32.dll	ExitProcess, GetModuleHandleA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, LoadLibraryA

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: Fm9MoDgH7O.exePID: 5596, Parent PID: 2580

General

Target ID:	0
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\Users\user\Desktop\Fm9MoDgH7O.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Fm9MoDgH7O.exe"
Imagebase:	0x400000
File size:	236'049 bytes
MD5 hash:	D36AB0BD58ADA2D5FB9F6560C8D8BF30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000000.00000003.1649054171.000000000075F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000000.00000003.1648983516.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: m2mwu.exePID: 5672, Parent PID: 5596

General

Target ID:	1
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\m2mwu.exe
Wow64 process (32bit):	true
Commandline:	c:\m2mwu.exe
Imagebase:	0x400000
File size:	236'062 bytes
MD5 hash:	3E788A1E5AFDF4021F750BA94AB81F8F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000001.00000003.1649664251.000000000072F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000001.00000003.1649533860.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\m2mwu.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: re8eo.exePID: 4268, Parent PID: 5672

General

Target ID:	2
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\re8eo.exe
Wow64 process (32bit):	true
Commandline:	c:\re8eo.exe
Imagebase:	0x400000
File size:	236'074 bytes
MD5 hash:	2774E1DF05B90D037936F23A60ACA218
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000002.00000003.1650205146.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000002.00000003.1650138046.000000000068D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\re8eo.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 4vd771.exePID: 2016, Parent PID: 4268

General

Target ID:	3
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\4vd771.exe
Wow64 process (32bit):	true
Commandline:	c:\4vd771.exe
Imagebase:	0x400000
File size:	236'086 bytes
MD5 hash:	8CA128B45B8C3C2B4ACA30C66BA6179B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000003.00000003.1650992588.000000000079E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000003.00000003.1650924033.000000000072D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\4vd771.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: qnd197.exePID: 2680, Parent PID: 2016

General

Target ID:	4
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\qnd197.exe
Wow64 process (32bit):	true
Commandline:	c:\qnd197.exe
Imagebase:	0x400000
File size:	236'104 bytes
MD5 hash:	900DAA7A88FB5B3C0AA6AE5968FA0D99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000004.00000003.1651511750.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000004.00000003.1651445469.000000000065D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\qnd197.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: oaweb.exePID: 5780, Parent PID: 2680

General

Target ID:	5
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\oaweb.exe
Wow64 process (32bit):	true
Commandline:	c:\oaweb.exe
Imagebase:	0x400000
File size:	236'119 bytes
MD5 hash:	6AE0C9D019D7C2D712A7EEEDD811C257
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000005.00000003.1652036346.000000000086E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000005.00000003.1651970984.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\oaweb.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 36hmq.exePID: 1612, Parent PID: 5780

General

Target ID:	6
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\36hmq.exe
Wow64 process (32bit):	true
Commandline:	c:\36hmq.exe
Imagebase:	0x400000
File size:	236'129 bytes
MD5 hash:	DA8DE9AE678FE5F5DA23AD1426CA4F01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000006.00000003.1652636895.000000000075E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000006.00000003.1652569745.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000006.00000002.1652758072.0000000000401000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\36hmq.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 4uoic.exePID: 5408, Parent PID: 1612

General

Target ID:	7
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\4uoic.exe
Wow64 process (32bit):	true
Commandline:	c:\4uoic.exe
Imagebase:	0x400000
File size:	236'149 bytes
MD5 hash:	681A984C6E80FCBCBD03EDD8DEDBA853
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000007.00000003.1653176448.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000007.00000003.1653108519.000000000065D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000007.00000002.1653297691.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\4uoic.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: w7711.exePID: 1860, Parent PID: 5408

General

Target ID:	8
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\w7711.exe
Wow64 process (32bit):	true
Commandline:	c:\w7711.exe
Imagebase:	0x7ff71e800000
File size:	236'163 bytes
MD5 hash:	A3A8E703FEE41784385625A8AB8B718A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000008.00000003.1653699442.000000000051E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000008.00000003.1653633605.00000000004AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\w7711.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: isqwt.exePID: 4900, Parent PID: 1860

General

Target ID:	9
Start time:	12:19:55
Start date:	01/09/2024
Path:	C:\isqwt.exe
Wow64 process (32bit):	true
Commandline:	c:\isqwt.exe
Imagebase:	0x400000
File size:	236'178 bytes
MD5 hash:	2DEC8CCF9A6F8E1CEFD741ECDD527A14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000009.00000003.1654532288.000000000056D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000009.00000003.1653947799.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\isqwt.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: s1oaw.exePID: 6716, Parent PID: 4900

General

Target ID:	10
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\s1oaw.exe
Wow64 process (32bit):	true
Commandline:	c:\s1oaw.exe
Imagebase:	0x400000
File size:	236'191 bytes
MD5 hash:	B916674C0CCC23124E9A9510B6E8AABB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000A.00000003.1655204393.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000A.00000003.1655122137.000000000055E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\s1oaw.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 559900.exePID: 1732, Parent PID: 6716

General

Target ID:	11
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\559900.exe
Wow64 process (32bit):	true
Commandline:	c:\559900.exe
Imagebase:	0x400000
File size:	236'206 bytes
MD5 hash:	A0F307EFB8E960701E12A429D4B7DEB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000B.00000003.1656182067.000000000074D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000B.00000003.1656294889.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\559900.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: spf19.exePID: 1260, Parent PID: 1732

General

Target ID:	12
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\spf19.exe
Wow64 process (32bit):	true
Commandline:	c:\spf19.exe
Imagebase:	0x400000
File size:	236'224 bytes
MD5 hash:	1BD31A93D44DC461A7A61DCF3E4FEB0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000C.00000003.1656767045.000000000075A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000C.00000003.1657090623.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\spf19.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 93344.exePID: 3164, Parent PID: 1260

General

Target ID:	13
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\93344.exe
Wow64 process (32bit):	true
Commandline:	c:\93344.exe
Imagebase:	0x400000
File size:	236'240 bytes
MD5 hash:	0E2CAD1FD4DE2E62B83C30E9B8E563E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000D.00000003.1658140773.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000D.00000003.1657724335.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\93344.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 6r61155.exePID: 6952, Parent PID: 3164

General

Target ID:	14
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\6r61155.exe
Wow64 process (32bit):	true
Commandline:	c:\6r61155.exe
Imagebase:	0x400000
File size:	236'252 bytes
MD5 hash:	F24AB32918FA49E5019915D255A577F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000E.00000003.1658759497.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000E.00000003.1658830039.000000000065E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\6r61155.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 7788uoi.exePID: 6904, Parent PID: 6952

General

Target ID:	15
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\7788uoi.exe
Wow64 process (32bit):	true
Commandline:	c:\7788uoi.exe
Imagebase:	0x400000
File size:	236'269 bytes
MD5 hash:	A673EA56D20763F3D043EF0003BA4A1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000F.00000003.1659290404.000000000046D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000000F.00000003.1659360069.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\7788uoi.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rh53197.exePID: 2472, Parent PID: 6904

General

Target ID:	16
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\rh53197.exe
Wow64 process (32bit):	true
Commandline:	c:\rh53197.exe
Imagebase:	0x400000
File size:	236'288 bytes
MD5 hash:	D6388AC92017740EDE162A7936D9C108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000010.00000003.1659900086.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000010.00000003.1659831613.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\rh53197.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 5787leo.exePID: 4092, Parent PID: 2472

General

Target ID:	17
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\5787leo.exe
Wow64 process (32bit):	true
Commandline:	c:\5787leo.exe
Imagebase:	0x400000
File size:	236'298 bytes
MD5 hash:	153E207ECFEEBDB9E7F018399E5C1627
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000011.00000003.1660367415.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000011.00000003.1660432963.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\5787leo.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 88oxxqc.exePID: 5428, Parent PID: 4092

General

Target ID:	18
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\88oxxqc.exe
Wow64 process (32bit):	true
Commandline:	c:\88oxxqc.exe
Imagebase:	0x400000
File size:	236'308 bytes
MD5 hash:	5BCD3436C64915143B7EE185AC8F5F67
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000012.00000003.1661249438.000000000053E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000012.00000003.1661172441.00000000004CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\88oxxqc.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 83377.exePID: 4600, Parent PID: 5428

General

Target ID:	19
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\83377.exe
Wow64 process (32bit):	true
Commandline:	c:\83377.exe
Imagebase:	0x400000
File size:	236'322 bytes
MD5 hash:	B0024685B8EAF3030AB9E3209EC142FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000013.00000003.1662285471.000000000065E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000013.00000003.1662704858.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000013.00000002.1663269661.0000000000401000.00000040.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\83377.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: w3790i.exePID: 2996, Parent PID: 4600

General

Target ID:	20
Start time:	12:19:56
Start date:	01/09/2024
Path:	C:\w3790i.exe
Wow64 process (32bit):	true
Commandline:	c:\w3790i.exe
Imagebase:	0x400000
File size:	236'333 bytes
MD5 hash:	5920096D3CA89F622BF6540E7D9F1AAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000014.00000003.1664173966.000000000061D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000014.00000003.1663138809.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\w3790i.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: bp1975.exePID: 5780, Parent PID: 2996

General

Target ID:	21
Start time:	12:19:57
Start date:	01/09/2024
Path:	C:\bp1975.exe
Wow64 process (32bit):	true
Commandline:	c:\bp1975.exe
Imagebase:	0x400000
File size:	236'352 bytes
MD5 hash:	B2A3693ED42E3BC17ACE26DD6C65B83A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000015.00000003.1666334231.000000000052D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000015.00000003.1664978597.00000000004BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\bp1975.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 90omsp.exePID: 1612, Parent PID: 5780

