Edit tour

Windows Analysis Report
47879282.EXE.exe

Overview

General Information

Sample name:	47879282.EXE.exe
Analysis ID:	1522589
MD5:	bdc14e906213d80c6fcab22665329f9c
SHA1:	afcd74d3ad99ede80adb8574278c344ea6bf9147
SHA256:	5db9bae3849011553274c1149e83d594e9c3cb6adb3480f92ae1239ad26c4171
Tags:	exeuser-adam_zbadam
Infos:

Detection

DarkTortilla, FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected FormBook

AI detected suspicious sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

47879282.EXE.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\47879282.EXE.exe" MD5: BDC14E906213D80C6FCAB22665329F9C)

47879282.EXE.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\47879282.EXE.exe" MD5: BDC14E906213D80C6FCAB22665329F9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f113:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17182:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c010:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1407f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.1969277153.0000000002481000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: 47879282.EXE.exe PID: 5260	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: 47879282.EXE.exe PID: 5260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.47879282.EXE.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
11.2.47879282.EXE.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f113:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17182:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
11.2.47879282.EXE.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
11.2.47879282.EXE.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e313:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16382:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
6.2.47879282.EXE.exe.66d0000.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
6.2.47879282.EXE.exe.66d0000.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 47879282.EXE.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 47879282.EXE.exe

ReversingLabs: Detection: 18%

Yara detected FormBook

Source: Yara match	File source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 47879282.EXE.exe

Joe Sandbox ML: detected

Source: 47879282.EXE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 47879282.EXE.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 47879282.EXE.exe, 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0042C3C3 NtClose,	11_2_0042C3C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_01822DF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_01822C70
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018235C0 NtCreateMutant,LdrInitializeThunk,	11_2_018235C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01824340 NtSetContextThread,	11_2_01824340
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01824650 NtSuspendThread,	11_2_01824650
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822B80 NtQueryInformationFile,	11_2_01822B80
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822BA0 NtEnumerateValueKey,	11_2_01822BA0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822BE0 NtQueryValueKey,	11_2_01822BE0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822BF0 NtAllocateVirtualMemory,	11_2_01822BF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822B60 NtClose,	11_2_01822B60
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822AB0 NtWaitForSingleObject,	11_2_01822AB0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822AD0 NtReadFile,	11_2_01822AD0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822AF0 NtWriteFile,	11_2_01822AF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822DB0 NtEnumerateKey,	11_2_01822DB0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822DD0 NtDelayExecution,	11_2_01822DD0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822D00 NtSetInformationFile,	11_2_01822D00
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822D10 NtMapViewOfSection,	11_2_01822D10
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822D30 NtUnmapViewOfSection,	11_2_01822D30
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822CA0 NtQueryInformationToken,	11_2_01822CA0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822CC0 NtQueryVirtualMemory,	11_2_01822CC0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822CF0 NtOpenProcess,	11_2_01822CF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822C00 NtQueryInformationProcess,	11_2_01822C00
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822C60 NtCreateKey,	11_2_01822C60
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822F90 NtProtectVirtualMemory,	11_2_01822F90
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822FA0 NtQuerySection,	11_2_01822FA0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822FB0 NtResumeThread,	11_2_01822FB0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822FE0 NtCreateFile,	11_2_01822FE0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822F30 NtCreateSection,	11_2_01822F30
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822F60 NtCreateProcessEx,	11_2_01822F60
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822E80 NtReadVirtualMemory,	11_2_01822E80
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822EA0 NtAdjustPrivilegesToken,	11_2_01822EA0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822EE0 NtQueueApcThread,	11_2_01822EE0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822E30 NtWriteVirtualMemory,	11_2_01822E30
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01823090 NtSetValueKey,	11_2_01823090
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01823010 NtOpenDirectoryObject,	11_2_01823010
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018239B0 NtGetContextThread,	11_2_018239B0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01823D10 NtOpenProcessToken,	11_2_01823D10
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01823D70 NtOpenThread,	11_2_01823D70