General

Target ID:	22
Start time:	12:19:57
Start date:	01/09/2024
Path:	C:\90omsp.exe
Wow64 process (32bit):	true
Commandline:	c:\90omsp.exe
Imagebase:	0x400000
File size:	236'366 bytes
MD5 hash:	40C99EB36453A97292F39E06122BE2BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000016.00000003.1672194840.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000016.00000003.1667033564.000000000070A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\90omsp.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: lb31975.exePID: 4604, Parent PID: 1612

General

Target ID:	23
Start time:	12:19:57
Start date:	01/09/2024
Path:	C:\lb31975.exe
Wow64 process (32bit):	true
Commandline:	c:\lb31975.exe
Imagebase:	0x7ff7699e0000
File size:	236'385 bytes
MD5 hash:	B1335D9EB52CB97D7543FABACBF3D09E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000017.00000003.1674405309.000000000072D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000017.00000003.1672593235.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000017.00000002.1675872305.0000000000401000.00000040.00000001.01000000.0000001A.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\lb31975.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: hb5kc8c.exePID: 4584, Parent PID: 4604

General

Target ID:	24
Start time:	12:19:57
Start date:	01/09/2024
Path:	C:\hb5kc8c.exe
Wow64 process (32bit):	true
Commandline:	c:\hb5kc8c.exe
Imagebase:	0x400000
File size:	236'395 bytes
MD5 hash:	75CE63BF185F462ED7F9E6365CD7AF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000018.00000002.1676411975.0000000000401000.00000040.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000018.00000003.1676228317.000000000072D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000018.00000003.1675808868.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\hb5kc8c.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: webp1.exePID: 2180, Parent PID: 4584

General

Target ID:	25
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\webp1.exe
Wow64 process (32bit):	true
Commandline:	c:\webp1.exe
Imagebase:	0x400000
File size:	236'412 bytes
MD5 hash:	298240B6E90AC68FBEB9A7BE56EDA3A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000019.00000003.1676742574.000000000054E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000019.00000003.1676809616.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\webp1.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: e81f5.exePID: 5332, Parent PID: 2180

General

Target ID:	26
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\e81f5.exe
Wow64 process (32bit):	true
Commandline:	c:\e81f5.exe
Imagebase:	0x400000
File size:	236'424 bytes
MD5 hash:	C2C439CF8A79D875F09E1C37D3DB36E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001A.00000003.1677285923.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001A.00000002.1677502488.0000000000401000.00000040.00000001.01000000.0000001D.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001A.00000003.1677356804.000000000075E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\e81f5.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 281l59.exePID: 6760, Parent PID: 5332

General

Target ID:	27
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\281l59.exe
Wow64 process (32bit):	true
Commandline:	c:\281l59.exe
Imagebase:	0x400000
File size:	236'436 bytes
MD5 hash:	CD950356D8E33513421D8074824D865A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001B.00000003.1677849478.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001B.00000003.1677919754.000000000073E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\281l59.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 71122as.exePID: 7092, Parent PID: 6760

General

Target ID:	28
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\71122as.exe
Wow64 process (32bit):	true
Commandline:	c:\71122as.exe
Imagebase:	0x400000
File size:	236'452 bytes
MD5 hash:	E2070B8B4080AA1C0ACD754F87D44A58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001C.00000002.1679047841.000000000068E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001C.00000003.1678680014.000000000061D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\71122as.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: urh7531.exePID: 5664, Parent PID: 7092

General

Target ID:	29
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\urh7531.exe
Wow64 process (32bit):	true
Commandline:	c:\urh7531.exe
Imagebase:	0x400000
File size:	236'470 bytes
MD5 hash:	A2F0CC47EF04D78F74C482B83B0D6071
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001D.00000003.1679325212.000000000057E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001D.00000003.1679256809.000000000050E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\urh7531.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: fx2dr.exePID: 5596, Parent PID: 5664

General

Target ID:	30
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\fx2dr.exe
Wow64 process (32bit):	true
Commandline:	c:\fx2dr.exe
Imagebase:	0x400000
File size:	236'481 bytes
MD5 hash:	C7B5C78FFABE9046E9219CA302D74903
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001E.00000003.1679812641.000000000060E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001E.00000003.1679880197.000000000067E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\fx2dr.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: mkqnd97.exePID: 5672, Parent PID: 5596

General

Target ID:	31
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\mkqnd97.exe
Wow64 process (32bit):	true
Commandline:	c:\mkqnd97.exe
Imagebase:	0x400000
File size:	236'497 bytes
MD5 hash:	DBB7FE60E5210C359C1C2C5620C8C0FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001F.00000003.1680483421.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 0000001F.00000003.1680414030.000000000076E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\mkqnd97.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 78d5dr1.exePID: 3552, Parent PID: 5672

General

Target ID:	32
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\78d5dr1.exe
Wow64 process (32bit):	true
Commandline:	c:\78d5dr1.exe
Imagebase:	0x400000
File size:	236'507 bytes
MD5 hash:	F91CB1621D2BA56DB6F9EAFC940ED3B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000020.00000003.1680999606.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000020.00000003.1681072661.000000000054E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\78d5dr1.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 2qkewqk.exePID: 2016, Parent PID: 3552

General

Target ID:	33
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\2qkewqk.exe
Wow64 process (32bit):	true
Commandline:	c:\2qkewqk.exe
Imagebase:	0x400000
File size:	236'527 bytes
MD5 hash:	DB13E0DACF9B4068F064388BF65331F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000021.00000002.1682343006.0000000000401000.00000040.00000001.01000000.00000024.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000021.00000003.1681701645.000000000065E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000021.00000003.1681609636.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\2qkewqk.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: ourh31.exePID: 764, Parent PID: 2016

General

Target ID:	34
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\ourh31.exe
Wow64 process (32bit):	true
Commandline:	c:\ourh31.exe
Imagebase:	0x400000
File size:	236'544 bytes
MD5 hash:	828AC17EAE23DA7778400A135C65442B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000022.00000003.1682894023.000000000064D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000022.00000003.1682379177.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\ourh31.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: g7112.exePID: 4908, Parent PID: 764

General

Target ID:	35
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\g7112.exe
Wow64 process (32bit):	true
Commandline:	c:\g7112.exe
Imagebase:	0x400000
File size:	236'559 bytes
MD5 hash:	040B9D0493FA77F472C5BB7456187303
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000023.00000003.1683526760.000000000079C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000023.00000002.1683951621.0000000000401000.00000040.00000001.01000000.00000026.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000023.00000003.1683629674.000000000080E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\g7112.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: hk977.exePID: 6664, Parent PID: 4908

General

Target ID:	36
Start time:	12:19:58
Start date:	01/09/2024
Path:	C:\hk977.exe
Wow64 process (32bit):	true
Commandline:	c:\hk977.exe
Imagebase:	0x400000
File size:	236'570 bytes
MD5 hash:	D22790FF53C7EDA2CE00F0FA1A363887
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000024.00000003.1683878267.000000000058A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000024.00000002.1684692162.0000000000401000.00000040.00000001.01000000.00000027.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000024.00000003.1684376837.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\hk977.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 7kiolb.exePID: 5780, Parent PID: 6664

General

Target ID:	37
Start time:	12:19:59
Start date:	01/09/2024
Path:	C:\7kiolb.exe
Wow64 process (32bit):	true
Commandline:	c:\7kiolb.exe
Imagebase:	0x400000
File size:	236'585 bytes
MD5 hash:	6B3840F7493601C05D957471E3BD0833
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000025.00000002.1685279755.0000000000401000.00000040.00000001.01000000.00000028.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000025.00000003.1684659208.000000000072A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000025.00000003.1684894752.000000000079D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\7kiolb.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 7kiolb.exePID: 6928, Parent PID: 5780

General

Target ID:	38
Start time:	12:19:59
Start date:	01/09/2024
Path:	C:\7kiolb.exe
Wow64 process (32bit):	true
Commandline:	c:\7kiolb.exe
Imagebase:	0x400000
File size:	236'585 bytes
MD5 hash:	6B3840F7493601C05D957471E3BD0833
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000026.00000002.1686085936.0000000000401000.00000040.00000001.01000000.00000028.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: pf753.exePID: 2188, Parent PID: 6928

General

Target ID:	39
Start time:	12:19:59
Start date:	01/09/2024
Path:	C:\pf753.exe
Wow64 process (32bit):	true
Commandline:	c:\pf753.exe
Imagebase:	0x400000
File size:	236'604 bytes
MD5 hash:	1E017F50B0CA791ABFF13DAC87F12B32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000027.00000003.1686270671.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: 00000027.00000003.1686156392.000000000056E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000027.00000002.1686485658.0000000000401000.00000040.00000001.01000000.00000029.sdmp, Author: Joe Security Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\pf753.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Fm9MoDgH7O.exePID: 5596, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	10.2%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(006D0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(006D0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 006B00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 006B02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 006B02EF

Memory Dump Source

Source File: 00000000.00000003.1648662020.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6b0000_Fm9MoDgH7O.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 76da2ca91381a697dc1456e397aa946cd0e4c7c254f69260bee7e00f19efe3cd
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 35218AF100C395AFE7258F208C59BEB7F76EF92710F09459DE5C146083D270958ACB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(006D0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

x"@, xrefs: 004018F2, 00401914
LoadLibraryA, xrefs: 00401815
b"@, xrefs: 0040185C
Kernel32, xrefs: 004017EE
L"@, xrefs: 0040181D
6"@, xrefs: 004017F3

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 004109A0 Relevance: 2.8, Strings: 1, Instructions: 1576COMMON