Source: C:\Users\user\Desktop\47879282.EXE.exe

Code function: 6_2_08A5B508 CreateProcessAsUserW,

6_2_08A5B508

Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_003726A8	6_2_003726A8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_00ACF6B8	6_2_00ACF6B8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_00ACCE34	6_2_00ACCE34
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06A38778	6_2_06A38778
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06A38758	6_2_06A38758
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06FD7538	6_2_06FD7538
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06FDFC88	6_2_06FDFC88
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06FDFC78	6_2_06FDFC78
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06FD3018	6_2_06FD3018
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06FD3008	6_2_06FD3008
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_07483348	6_2_07483348
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748F3E8	6_2_0748F3E8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748DB80	6_2_0748DB80
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748B650	6_2_0748B650
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748C6E8	6_2_0748C6E8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748D2F8	6_2_0748D2F8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_07487A98	6_2_07487A98
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748E548	6_2_0748E548
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748F369	6_2_0748F369
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748DB72	6_2_0748DB72
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748F3C0	6_2_0748F3C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748F383	6_2_0748F383
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_07482248	6_2_07482248
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748B64A	6_2_0748B64A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_07482238	6_2_07482238
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748C6DA	6_2_0748C6DA
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_074832E6	6_2_074832E6
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748D2F2	6_2_0748D2F2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_0748E542	6_2_0748E542
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A5A408	6_2_08A5A408
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A511E0	6_2_08A511E0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A54510	6_2_08A54510
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A5C158	6_2_08A5C158
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A5F668	6_2_08A5F668
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A5BE50	6_2_08A5BE50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A5B770	6_2_08A5B770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A56778	6_2_08A56778
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A504E0	6_2_08A504E0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A504D0	6_2_08A504D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A51028	6_2_08A51028
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A51038	6_2_08A51038
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A58468	6_2_08A58468
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A50DB1	6_2_08A50DB1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A51D90	6_2_08A51D90
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A50DC0	6_2_08A50DC0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A59DC8	6_2_08A59DC8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A511D0	6_2_08A511D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A55528	6_2_08A55528
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A54501	6_2_08A54501
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A51D7D	6_2_08A51D7D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A59660	6_2_08A59660
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A50B88	6_2_08A50B88
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A507E0	6_2_08A507E0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A5C7F0	6_2_08A5C7F0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A507D0	6_2_08A507D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A56768	6_2_08A56768
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_08A50B7A	6_2_08A50B7A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06FD750D	6_2_06FD750D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0042EA03	11_2_0042EA03
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00402A0D	11_2_00402A0D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00402A10	11_2_00402A10
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0040FB4A	11_2_0040FB4A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0040FB53	11_2_0040FB53
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_004164F3	11_2_004164F3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0040FD73	11_2_0040FD73
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0040DDF3	11_2_0040DDF3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00402E60	11_2_00402E60
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0040DFCB	11_2_0040DFCB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B01AA	11_2_018B01AA
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A41A2	11_2_018A41A2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A81CC	11_2_018A81CC
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E0100	11_2_017E0100
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188A118	11_2_0188A118
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01878158	11_2_01878158
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01882000	11_2_01882000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B03E6	11_2_018B03E6
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FE3F0	11_2_017FE3F0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AA352	11_2_018AA352
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018702C0	11_2_018702C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B0591	11_2_018B0591
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0535	11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189E4F6	11_2_0189E4F6
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01894420	11_2_01894420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A2446	11_2_018A2446
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EC7C0	11_2_017EC7C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01814750	11_2_01814750
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180C6E0	11_2_0180C6E0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018BA9A6	11_2_018BA9A6
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01806962	11_2_01806962
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F2840	11_2_017F2840
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FA840	11_2_017FA840
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E8F0	11_2_0181E8F0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D68B8	11_2_017D68B8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A6BD7	11_2_018A6BD7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AAB40	11_2_018AAB40
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EEA80	11_2_017EEA80
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01808DBF	11_2_01808DBF
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FAD00	11_2_017FAD00
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188CD1F	11_2_0188CD1F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EADE0	11_2_017EADE0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890CB5	11_2_01890CB5
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0C00	11_2_017F0C00
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E0CF2	11_2_017E0CF2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186EFA0	11_2_0186EFA0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FCFE0	11_2_017FCFE0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01832F28	11_2_01832F28
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01810F30	11_2_01810F30
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E2FC8	11_2_017E2FC8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01892F30	11_2_01892F30
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01864F40	11_2_01864F40
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01802E90	11_2_01802E90
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018ACE93	11_2_018ACE93
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0E59	11_2_017F0E59
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AEEDB	11_2_018AEEDB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AEE26	11_2_018AEE26
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DF172	11_2_017DF172
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FB1B0	11_2_017FB1B0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018BB16B	11_2_018BB16B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0182516C	11_2_0182516C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189F0CC	11_2_0189F0CC
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A70E9	11_2_018A70E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AF0E0	11_2_018AF0E0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F70C0	11_2_017F70C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0183739A	11_2_0183739A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DD34C	11_2_017DD34C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A132D	11_2_018A132D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180B2C0	11_2_0180B2C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018912ED	11_2_018912ED
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F52A0	11_2_017F52A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188D5B0	11_2_0188D5B0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B95C3	11_2_018B95C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A7571	11_2_018A7571
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E1460	11_2_017E1460
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AF43F	11_2_018AF43F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AF7B0	11_2_018AF7B0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A16CC	11_2_018A16CC
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01835630	11_2_01835630
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F9950	11_2_017F9950
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01885910	11_2_01885910
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180B950	11_2_0180B950
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185D800	11_2_0185D800
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F38E0	11_2_017F38E0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180FB80	11_2_0180FB80
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01865BF0	11_2_01865BF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0182DBF9	11_2_0182DBF9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AFB76	11_2_018AFB76
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01835AA0	11_2_01835AA0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188DAAC	11_2_0188DAAC
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01891AA3	11_2_01891AA3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189DAC6	11_2_0189DAC6
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AFA49	11_2_018AFA49
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A7A46	11_2_018A7A46
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01863A6C	11_2_01863A6C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F3D40	11_2_017F3D40
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180FDC0	11_2_0180FDC0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A1D5A	11_2_018A1D5A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A7D73	11_2_018A7D73
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AFCF2	11_2_018AFCF2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01869C32	11_2_01869C32
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AFFB1	11_2_018AFFB1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AFF09	11_2_018AFF09
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017B3FD2	11_2_017B3FD2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017B3FD5	11_2_017B3FD5
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F1F92	11_2_017F1F92
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F9EB0	11_2_017F9EB0

Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: String function: 01837E54 appears 111 times
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: String function: 01825130 appears 58 times
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: String function: 0185EA12 appears 86 times
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: String function: 0186F290 appears 105 times
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: String function: 017DB970 appears 277 times

Source: 47879282.EXE.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 47879282.EXE.exe, 00000006.00000000.1274404238.000000000026A000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilename4787928266362882.exeP vs 47879282.EXE.exe
Source: 47879282.EXE.exe, 00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTokenTableApp.dll> vs 47879282.EXE.exe
Source: 47879282.EXE.exe, 00000006.00000002.1968825704.000000000088E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 47879282.EXE.exe
Source: 47879282.EXE.exe, 00000006.00000002.1977997974.0000000007860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll6 vs 47879282.EXE.exe
Source: 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000018DD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 47879282.EXE.exe
Source: 47879282.EXE.exe	Binary or memory string: OriginalFilename4787928266362882.exeP vs 47879282.EXE.exe

Source: 47879282.EXE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\47879282.EXE.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\47879282.EXE.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

Mutant created: NULL

Source: 47879282.EXE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 47879282.EXE.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\47879282.EXE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 47879282.EXE.exe, 00000006.00000000.1274077759.000000000025C000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: SELECT * FROM Tasks WHERE DueDate = @Today OR RepeatedDays LIKE '%' + CAST(@TodayDay AS NVARCHAR) + '%' ORDER BY CASE WHEN ReminderDateTime IS NULL THEN 1 ELSE 0 END, ReminderDateTime, IsImportant DESC;
Source: 47879282.EXE.exe, 00000006.00000000.1274077759.000000000025C000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: Select TaskID, Task FROM Tasks WHERE DueDate = @Today Or RepeatedDays Like '%' + CAST(@TodayDay AS NVARCHAR) + '%';
Source: 47879282.EXE.exe, 00000006.00000000.1274077759.000000000025C000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: SELECT * FROM Tasks WHERE (DueDate = @Today OR RepeatedDays LIKE '%' + CAST(@TodayDay AS NVARCHAR) + '%') AND IsDone = 0 ORDER BY CASE WHEN ReminderDateTime IS NULL THEN 1 ELSE 0 END, ReminderDateTime, IsImportant DESC;
Source: 47879282.EXE.exe, 00000006.00000000.1274077759.000000000025C000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: SELECT * FROM Tasks WHERE DueDate = @Today OR RepeatedDays LIKE '%' + CAST(@TodayDay AS NVARCHAR) + '%' ORDER BY IsDone ASC, CASE WHEN ReminderDateTime IS NULL THEN 1 ELSE 0 END, ReminderDateTime, IsImportant DESC;