Download Yara Rule

Strings

/A, xrefs: 00410ECE

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID: /A
API String ID: 0-474550912
Opcode ID: e7d6c3062bf89a87239490cc8256365af276a0a85b20a3650f3c51898a51c153
Instruction ID: ed6b0ad3e4aa6758d114523f798a7e1e6b899768bd4744d9adb5ae0400959923
Opcode Fuzzy Hash: e7d6c3062bf89a87239490cc8256365af276a0a85b20a3650f3c51898a51c153
Instruction Fuzzy Hash: D5B222B1E50304ABEB10DF95DCC2FDE76B4EF18314F14012AFB05BA291E779A9908B59

Function 004151A7 Relevance: 1.9, Strings: 1, Instructions: 646COMMON

Download Yara Rule

Strings

4QA, xrefs: 00415249, 004155EE, 004156DE, 004153DC, 0041545A, 004153DF, 004155F1

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID: 4QA
API String ID: 0-2119731533
Opcode ID: a5554e411315ab9f2dd9d59b6452faca28f52011f813cb73ebc86b09c60d3259
Instruction ID: c4819f2f88b947da9c0b9b40353a2ed3abc0252ec668f841145db7ac5fea62e9
Opcode Fuzzy Hash: a5554e411315ab9f2dd9d59b6452faca28f52011f813cb73ebc86b09c60d3259
Instruction Fuzzy Hash: BD222AB1A402569BFB00DF98DCC179AB7B1EF59324F290475E506AB340D378F9A0DB62

Function 00401632 Relevance: 1.5, APIs: 1, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(0040114C,00000000), ref: 0040164C

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: ProcessThreadWindow
String ID:
API String ID: 1653199695-0
Opcode ID: 5a8bb4a2beea2ffc80c3dfb99b2562a25f6d803b01454b489bf57ff5e5eacfd6
Instruction ID: 5ce29f864b5632cb21bca88a9303d9ddafc7e6b8d2c6b8a2efbf356dee57b640
Opcode Fuzzy Hash: 5a8bb4a2beea2ffc80c3dfb99b2562a25f6d803b01454b489bf57ff5e5eacfd6
Instruction Fuzzy Hash: 78E04FB1C01208EBDB00EF90D946B6EFB38AB02301F1040B6E90577190D6369B54D79A

Function 00408CAE Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

h_@, xrefs: 00408CD0, 00408D19, 00408CD3

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID: h_@
API String ID: 0-4068098945
Opcode ID: 7bb401a85ba49694190c6afb9008aba6aecd7edf99d9aa7ae3404acbe623c307
Instruction ID: 9aa1f0c59ec4ee57096a6d7c0512e183bf9100fc68c98d2070a570dbcafd3919
Opcode Fuzzy Hash: 7bb401a85ba49694190c6afb9008aba6aecd7edf99d9aa7ae3404acbe623c307
Instruction Fuzzy Hash: 021172B1E00208FFEB10DF95DD81BAE7778EF14304F10417AE948B6281EB799A549B59

Function 004015EF Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

"@, xrefs: 0040160B

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID: "@
API String ID: 0-375560258
Opcode ID: af4027635b1e9e4918259f59763fc82954f727a1d8fca95bf35d4eb1f8200667
Instruction ID: a679c29e1f67bef4458af7bcc88de06c050d6facbc0b4e9f9b1da0d6a36f36cb
Opcode Fuzzy Hash: af4027635b1e9e4918259f59763fc82954f727a1d8fca95bf35d4eb1f8200667
Instruction Fuzzy Hash: 13E01A71911208EBCB00AF90DD82AAD7B35BB1A301F04516AFA04262A1D637D935EB9B

Function 00407E43 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd86524d575a636a5e1f1c2991e0d685da851dd302065e6eb85d0625e0307fa
Instruction ID: 4c96a40134b933977c43a5db26a9385604a3b9338d386221a844ef4532c4f668
Opcode Fuzzy Hash: 5bd86524d575a636a5e1f1c2991e0d685da851dd302065e6eb85d0625e0307fa
Instruction Fuzzy Hash: FC0283F2A402469BFB00CF58DCC179AB7A5EF99324F290039E906AB341D779F951C762

Function 0040BD2B Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e50d66830d1fc13a4e9c5b5ec7b0c49c928c6bfbf6096dfa7f1f17281a85dec
Instruction ID: cf016e54d16bffdc1a7742a4dc0f60e9f1bfed34a2a8e4d4e9f8c508f13a6f35
Opcode Fuzzy Hash: 2e50d66830d1fc13a4e9c5b5ec7b0c49c928c6bfbf6096dfa7f1f17281a85dec
Instruction Fuzzy Hash: 26125FB1D50218EBEB00EF91ECC6BEEB774EF18314F14412AF604B6281E7799A54CB59

Function 00413815 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26158d7a517d7aaa3e3bcad7411dd4476f34187302a1527cfe6a5cefd5fabd6
Instruction ID: f1583476206579e77ecf2709b540782e3877570167507816f644c51df0cab547
Opcode Fuzzy Hash: c26158d7a517d7aaa3e3bcad7411dd4476f34187302a1527cfe6a5cefd5fabd6
Instruction Fuzzy Hash: B8D135B1E40309ABEF10DF95DCC2BEF7674EF04705F144029FA44BA282E7799A908B59

Function 00413D17 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6211ed5a1d13dd3a40bedd832836813a5570b451487376cb72b8c84ed399553f
Instruction ID: 671202d48077b0ccd84b6b1584ea43ddf6b28fbee3c138f2bc1c4133929d8fed
Opcode Fuzzy Hash: 6211ed5a1d13dd3a40bedd832836813a5570b451487376cb72b8c84ed399553f
Instruction Fuzzy Hash: B48186B1E40309ABFB10DF95DC82BEFB6B4EF14701F144055F904BA281E779EA508769

Function 004115AF Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e995308dad21aea86d78d23bcd93d44cf48cbe2c59c2a50f4353ffc34d6746
Instruction ID: 2f4c2cd0a47eab2a13a46146e18007ebe8d618e5f86e3394aaac0b29a55be50a
Opcode Fuzzy Hash: 07e995308dad21aea86d78d23bcd93d44cf48cbe2c59c2a50f4353ffc34d6746
Instruction Fuzzy Hash: 30516DB1E50314BBEB50DF95ECC2FEE72B4AF09304F14102AFB05BA291D7759990875A

Function 0041C26F Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bce23c48586c6d58cf87feaf4106edc36e2130159d61c350351fdcb09284b36
Instruction ID: 7dfe49612018f3310e0a88aefb1aa3a6f1a52ed87d092281c3b83769e3d74744
Opcode Fuzzy Hash: 6bce23c48586c6d58cf87feaf4106edc36e2130159d61c350351fdcb09284b36
Instruction Fuzzy Hash: 8C81BA7244E3C18FC7539B7488256907FB0AF17228B1A45EFC4D1CF1A3E66E185ADB62

Function 0041D7A0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe3b784468f2cad95849ac7977f1efc624bf31eca387d775d2ac06796d080a2
Instruction ID: 890ce36563e83e77dc7d416e1846635b220f7188b4a1bb37cbc7a245fe7b1d7b
Opcode Fuzzy Hash: 0fe3b784468f2cad95849ac7977f1efc624bf31eca387d775d2ac06796d080a2
Instruction Fuzzy Hash: C571106144E3C19FC7038B7488A52917FB1AE17218B1E85DBC4C5CF0B3D2AE585ADB63

Function 0040B403 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a541b5c4e76c6b00140a5d11467e596eb287d4c5ff27a5ff95eac06c704b1998
Instruction ID: 4342146a36ef684379a4331edf1158d34fab0661a230bc978bcee7e3bdb04237
Opcode Fuzzy Hash: a541b5c4e76c6b00140a5d11467e596eb287d4c5ff27a5ff95eac06c704b1998
Instruction Fuzzy Hash: 5B3180B1D40308FBEB10AF91DC86BAEBB78EF04314F148165F514B62C1D779D6608B99

Function 0040B2CE Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199df5355cac3ff44867256c80e16a6e3981976ba13e59299c8b42365e5b9e30
Instruction ID: 346fe090cb3e43d92051742ee0258fffadb2f33cf6761425130d7a63b6e53aea
Opcode Fuzzy Hash: 199df5355cac3ff44867256c80e16a6e3981976ba13e59299c8b42365e5b9e30
Instruction Fuzzy Hash: 053142B1D40208ABEB00EF95DC82BAE7BB4EF14310F144166F914BA2C1D779D664DB99

Function 0041D857 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae42ac3bf12852f2c0ab980fbe42e84615a7af7a8985693d21d047c28d22d5f
Instruction ID: 7e6a911b90e5a217722ed821f64ec3f03170f0b0cc58b19066a4a311c70ea61c
Opcode Fuzzy Hash: bae42ac3bf12852f2c0ab980fbe42e84615a7af7a8985693d21d047c28d22d5f
Instruction Fuzzy Hash: 6F4159A240E3D09FC7134B7488AA2917FB0AF17214B0A45DBC4D1CF0B3D6A91C5ADB63

Function 00408428 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2ba289fe8e1c9030019632f9f7e81eaa88d4ec1cd5442caf8eae0b93d7b04f
Instruction ID: de28bc461511fe5dd5bb737ef18ecac606c9eb08ebedba84eeb5957a3bff7759
Opcode Fuzzy Hash: 0d2ba289fe8e1c9030019632f9f7e81eaa88d4ec1cd5442caf8eae0b93d7b04f
Instruction Fuzzy Hash: 491142B2E00208EBEB10DF95DD81BDE77BCAB18310F14406AF908E7241E639DA509755

Function 004150E3 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd3f9066b67c595370465cc3e491d4a21242243e37d2b8b16927e8cd8a46687
Instruction ID: c2d388792c6978553c01cf4a149dad24701526105f2e64079760d34259e1273a
Opcode Fuzzy Hash: 1cd3f9066b67c595370465cc3e491d4a21242243e37d2b8b16927e8cd8a46687
Instruction Fuzzy Hash: D5115EB5D40308FBEB01DF91D882BEE7B70AF49350F104166F9086A281D3799794DB9A

Function 0040A0B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d293d500e2446950863131b1f5493e5c8897ad750251d770aa9c6dd2441181
Instruction ID: 60e9356b49d9e187dc651bf52815db93126dbe6141a9bb3697aa50620c12bd33
Opcode Fuzzy Hash: b5d293d500e2446950863131b1f5493e5c8897ad750251d770aa9c6dd2441181
Instruction Fuzzy Hash: 0301DE70C0530DEBDF10DF50D5497AE7A74AB01355F10806AE5153A281D3B98BA9EB9B

Function 004097EE Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0e1388be627e4a51f8f20ee277881418076103ed3676ceabc5099ad297ee94
Instruction ID: 936c4502fbc963c99d3cdb0141a428568f17714d8a46d8674ec14850f77805ce
Opcode Fuzzy Hash: ed0e1388be627e4a51f8f20ee277881418076103ed3676ceabc5099ad297ee94
Instruction Fuzzy Hash: 4BF044B5940308BBEF50AE50DC82B6A7B74EB15301F108065FD046A382E675DD548B65

Function 00402144 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff77b86e5d776f4dfc0d7eae4d8be07b065dc12aa89e2666b0af314177f1acc
Instruction ID: 39e3e8ab463636a10ed941d82d2b3dfbbcad72ba0b4d607547e580856db93677
Opcode Fuzzy Hash: 6ff77b86e5d776f4dfc0d7eae4d8be07b065dc12aa89e2666b0af314177f1acc
Instruction Fuzzy Hash: 56E09272204008ABE70CDD15D946BA93756D3D0354F00C12EED494A684D6799D558795

Function 004079BA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178353b423c6dce841d5bde73991e9fb4e600d5b903eeb06f7dd84c6daefefcd
Instruction ID: 773a56f1b48bc027027731b88c8982b67bddcf956edbee728bbbd25ea3796cb4
Opcode Fuzzy Hash: 178353b423c6dce841d5bde73991e9fb4e600d5b903eeb06f7dd84c6daefefcd
Instruction Fuzzy Hash: 5FE092B0D44208F7E7019E509C42BAEBA349B05340F104162F6043A1C0D676AB509BDE

Function 00408A11 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a0a44f53d3b3a548709bd0f53b185338005aad8e91befa8db869c1ec69a608
Instruction ID: 3fe2d7b00ae64ea35fb2ca5bb99dcca9414b6d10fbef37768a203124d9e9469e
Opcode Fuzzy Hash: a7a0a44f53d3b3a548709bd0f53b185338005aad8e91befa8db869c1ec69a608
Instruction Fuzzy Hash: EFE012B1D4020CFBEB40EF90D942BADBB74AB05311F109066FA487A190D7769B58DB9A

Function 00420283 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50750979ad97b0ebe72a3e0c7c4e47d525a23e004f2cbe320b171b349cc6d94
Instruction ID: e30cf94b9758c0fc62c0dca9b7b675c23407953af182793f0f24bcbcab0b683c
Opcode Fuzzy Hash: f50750979ad97b0ebe72a3e0c7c4e47d525a23e004f2cbe320b171b349cc6d94
Instruction Fuzzy Hash: 79E09233008791ABDBA6AF32A4902C3BBE2AFCB3403977599C4854B546CE206003DA41

Function 00405A86 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16a745e9521817b1ff3fb7f7d652c2e9054b4e5ece03de00ad208790ff7c14b
Instruction ID: 50d4da3a46c13b99047629f9812836b12aa1f8991cbf26997934dd0217009c07
Opcode Fuzzy Hash: d16a745e9521817b1ff3fb7f7d652c2e9054b4e5ece03de00ad208790ff7c14b
Instruction Fuzzy Hash: 5DE02631D4030CF7DB10AE80AC43BAE7E30DB06310F008112FA083A0D0D233C624ABAB

Function 00413768 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1bee0f6ca94acdbca77ce56503c8291f3fcebf5016d847ef34b4bd87648e34
Instruction ID: ece6c17bc7a81befb18a70672f4c1e3f5a8db26d6902fadca0d7bf5bc800f8da
Opcode Fuzzy Hash: 3a1bee0f6ca94acdbca77ce56503c8291f3fcebf5016d847ef34b4bd87648e34
Instruction Fuzzy Hash: 5FE012B5810208EBDB019F80DC82AA97B35AB0A311F044155F90827151D736DA75EB9A

Function 00405B50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe5b67d7a75b4fcfd9fd10a355e91b7898278872e8a18dba5a67545297865db
Instruction ID: f6a3acb31ae5d63461dac0181133c97458596743384f060e49f8f60ccb8321b8
Opcode Fuzzy Hash: 9fe5b67d7a75b4fcfd9fd10a355e91b7898278872e8a18dba5a67545297865db
Instruction Fuzzy Hash: 14D0C271D40208BBD210AE80A803B7ABA34DB06321F009126F904361C0E636A6299BDF

Function 00407982 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0436820364166747da4f9c877807c356569d34489c8640e478ae8c2dbf47ad
Instruction ID: 044335dde11e79e59214e53d02a5a6524dd3e408c334aab2e79b0e2b8edd8181
Opcode Fuzzy Hash: fa0436820364166747da4f9c877807c356569d34489c8640e478ae8c2dbf47ad
Instruction Fuzzy Hash: 9ED0C270C05208EBD700EE40E982679B774AB07310F0041A6A80437240D636E928E7DB

Function 00414008 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a8ee107a70480c1d877c61f2066b5b38ab90ceff3a4996011ae90c49741735
Instruction ID: a09bd41c9a5dd5a0648d7534af2029fb70fdc68149c45f549a617b5925530e48
Opcode Fuzzy Hash: 42a8ee107a70480c1d877c61f2066b5b38ab90ceff3a4996011ae90c49741735
Instruction Fuzzy Hash: 91D02B70C00108E7C2006E41EA421BDBE349B17340F004067E90432100D637CB6593DF

Function 004137DF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8677361d0a5388edf777282084abe99deb8603873cb6d3698a75a94c78e52d13
Instruction ID: db3fbff974d23dd782b999d30ccc5775dd3b8b76eeecf7e6f7689c4e16401a05
Opcode Fuzzy Hash: 8677361d0a5388edf777282084abe99deb8603873cb6d3698a75a94c78e52d13
Instruction Fuzzy Hash: 56D05E70C05208E7D700BF51E9466BDFE75AB17312F109166F80526140E63ACB69A7EF

Function 004137AB Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e574f39affb7cb611fd7431472aee9f4a24401c0e28da86ad0d02ef3f62dd6d5
Instruction ID: 9b00a30e00223701f5b2f9f2d553b7bc1cb7a354dc0c208ce76175f0fa513de4
Opcode Fuzzy Hash: e574f39affb7cb611fd7431472aee9f4a24401c0e28da86ad0d02ef3f62dd6d5
Instruction Fuzzy Hash: 09D017B5C01208E7DB00AE91E8426A9BA35AB16321F009166F90826150E636DA64E7DA

Function 0040D64A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f33cd6c4ee7185f7905b089cf6bec71ab477f5c46f9470cdb8b14b02a871d5
Instruction ID: 5f98138b66ba2d925d8ac9b4ac985dcc3a76ce0faebfd03b0abdf7bbf5cf15b8
Opcode Fuzzy Hash: a3f33cd6c4ee7185f7905b089cf6bec71ab477f5c46f9470cdb8b14b02a871d5
Instruction Fuzzy Hash: 21D0A7F0C45208E3D600BF916943779B6388B02311F005165E90C37180E537C61482DF

Function 00405B1F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e98c76d63229306f818737a538976d6c2c20004dfb0c3691f1285fc6f66468
Instruction ID: c8f867fdd15fdaf12b81347efb5f8ce7dafc03da2b8ad894d3b41e55d46c787e
Opcode Fuzzy Hash: 23e98c76d63229306f818737a538976d6c2c20004dfb0c3691f1285fc6f66468
Instruction Fuzzy Hash: F4D0A770C05608D7D2507F50654327EF634DB03301F005166A90833180EA3AEB159FDF

Function 0040E896 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1a8925813a803b358d4ff8bd2f3b7554a434a260a819f36f5b0a6c8bd742e1
Instruction ID: cb1156148096204b87e415e8ca81241034d845144954640108d49534f760dc2f
Opcode Fuzzy Hash: 2b1a8925813a803b358d4ff8bd2f3b7554a434a260a819f36f5b0a6c8bd742e1
Instruction Fuzzy Hash: CDD0C7B1C4524CDBE650BF516947279B6385B02311F005165E90837180E535D62496DF

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 00000000.00000002.1649223990.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1649204954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649223990.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649279465.0000000000428000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fm9MoDgH7O.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: m2mwu.exePID: 5672, Parent PID: 5596COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(006A0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(006A0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005200F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005202DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005202EF

Memory Dump Source

Source File: 00000001.00000003.1649169750.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_520000_m2mwu.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 2f380ed8453db7fdbc81faa3e787db12f739aeef9e23a6856f34093545122cd7
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 952178B100D3A5AFD7258F20DC59BAA7F64FF93710F09499EE5C1464C3D2709405CB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(006A0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