Source: 47879282.EXE.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\47879282.EXE.exe "C:\Users\user\Desktop\47879282.EXE.exe"
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process created: C:\Users\user\Desktop\47879282.EXE.exe "C:\Users\user\Desktop\47879282.EXE.exe"
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process created: C:\Users\user\Desktop\47879282.EXE.exe "C:\Users\user\Desktop\47879282.EXE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 47879282.EXE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 47879282.EXE.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 47879282.EXE.exe

Static file information: File size 1278976 > 1048576

Source: 47879282.EXE.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x137a00

Source: 47879282.EXE.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 47879282.EXE.exe, 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 6.2.47879282.EXE.exe.66d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.47879282.EXE.exe.66d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1969277153.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 47879282.EXE.exe PID: 5260, type: MEMORYSTR

Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_00AC4519 push edx; retf 0000h	6_2_00AC451A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_00AC7D38 push 8C00CAFEh; retf	6_2_00AC7D3D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06A325C9 push esp; retf	6_2_06A325CA
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06FDEAA0 pushad ; ret	6_2_06FDEAB3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06FD0DD7 push ecx; retf EFCDh	6_2_06FD0F42
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_06FDD181 push ecx; retf 0046h	6_2_06FDD1A2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_074869FB push edi; ret	6_2_07486BF6
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_07486C04 push eax; ret	6_2_07486C35
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 6_2_074890CD push ds; retf 0040h	6_2_0748911E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00402072 push ecx; retf	11_2_0040207D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00403100 push eax; ret	11_2_00403102
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_004049CC pushfd ; retf	11_2_004049D4
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00404A79 push eax; iretd	11_2_00404A85
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0041F2F7 push ebx; iretd	11_2_0041F2FC
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00426AB3 push ebp; ret	11_2_00426B3B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0041A4BA push ebx; retf	11_2_0041A4BB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0041A509 push ebp; iretd	11_2_0041A50A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0040DDEE push 00000015h; iretd	11_2_0040DDF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00414701 push ebp; ret	11_2_00414707
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00401F2C push ecx; retf	11_2_00401FAE
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00406FCF push esp; retf	11_2_00406FFE
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00406FEA push esp; retf	11_2_00406FFE
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00401FF0 push ecx; retf	11_2_00401FF3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_00413798 push AA78ECC2h; ret	11_2_0041379D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017B225F pushad ; ret	11_2_017B27F9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017B27FA pushad ; ret	11_2_017B27F9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E09AD push ecx; mov dword ptr [esp], ecx	11_2_017E09B6
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017B283D push eax; iretd	11_2_017B2858

Source: 47879282.EXE.exe, z8.cs

High entropy of concatenated method names: 'x6Q8Nd', 'MoveNext', 'Yp0s4A', 'SetStateMachine', 'w5WZm2', 'd7', 'Ro', 'z8', 'x4', 'g2'

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\47879282.EXE.exe

File opened: C:\Users\user\Desktop\47879282.EXE.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 47879282.EXE.exe PID: 5260, type: MEMORYSTR

Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: 2480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: 4480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: 7880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: 8880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: 8A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: 9A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: 9E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: AE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Memory allocated: BE00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

Code function: 11_2_0182096E rdtsc

11_2_0182096E

Source: C:\Users\user\Desktop\47879282.EXE.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe	Window / User API: threadDelayed 8306			Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Window / User API: threadDelayed 1552			Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

API coverage: 0.6 %

Source: C:\Users\user\Desktop\47879282.EXE.exe TID: 7180	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe TID: 7180	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe TID: 7540	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: 47879282.EXE.exe, 00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: 47879282.EXE.exe, 00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth

Source: C:\Users\user\Desktop\47879282.EXE.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