LoadLibraryA, xrefs: 00401815
x"@, xrefs: 004018F2, 00401914
Kernel32, xrefs: 004017EE
6"@, xrefs: 004017F3
b"@, xrefs: 0040185C
L"@, xrefs: 0040181D

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000001.00000002.1649866604.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1649818471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649866604.0000000000422000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1649905307.0000000000428000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_m2mwu.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: re8eo.exePID: 4268, Parent PID: 5672COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00670000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00670000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004D00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004D02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004D02EF

Memory Dump Source

Source File: 00000002.00000003.1649779818.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_4d0000_re8eo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: a3ba6a3a09b1664a8b28c1aa18f6540e51850b2597163994c94760247f3c87f5
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 3A2198B100D394AFD7228F208C69BAB7F64EF92700F0945DFE5C147283D2689802CB6A

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00670000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

6"@, xrefs: 004017F3
L"@, xrefs: 0040181D
x"@, xrefs: 004018F2, 00401914
b"@, xrefs: 0040185C
Kernel32, xrefs: 004017EE
LoadLibraryA, xrefs: 00401815

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000002.00000002.1650337010.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1650317220.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650337010.0000000000422000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1650454323.0000000000428000.00000020.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_re8eo.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 4vd771.exePID: 2016, Parent PID: 4268COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00710000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00710000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 006B00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 006B02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 006B02EF

Memory Dump Source

Source File: 00000003.00000003.1650323159.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_6b0000_4vd771.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 76da2ca91381a697dc1456e397aa946cd0e4c7c254f69260bee7e00f19efe3cd
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 35218AF100C395AFE7258F208C59BEB7F76EF92710F09459DE5C146083D270958ACB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00710000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

b"@, xrefs: 0040185C
L"@, xrefs: 0040181D
LoadLibraryA, xrefs: 00401815
6"@, xrefs: 004017F3
x"@, xrefs: 004018F2, 00401914
Kernel32, xrefs: 004017EE

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000003.00000002.1651110298.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1651098760.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651110298.0000000000422000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1651151219.0000000000428000.00000020.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_4vd771.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: qnd197.exePID: 2680, Parent PID: 2016COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00640000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00640000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004D00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004D02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004D02EF

Memory Dump Source

Source File: 00000004.00000003.1651119751.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_4d0000_qnd197.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: a3ba6a3a09b1664a8b28c1aa18f6540e51850b2597163994c94760247f3c87f5
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 3A2198B100D394AFD7228F208C69BAB7F64EF92700F0945DFE5C147283D2689802CB6A

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00640000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

x"@, xrefs: 004018F2, 00401914
LoadLibraryA, xrefs: 00401815
L"@, xrefs: 0040181D
Kernel32, xrefs: 004017EE
6"@, xrefs: 004017F3
b"@, xrefs: 0040185C

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000004.00000002.1651635634.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1651623876.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651635634.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.1651682992.0000000000428000.00000020.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qnd197.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: oaweb.exePID: 5780, Parent PID: 2680COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(007E0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(007E0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005E00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005E02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005E02EF

Memory Dump Source

Source File: 00000005.00000003.1651640792.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_5e0000_oaweb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 6dc9d95d3a5f0a591e0f4ca6a0318d00ae4bcac8bc3c557697dff35d20782865
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 44217BB100C3E5AFDB298F21CC59BA67FA5FF92710F09499DE6C1460C3D1A09485CB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(007E0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

L"@, xrefs: 0040181D
x"@, xrefs: 004018F2, 00401914
6"@, xrefs: 004017F3
Kernel32, xrefs: 004017EE
b"@, xrefs: 0040185C
LoadLibraryA, xrefs: 00401815

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000005.00000002.1652213307.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1652200850.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652213307.0000000000422000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1652255848.0000000000428000.00000020.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_oaweb.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 36hmq.exePID: 1612, Parent PID: 5780COMMON

Executed Functions

Function 006B00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 006B02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 006B02EF

Memory Dump Source

Source File: 00000006.00000003.1652212682.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_6b0000_36hmq.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 76da2ca91381a697dc1456e397aa946cd0e4c7c254f69260bee7e00f19efe3cd
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 35218AF100C395AFE7258F208C59BEB7F76EF92710F09459DE5C146083D270958ACB62

Analysis Process: 4uoic.exePID: 5408, Parent PID: 1612COMMON

Executed Functions

Function 005B00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005B02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005B02EF

Memory Dump Source

Source File: 00000007.00000003.1652758567.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_5b0000_4uoic.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 11d3efc5d6e9c56b0e9a267bdc796803d3ca3d94064f514e0393afb021cf6604
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: B82156B100C395AFDB259F20CC59BEBBF64FF92710F09499DE5C1460C3D260A409CB62

Analysis Process: w7711.exePID: 1860, Parent PID: 5408COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00490000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00490000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 020500F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 020502DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 020502EF

Memory Dump Source

Source File: 00000008.00000003.1653296991.0000000002050000.00000040.00001000.00020000.00000000.sdmp, Offset: 02050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_2050000_w7711.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 2634e97479a885efb722ac2fee0b13510c9310e87f7de065da8d72826cd03382
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: AC218AB100C3A5AFD7268F208C95BBF7FB6EF86714F09499DE9C14A483D2719405DB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00490000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

LoadLibraryA, xrefs: 00401815
b"@, xrefs: 0040185C
L"@, xrefs: 0040181D
x"@, xrefs: 004018F2, 00401914
Kernel32, xrefs: 004017EE
6"@, xrefs: 004017F3

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 00000008.00000002.1653907513.0000000000401000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1653850479.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653907513.0000000000422000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.1653945141.0000000000428000.00000020.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_w7711.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: isqwt.exePID: 4900, Parent PID: 1860COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(004E0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(004E0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004900F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004902DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004902EF

Memory Dump Source

Source File: 00000009.00000003.1653814972.0000000000490000.00000040.00001000.00020000.00000000.sdmp, Offset: 00490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_490000_isqwt.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 7c032199fa5daab7dac6fb1efdf46e5e5eceb37306ca8e886549a816e60ddafc
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 652178B100C394AFDB258F208C59BAB7F74EF92714F0945EEE5C146083D2689846CB6A

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(004E0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

x"@, xrefs: 004018F2, 00401914
LoadLibraryA, xrefs: 00401815
b"@, xrefs: 0040185C
Kernel32, xrefs: 004017EE
L"@, xrefs: 0040181D
6"@, xrefs: 004017F3

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000009.00000002.1654699468.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1654679976.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654699468.0000000000422000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.1654792808.0000000000428000.00000020.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_isqwt.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: s1oaw.exePID: 6716, Parent PID: 4900COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00540000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00540000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004900F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004902DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004902EF

Memory Dump Source

Source File: 0000000A.00000003.1654661215.0000000000490000.00000040.00001000.00020000.00000000.sdmp, Offset: 00490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_490000_s1oaw.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 7c032199fa5daab7dac6fb1efdf46e5e5eceb37306ca8e886549a816e60ddafc
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 652178B100C394AFDB258F208C59BAB7F74EF92714F0945EEE5C146083D2689846CB6A

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00540000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

6"@, xrefs: 004017F3
LoadLibraryA, xrefs: 00401815
b"@, xrefs: 0040185C
x"@, xrefs: 004018F2, 00401914
L"@, xrefs: 0040181D
Kernel32, xrefs: 004017EE

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 0000000A.00000002.1655695145.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1655662807.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655695145.0000000000422000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000A.00000002.1655834494.0000000000428000.00000020.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_s1oaw.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 559900.exePID: 1732, Parent PID: 6716COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00730000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00730000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005A00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005A02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005A02EF

Memory Dump Source

Source File: 0000000B.00000003.1655367277.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_3_5a0000_559900.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 51a06e737ed57f7a073916832ccc42f11c1839c133ec32a7896dfe2bc6454c24
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 3A2156B102C395AFDB258F20CC59BAA7F64FF93710F09499DE5C1460C3D2619405CB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00730000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

LoadLibraryA, xrefs: 00401815
b"@, xrefs: 0040185C
6"@, xrefs: 004017F3
x"@, xrefs: 004018F2, 00401914
Kernel32, xrefs: 004017EE
L"@, xrefs: 0040181D

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 0000000B.00000002.1656528746.0000000000401000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1656510562.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656528746.0000000000422000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000B.00000002.1656576439.0000000000428000.00000020.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_559900.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: spf19.exePID: 1260, Parent PID: 1732COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00740000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00740000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005A00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005A02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005A02EF

Memory Dump Source

Source File: 0000000C.00000003.1656586864.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_5a0000_spf19.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 51a06e737ed57f7a073916832ccc42f11c1839c133ec32a7896dfe2bc6454c24
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 3A2156B102C395AFDB258F20CC59BAA7F64FF93710F09499DE5C1460C3D2619405CB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00740000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

b"@, xrefs: 0040185C
LoadLibraryA, xrefs: 00401815
L"@, xrefs: 0040181D
x"@, xrefs: 004018F2, 00401914
Kernel32, xrefs: 004017EE
6"@, xrefs: 004017F3

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 0000000C.00000002.1657766835.0000000000401000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1657745786.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657766835.0000000000422000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000C.00000002.1657815844.0000000000428000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_spf19.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 93344.exePID: 3164, Parent PID: 1260COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00760000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00760000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005600F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005602DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005602EF

Memory Dump Source

Source File: 0000000D.00000003.1657609009.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_560000_93344.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 4cac9309fbca980694eb01cbd008d2aafa2927e8ce31bfa76aba8d3f4bb50745
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 0A2176B501C395AFDB268F20CC69BAB7F64FF92710F094A9DE5C14B0C3D2609446CBA2

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00760000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

6"@, xrefs: 004017F3
LoadLibraryA, xrefs: 00401815
L"@, xrefs: 0040181D
x"@, xrefs: 004018F2, 00401914
Kernel32, xrefs: 004017EE
b"@, xrefs: 0040185C

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 0000000D.00000002.1658393545.0000000000401000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1658346928.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658393545.0000000000422000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000D.00000002.1658429544.0000000000428000.00000020.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_93344.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 6r61155.exePID: 6952, Parent PID: 3164COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(005D0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(005D0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005B00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005B02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005B02EF

Memory Dump Source

Source File: 0000000E.00000003.1658316564.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_5b0000_6r61155.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 11d3efc5d6e9c56b0e9a267bdc796803d3ca3d94064f514e0393afb021cf6604
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: B82156B100C395AFDB259F20CC59BEBBF64FF92710F09499DE5C1460C3D260A409CB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(005D0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

Kernel32, xrefs: 004017EE
LoadLibraryA, xrefs: 00401815
x"@, xrefs: 004018F2, 00401914
6"@, xrefs: 004017F3
b"@, xrefs: 0040185C
L"@, xrefs: 0040181D

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 0000000E.00000002.1658951892.0000000000401000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.1658934864.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658951892.0000000000422000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 0000000E.00000002.1658991507.0000000000428000.00000020.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_6r61155.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 7788uoi.exePID: 6904, Parent PID: 6952COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00450000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00450000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 020500F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 020502DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 020502EF

Memory Dump Source

Source File: 0000000F.00000003.1658943782.0000000002050000.00000040.00001000.00020000.00000000.sdmp, Offset: 02050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_2050000_7788uoi.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 2634e97479a885efb722ac2fee0b13510c9310e87f7de065da8d72826cd03382
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: AC218AB100C3A5AFD7268F208C95BBF7FB6EF86714F09499DE9C14A483D2719405DB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00450000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

L"@, xrefs: 0040181D
b"@, xrefs: 0040185C
Kernel32, xrefs: 004017EE
LoadLibraryA, xrefs: 00401815
x"@, xrefs: 004018F2, 00401914
6"@, xrefs: 004017F3

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 0000000F.00000002.1659501704.0000000000401000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.1659477565.0000000000400000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659501704.0000000000422000.00000040.00000001.01000000.00000012.sdmpDownload File
Associated: 0000000F.00000002.1659543008.0000000000428000.00000020.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_7788uoi.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: rh53197.exePID: 2472, Parent PID: 6904COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(005E0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(005E0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004D00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004D02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004D02EF

Memory Dump Source

Source File: 00000010.00000003.1659477625.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_4d0000_rh53197.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: a3ba6a3a09b1664a8b28c1aa18f6540e51850b2597163994c94760247f3c87f5
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 3A2198B100D394AFD7228F208C69BAB7F64EF92700F0945DFE5C147283D2689802CB6A

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(005E0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

b"@, xrefs: 0040185C
6"@, xrefs: 004017F3
Kernel32, xrefs: 004017EE
x"@, xrefs: 004018F2, 00401914
L"@, xrefs: 0040181D
LoadLibraryA, xrefs: 00401815

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 00000010.00000002.1660031002.0000000000401000.00000040.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.1660012448.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660031002.0000000000422000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000010.00000002.1660067174.0000000000428000.00000020.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_rh53197.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 5787leo.exePID: 4092, Parent PID: 2472COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00690000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00690000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005200F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005202DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005202EF

Memory Dump Source

Source File: 00000011.00000003.1660011290.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_520000_5787leo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 2f380ed8453db7fdbc81faa3e787db12f739aeef9e23a6856f34093545122cd7
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 952178B100D3A5AFD7258F20DC59BAA7F64FF93710F09499EE5C1464C3D2709405CB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00690000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

Kernel32, xrefs: 004017EE
6"@, xrefs: 004017F3
LoadLibraryA, xrefs: 00401815
x"@, xrefs: 004018F2, 00401914
L"@, xrefs: 0040181D
b"@, xrefs: 0040185C

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000011.00000002.1660593969.0000000000401000.00000040.00000001.01000000.00000014.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.1660580665.0000000000400000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660593969.0000000000422000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.1660626873.0000000000428000.00000020.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_5787leo.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 88oxxqc.exePID: 5428, Parent PID: 4092COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(004B0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(004B0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004A00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004A02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004A02EF

Memory Dump Source

Source File: 00000012.00000003.1660542784.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_4a0000_88oxxqc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 99b6b75690b88cc1390752eca6660d8b81aa4fad901a87fada7a97873694fd4e
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 66219CB200C394AFD7258F208C59BAB7F74EFA3714F0945DEE5C146083D2799846CB6A

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(004B0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

L"@, xrefs: 0040181D
b"@, xrefs: 0040185C
x"@, xrefs: 004018F2, 00401914
LoadLibraryA, xrefs: 00401815
Kernel32, xrefs: 004017EE
6"@, xrefs: 004017F3

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000012.00000002.1661915790.0000000000401000.00000040.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1661895869.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661915790.0000000000422000.00000040.00000001.01000000.00000015.sdmpDownload File
Associated: 00000012.00000002.1661958660.0000000000428000.00000020.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_88oxxqc.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 83377.exePID: 4600, Parent PID: 5428COMMON

Executed Functions

Function 004900F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004902DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004902EF

Memory Dump Source

Source File: 00000013.00000003.1661365361.0000000000490000.00000040.00001000.00020000.00000000.sdmp, Offset: 00490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_490000_83377.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 7c032199fa5daab7dac6fb1efdf46e5e5eceb37306ca8e886549a816e60ddafc
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 652178B100C394AFDB258F208C59BAB7F74EF92714F0945EEE5C146083D2689846CB6A

Analysis Process: w3790i.exePID: 2996, Parent PID: 4600COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00590000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00590000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004900F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004902DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004902EF

Memory Dump Source

Source File: 00000014.00000003.1662883972.0000000000490000.00000040.00001000.00020000.00000000.sdmp, Offset: 00490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_490000_w3790i.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 7c032199fa5daab7dac6fb1efdf46e5e5eceb37306ca8e886549a816e60ddafc
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 652178B100C394AFDB258F208C59BAB7F74EF92714F0945EEE5C146083D2689846CB6A

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00590000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

Kernel32, xrefs: 004017EE
LoadLibraryA, xrefs: 00401815
b"@, xrefs: 0040185C
6"@, xrefs: 004017F3
L"@, xrefs: 0040181D
x"@, xrefs: 004018F2, 00401914

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 00000014.00000002.1665457534.0000000000401000.00000040.00000001.01000000.00000017.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.1665339672.0000000000400000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665457534.0000000000422000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000014.00000002.1665704367.0000000000428000.00000020.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_w3790i.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: bp1975.exePID: 5780, Parent PID: 2996COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(004A0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(004A0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004900F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004902DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004902EF

Memory Dump Source

Source File: 00000015.00000003.1664595374.0000000000490000.00000040.00001000.00020000.00000000.sdmp, Offset: 00490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_490000_bp1975.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 7c032199fa5daab7dac6fb1efdf46e5e5eceb37306ca8e886549a816e60ddafc
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 652178B100C394AFDB258F208C59BAB7F74EF92714F0945EEE5C146083D2689846CB6A

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(004A0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

6"@, xrefs: 004017F3
x"@, xrefs: 004018F2, 00401914
L"@, xrefs: 0040181D
LoadLibraryA, xrefs: 00401815
Kernel32, xrefs: 004017EE
b"@, xrefs: 0040185C

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 00000015.00000002.1667791053.0000000000401000.00000040.00000001.01000000.00000018.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1667227370.0000000000400000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1667791053.0000000000422000.00000040.00000001.01000000.00000018.sdmpDownload File
Associated: 00000015.00000002.1668461229.0000000000428000.00000020.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_bp1975.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 90omsp.exePID: 1612, Parent PID: 5780COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(006F0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(006F0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005600F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005602DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005602EF

Memory Dump Source

Source File: 00000016.00000003.1666508141.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_3_560000_90omsp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 4cac9309fbca980694eb01cbd008d2aafa2927e8ce31bfa76aba8d3f4bb50745
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 0A2176B501C395AFDB268F20CC69BAB7F64FF92710F094A9DE5C14B0C3D2609446CBA2

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(006F0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

L"@, xrefs: 0040181D
Kernel32, xrefs: 004017EE
x"@, xrefs: 004018F2, 00401914
6"@, xrefs: 004017F3
b"@, xrefs: 0040185C
LoadLibraryA, xrefs: 00401815

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000016.00000002.1672680801.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1672648454.0000000000400000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672680801.0000000000422000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000016.00000002.1672728456.0000000000428000.00000020.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_90omsp.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: lb31975.exePID: 4604, Parent PID: 1612COMMON

Executed Functions

Function 005600F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005602DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005602EF

Memory Dump Source

Source File: 00000017.00000003.1672472425.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_3_560000_lb31975.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 4cac9309fbca980694eb01cbd008d2aafa2927e8ce31bfa76aba8d3f4bb50745
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 0A2176B501C395AFDB268F20CC69BAB7F64FF92710F094A9DE5C14B0C3D2609446CBA2

Analysis Process: hb5kc8c.exePID: 4584, Parent PID: 4604COMMON

Executed Functions

Function 004900F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004902DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004902EF

Memory Dump Source

Source File: 00000018.00000003.1674797038.0000000000490000.00000040.00001000.00020000.00000000.sdmp, Offset: 00490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_3_490000_hb5kc8c.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 7c032199fa5daab7dac6fb1efdf46e5e5eceb37306ca8e886549a816e60ddafc
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 652178B100C394AFDB258F208C59BAB7F74EF92714F0945EEE5C146083D2689846CB6A

Analysis Process: webp1.exePID: 2180, Parent PID: 4584COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00530000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00530000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 020500F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 020502DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 020502EF

Memory Dump Source

Source File: 00000019.00000003.1676358266.0000000002050000.00000040.00001000.00020000.00000000.sdmp, Offset: 02050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_3_2050000_webp1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 2634e97479a885efb722ac2fee0b13510c9310e87f7de065da8d72826cd03382
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: AC218AB100C3A5AFD7268F208C95BBF7FB6EF86714F09499DE9C14A483D2719405DB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00530000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

b"@, xrefs: 0040185C
Kernel32, xrefs: 004017EE
6"@, xrefs: 004017F3
LoadLibraryA, xrefs: 00401815
x"@, xrefs: 004018F2, 00401914
L"@, xrefs: 0040181D

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 00000019.00000002.1676959458.0000000000401000.00000040.00000001.01000000.0000001C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.1676938087.0000000000400000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676959458.0000000000422000.00000040.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000019.00000002.1676993743.0000000000428000.00000020.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_webp1.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: e81f5.exePID: 5332, Parent PID: 2180COMMON

Executed Functions

Function 006B00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 006B02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 006B02EF

Memory Dump Source

Source File: 0000001A.00000003.1676921232.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_3_6b0000_e81f5.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 76da2ca91381a697dc1456e397aa946cd0e4c7c254f69260bee7e00f19efe3cd
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 35218AF100C395AFE7258F208C59BEB7F76EF92710F09459DE5C146083D270958ACB62

Analysis Process: 281l59.exePID: 6760, Parent PID: 5332COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(006B0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(006B0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 020500F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 020502DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 020502EF

Memory Dump Source

Source File: 0000001B.00000003.1677467757.0000000002050000.00000040.00001000.00020000.00000000.sdmp, Offset: 02050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_3_2050000_281l59.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 2634e97479a885efb722ac2fee0b13510c9310e87f7de065da8d72826cd03382
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: AC218AB100C3A5AFD7268F208C95BBF7FB6EF86714F09499DE9C14A483D2719405DB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(006B0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

6"@, xrefs: 004017F3
L"@, xrefs: 0040181D
x"@, xrefs: 004018F2, 00401914
b"@, xrefs: 0040185C
Kernel32, xrefs: 004017EE
LoadLibraryA, xrefs: 00401815

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 0000001B.00000002.1678078088.0000000000401000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001B.00000002.1678056067.0000000000400000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678078088.0000000000422000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 0000001B.00000002.1678118604.0000000000428000.00000020.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_400000_281l59.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 71122as.exePID: 7092, Parent PID: 6760COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00600000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00600000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005B00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005B02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005B02EF

Memory Dump Source

Source File: 0000001C.00000003.1678034830.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_3_5b0000_71122as.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 11d3efc5d6e9c56b0e9a267bdc796803d3ca3d94064f514e0393afb021cf6604
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: B82156B100C395AFDB259F20CC59BEBBF64FF92710F09499DE5C1460C3D260A409CB62

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

6"@, xrefs: 004017F3
L"@, xrefs: 0040181D
b"@, xrefs: 0040185C
LoadLibraryA, xrefs: 00401815
Kernel32, xrefs: 004017EE
x"@, xrefs: 004018F2, 00401914

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 0000001C.00000002.1678885393.0000000000401000.00000040.00000001.01000000.0000001F.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001C.00000002.1678864577.0000000000400000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678885393.0000000000422000.00000040.00000001.01000000.0000001F.sdmpDownload File
Associated: 0000001C.00000002.1678934426.0000000000428000.00000020.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_400000_71122as.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: urh7531.exePID: 5664, Parent PID: 7092COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(004F0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(004F0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004E00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004E02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004E02EF

Memory Dump Source

Source File: 0000001D.00000003.1678872878.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_3_4e0000_urh7531.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 560c6e9fbce9c43f969d3b87eae30aa49f7861fa1e05f5c95d4cd716fdf2e047
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 1321ACB100C3D5AFD7218F218C59BA77FB4EF52701F0949DEE6C146083D1B89881CB66

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(004F0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

6"@, xrefs: 004017F3
b"@, xrefs: 0040185C
LoadLibraryA, xrefs: 00401815
Kernel32, xrefs: 004017EE
x"@, xrefs: 004018F2, 00401914
L"@, xrefs: 0040181D

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 0000001D.00000002.1679466682.0000000000401000.00000040.00000001.01000000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001D.00000002.1679445742.0000000000400000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679466682.0000000000422000.00000040.00000001.01000000.00000020.sdmpDownload File
Associated: 0000001D.00000002.1679504492.0000000000428000.00000020.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_400000_urh7531.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: fx2dr.exePID: 5596, Parent PID: 5664COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(005F0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(005F0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005200F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005202DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005202EF

Memory Dump Source

Source File: 0000001E.00000003.1679428399.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_3_520000_fx2dr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 2f380ed8453db7fdbc81faa3e787db12f739aeef9e23a6856f34093545122cd7
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 952178B100D3A5AFD7258F20DC59BAA7F64FF93710F09499EE5C1464C3D2709405CB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(005F0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

6"@, xrefs: 004017F3
Kernel32, xrefs: 004017EE
b"@, xrefs: 0040185C
L"@, xrefs: 0040181D
x"@, xrefs: 004018F2, 00401914
LoadLibraryA, xrefs: 00401815

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 0000001E.00000002.1680037648.0000000000401000.00000040.00000001.01000000.00000021.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.1680010486.0000000000400000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680037648.0000000000422000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 0000001E.00000002.1680079132.0000000000428000.00000020.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_fx2dr.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: mkqnd97.exePID: 5672, Parent PID: 5596COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(00750000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(00750000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 006B00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 006B02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 006B02EF

Memory Dump Source

Source File: 0000001F.00000003.1679997344.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_3_6b0000_mkqnd97.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 76da2ca91381a697dc1456e397aa946cd0e4c7c254f69260bee7e00f19efe3cd
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 35218AF100C395AFE7258F208C59BEB7F76EF92710F09459DE5C146083D270958ACB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(00750000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

b"@, xrefs: 0040185C
x"@, xrefs: 004018F2, 00401914
L"@, xrefs: 0040181D
6"@, xrefs: 004017F3
LoadLibraryA, xrefs: 00401815
Kernel32, xrefs: 004017EE

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 0000001F.00000002.1680626746.0000000000401000.00000040.00000001.01000000.00000022.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.1680606838.0000000000400000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680626746.0000000000422000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000001F.00000002.1680670502.0000000000428000.00000020.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_mkqnd97.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 78d5dr1.exePID: 3552, Parent PID: 5672COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

ct, xrefs: 00427120
kernel32.dll, xrefs: 004270B7, 004270BD

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(004C0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(004C0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 005D00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 005D02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 005D02EF

Memory Dump Source

Source File: 00000020.00000003.1680602002.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_3_5d0000_78d5dr1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: 3e95d192b4190bde29266edd7af91afe18c041bf6e29f39a19d5d60ad7ef89d4
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 0D2178B100D395AFD7358F28CC59BAA7F64FF92710F09499FE5C1465C3D2609445CB62

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(004C0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

Kernel32, xrefs: 004017EE
LoadLibraryA, xrefs: 00401815
b"@, xrefs: 0040185C
x"@, xrefs: 004018F2, 00401914
6"@, xrefs: 004017F3
L"@, xrefs: 0040181D

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

program internal error number is %d. %s, xrefs: 00402362
error, xrefs: 00402377

Memory Dump Source

Source File: 00000020.00000002.1681264914.0000000000401000.00000040.00000001.01000000.00000023.sdmp, Offset: 00400000, based on PE: true

Associated: 00000020.00000002.1681228435.0000000000400000.00000002.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681264914.0000000000422000.00000040.00000001.01000000.00000023.sdmpDownload File
Associated: 00000020.00000002.1681317088.0000000000428000.00000020.00000001.01000000.00000023.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_400000_78d5dr1.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Analysis Process: 2qkewqk.exePID: 2016, Parent PID: 3552COMMON

Executed Functions

Function 004D00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004D02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004D02EF

Memory Dump Source

Source File: 00000021.00000003.1681189448.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_3_4d0000_2qkewqk.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: a3ba6a3a09b1664a8b28c1aa18f6540e51850b2597163994c94760247f3c87f5
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 3A2198B100D394AFD7228F208C69BAB7F64EF92700F0945DFE5C147283D2689802CB6A

Analysis Process: ourh31.exePID: 764, Parent PID: 2016COMMON

Executed Functions

Function 00427035 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00427197

Strings

kernel32.dll, xrefs: 004270B7, 004270BD
ct, xrefs: 00427120

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ct$kernel32.dll
API String ID: 4275171209-363292717
Opcode ID: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction ID: 5c30d73c2fca2f6c49b7b15211564b2df8064affc6cd055fffe84703ef26bd38
Opcode Fuzzy Hash: 7cd72eef9418ffbfbdce1b204cd5f97ceeb5bb5c75a71c2bd2e18250db1bc581
Instruction Fuzzy Hash: 60329C75E04229DFDB64CF68C881BECBBB1AB08304F5480DAE959AB351D734AE84CF14

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 004029B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00402A31
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402A4A
CloseHandle.KERNEL32(?), ref: 00402A5B
CloseHandle.KERNEL32(?), ref: 00402A62

Strings

D, xrefs: 004029AA

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
String ID: D
API String ID: 2246201701-2746444292
Opcode ID: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction ID: ce151ebfa4a0404e6fff030850c4295f4ef425445b641edc27d884052adf5a99
Opcode Fuzzy Hash: 0eb6ceccf450ad97c7ea38916d47cfaf1d64bcdb24f2ffb22fffbb322bca246b
Instruction Fuzzy Hash: D6214C70208340DAC230DF19D98891BFBF8EFC5750F10492EF295A32A0DBB98945CB5B

Function 004023A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00402530), ref: 004023A9
RtlAllocateHeap.NTDLL(005C0000,00000008,?), ref: 004023BD
MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

Strings

error, xrefs: 004023CB

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction ID: 8dbac3b532781244b476b6ad661fdff57502a2dc62314a827bbfa46f88d17b33
Opcode Fuzzy Hash: e5467a064b851471bcec9ece27a26a526c1868191c1bc9ae87c20ce630c529e2
Instruction Fuzzy Hash: C4E092B1B452207BD6259F60BF2DB0B3A5C9B58742B000035F940F22D0D6F89800876D

Function 00402900 Relevance: 6.1, APIs: 4, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000,80000005,?,?,?,?), ref: 00402918
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402957
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 0040296A
CloseHandle.KERNEL32(00000000,?,?,0000026C,?,00000000,80000005,?,?,?,?), ref: 00402985

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction ID: 4ebd909edd7879c092fa7bd0dcb6a11c6e784d962224727359ea08ab9d0a16ae
Opcode Fuzzy Hash: 707287a35f56859e9f4809b173eb999e09ceef2790eac846c312d25942723ce5
Instruction Fuzzy Hash: 5D11C271301301AFD310CF18ED89F6AB7E8FB88715F14092AFA90A72C0D3B4E9098755

Function 00402610 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,004011D9,00000001,?,00000000,80000004), ref: 00402625
GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,004011D9,00000001,?,00000000,80000004,?,?,?,?,004224BA), ref: 0040263C

Part of subcall function 004023A0: GetProcessHeap.KERNEL32(00402530), ref: 004023A9
Part of subcall function 004023A0: RtlAllocateHeap.NTDLL(005C0000,00000008,?), ref: 004023BD
Part of subcall function 004023A0: MessageBoxA.USER32(00000000,00422720,error,00000010), ref: 004023D6

ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,80000004,?,?,?,?,004224BA), ref: 00402668
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,004224BA), ref: 0040266F

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
String ID:
API String ID: 4143106703-0
Opcode ID: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction ID: d5a4fee42a75d7cf7efa7c472d92f2c989261f3f6eda17f5063812b267ea2a4c
Opcode Fuzzy Hash: 789812afbe70d6534e4215d16b67d0813a3177b79c6f4436e57999b9d4c5699a
Instruction Fuzzy Hash: 58F0CD762013007BE3109F64ED89F97B7BCD744B51F10492DF602B61D0E6B4A5048764

Function 004D00F5 Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,C5598A45), ref: 004D02DF
VirtualProtect.KERNELBASE(?,00000001,00000020,?,?,C5598A45), ref: 004D02EF

Memory Dump Source

Source File: 00000022.00000003.1682118193.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_3_4d0000_ourh31.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction ID: a3ba6a3a09b1664a8b28c1aa18f6540e51850b2597163994c94760247f3c87f5
Opcode Fuzzy Hash: 113991d96b1fba3aed2b0f6b8a850206042d6cfb09521488a21e61a7d0f11099
Instruction Fuzzy Hash: 3A2198B100D394AFD7228F208C69BAB7F64EF92700F0945DFE5C147283D2689802CB6A

Function 004023F0 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0040241E
RtlFreeHeap.NTDLL(005C0000,00000000,?), ref: 00402430

Part of subcall function 004022D0: GetModuleHandleA.KERNEL32(00000000), ref: 004022DA

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: FreeHandleHeapHugeModuleRead
String ID:
API String ID: 3105250205-0
Opcode ID: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction ID: 411668351b1de0de4f677489f282557327d6c317a4b2caa0281027751fb1fbca
Opcode Fuzzy Hash: fb50fb8e2e1148085542fa4a9c9d5faad2ab8ff670c15adbf7e3b1213733fbdc
Instruction Fuzzy Hash: 6EE06D30E04221BBDA30AB15AF58A5B369CEB54355B814036F444B32E0D2B89C818B9C

Function 00401489 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00401117,?,?,00401117,004224BA), ref: 0040149A

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction ID: b9c4c04c01e56bddec2c6830c0cb3dd3264e11a3f71cc633c00655352f8af668
Opcode Fuzzy Hash: 6c1ba71d11aa5c0dbc0d963c6646d407519633e3fbea1b70874f49ca3fe0b494
Instruction Fuzzy Hash: C3E04F75C05208EBCB00EFA5D5467ADBB749B05301F0085B6E905372A1D2799A54DB9A

Function 00402300 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00402315

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction ID: 37eb5729f7fee98c32e3d2cb1c3c8c766b2b01c305d742dc5381645a99d74359
Opcode Fuzzy Hash: 7f7df8b87416d557e0e2c7a3966ce1c3b11dbd6ab145854a8437a646bf489de3
Instruction Fuzzy Hash: 63D05E34204308ABDB10EFA8EA0950A37A8F794300BC04034AC0897350E6B8E9118B9D

Non-executed Functions

Function 0040169D Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 211
memorysynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,0040114C,?,00000000,00000000,00000000), ref: 004016D9
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000004), ref: 00401759
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017BF
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0040189A
VirtualFreeEx.KERNEL32(00000000,00000000,?,00008000), ref: 004018D0

Strings

x"@, xrefs: 004018F2, 00401914
L"@, xrefs: 0040181D
6"@, xrefs: 004017F3
LoadLibraryA, xrefs: 00401815
Kernel32, xrefs: 004017EE
b"@, xrefs: 0040185C

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocFreeMemoryObjectOpenSingleWaitWrite
String ID: 6"@$Kernel32$L"@$LoadLibraryA$b"@$x"@
API String ID: 2157985455-1736852442
Opcode ID: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction ID: 67d02ac38e31916859b5ea923e580c0682e1923e4db5d4750020a368161121c5
Opcode Fuzzy Hash: 67ca54bde723397de798f9c8818007ef3932908765ca0b0a042cea351f0e2526
Instruction Fuzzy Hash: A86150B1D00209EBEB10AF91DD87BBEBE34EB06305F10507AF615762D1D77A8650CB9A

Function 00402DD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113
librarywindowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00402DE2
LoadLibraryA.KERNEL32(?), ref: 00402DEF
wsprintfA.USER32 ref: 00402E06
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402E1C

Part of subcall function 00402300: ExitProcess.KERNEL32 ref: 00402315

atoi.MSVCRT ref: 00402E5B
strchr.MSVCRT ref: 00402E93
GetProcAddress.KERNEL32(00000000,00000040), ref: 00402EB1
wsprintfA.USER32 ref: 00402EC9
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00402EDF

Strings

DLL ERROR, xrefs: 00402E15, 00402ED8

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction ID: 39dc6dac89fb2e851e1faf58056b5542f338bb375b57e23f88ab7dd3e69453bc
Opcode Fuzzy Hash: 2e89d58c85272eba7d6b3893e3f4f0796517b6c955670e64b214e4c43ca9de0a
Instruction Fuzzy Hash: 5131E6B26043016BD320DF24ED49B5BBB98AB84315F40443EFB05A32C1D7B9A919C7AD

Function 00402AA0 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00402ABA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00402AE4
TranslateMessage.USER32(?), ref: 00402AEB
DispatchMessageA.USER32(?), ref: 00402AF2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00402B01

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction ID: 3a9811dbbaf29477508af4d72e61ec11f1cbba95cb695f837d5b2ab9c71f43a2
Opcode Fuzzy Hash: 823402bd54babd0f6b35bce6da25d6520a4d976ed5769d319aa34ba7124e347e
Instruction Fuzzy Hash: 98014472240305B6E230DF64AD46F67BB6CEB84B51F540829FB41BA1C4DAB4FA08C76D

Function 00402340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00402368
MessageBoxA.USER32(00000000,?,error,00000010), ref: 0040237F

Strings

error, xrefs: 00402377
program internal error number is %d. %s, xrefs: 00402362

Memory Dump Source

Source File: 00000022.00000002.1683247932.0000000000401000.00000040.00000001.01000000.00000025.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.1683224746.0000000000400000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683247932.0000000000422000.00000040.00000001.01000000.00000025.sdmpDownload File
Associated: 00000022.00000002.1683295641.0000000000428000.00000020.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_ourh31.jbxd

Yara matches

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction ID: 97d45c46b42dd4a39f61a96432b4dd78711591c3999d8e232755f59b76b4fa0d
Opcode Fuzzy Hash: 3f8255c08705e99dd0eeb421259309b511d164f41b7ea4f14f4200db058614f2
Instruction Fuzzy Hash: E0E092756402017BE718ABA4EE4BF6A366CA704705F80082EBA5AD11C1E9F89554866E

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fm9MoDgH7O.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\1wk599.exe

C:\281l59.exe

C:\2qkewqk.exe

C:\36hmq.exe

C:\4uoic.exe

C:\4vd771.exe

C:\559900.exe

C:\5787leo.exe

C:\6r61155.exe

C:\71122as.exe

C:\7788uoi.exe

C:\78d5dr1.exe

C:\7kiolb.exe

C:\83377.exe

C:\88oxxqc.exe

C:\90omsp.exe

C:\93344.exe

C:\bp1975.exe

Windows Analysis Report
Fm9MoDgH7O.exe