Code function: 11_2_0182096E rdtsc

11_2_0182096E

Source: C:\Users\user\Desktop\47879282.EXE.exe

Code function: 11_2_004174A3 LdrLoadDll,

11_2_004174A3

Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189C188 mov eax, dword ptr fs:[00000030h]	11_2_0189C188
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189C188 mov eax, dword ptr fs:[00000030h]	11_2_0189C188
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01820185 mov eax, dword ptr fs:[00000030h]	11_2_01820185
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01884180 mov eax, dword ptr fs:[00000030h]	11_2_01884180
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01884180 mov eax, dword ptr fs:[00000030h]	11_2_01884180
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186019F mov eax, dword ptr fs:[00000030h]	11_2_0186019F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186019F mov eax, dword ptr fs:[00000030h]	11_2_0186019F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186019F mov eax, dword ptr fs:[00000030h]	11_2_0186019F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186019F mov eax, dword ptr fs:[00000030h]	11_2_0186019F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6154 mov eax, dword ptr fs:[00000030h]	11_2_017E6154
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6154 mov eax, dword ptr fs:[00000030h]	11_2_017E6154
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DC156 mov eax, dword ptr fs:[00000030h]	11_2_017DC156
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A61C3 mov eax, dword ptr fs:[00000030h]	11_2_018A61C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A61C3 mov eax, dword ptr fs:[00000030h]	11_2_018A61C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E1D0 mov eax, dword ptr fs:[00000030h]	11_2_0185E1D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E1D0 mov eax, dword ptr fs:[00000030h]	11_2_0185E1D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E1D0 mov ecx, dword ptr fs:[00000030h]	11_2_0185E1D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E1D0 mov eax, dword ptr fs:[00000030h]	11_2_0185E1D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E1D0 mov eax, dword ptr fs:[00000030h]	11_2_0185E1D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B61E5 mov eax, dword ptr fs:[00000030h]	11_2_018B61E5
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018101F8 mov eax, dword ptr fs:[00000030h]	11_2_018101F8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov eax, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov ecx, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov eax, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov eax, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov ecx, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov eax, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov eax, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov ecx, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov eax, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E10E mov ecx, dword ptr fs:[00000030h]	11_2_0188E10E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188A118 mov ecx, dword ptr fs:[00000030h]	11_2_0188A118
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188A118 mov eax, dword ptr fs:[00000030h]	11_2_0188A118
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188A118 mov eax, dword ptr fs:[00000030h]	11_2_0188A118
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188A118 mov eax, dword ptr fs:[00000030h]	11_2_0188A118
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A0115 mov eax, dword ptr fs:[00000030h]	11_2_018A0115
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01810124 mov eax, dword ptr fs:[00000030h]	11_2_01810124
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01874144 mov eax, dword ptr fs:[00000030h]	11_2_01874144
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01874144 mov eax, dword ptr fs:[00000030h]	11_2_01874144
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01874144 mov ecx, dword ptr fs:[00000030h]	11_2_01874144
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01874144 mov eax, dword ptr fs:[00000030h]	11_2_01874144
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01874144 mov eax, dword ptr fs:[00000030h]	11_2_01874144
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01878158 mov eax, dword ptr fs:[00000030h]	11_2_01878158
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DA197 mov eax, dword ptr fs:[00000030h]	11_2_017DA197
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DA197 mov eax, dword ptr fs:[00000030h]	11_2_017DA197
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DA197 mov eax, dword ptr fs:[00000030h]	11_2_017DA197
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4164 mov eax, dword ptr fs:[00000030h]	11_2_018B4164
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4164 mov eax, dword ptr fs:[00000030h]	11_2_018B4164
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E2050 mov eax, dword ptr fs:[00000030h]	11_2_017E2050
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018780A8 mov eax, dword ptr fs:[00000030h]	11_2_018780A8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A60B8 mov eax, dword ptr fs:[00000030h]	11_2_018A60B8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A60B8 mov ecx, dword ptr fs:[00000030h]	11_2_018A60B8
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018620DE mov eax, dword ptr fs:[00000030h]	11_2_018620DE
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DA020 mov eax, dword ptr fs:[00000030h]	11_2_017DA020
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DC020 mov eax, dword ptr fs:[00000030h]	11_2_017DC020
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018660E0 mov eax, dword ptr fs:[00000030h]	11_2_018660E0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FE016 mov eax, dword ptr fs:[00000030h]	11_2_017FE016
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FE016 mov eax, dword ptr fs:[00000030h]	11_2_017FE016
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FE016 mov eax, dword ptr fs:[00000030h]	11_2_017FE016
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FE016 mov eax, dword ptr fs:[00000030h]	11_2_017FE016
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018220F0 mov ecx, dword ptr fs:[00000030h]	11_2_018220F0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01864000 mov ecx, dword ptr fs:[00000030h]	11_2_01864000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01882000 mov eax, dword ptr fs:[00000030h]	11_2_01882000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01882000 mov eax, dword ptr fs:[00000030h]	11_2_01882000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01882000 mov eax, dword ptr fs:[00000030h]	11_2_01882000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01882000 mov eax, dword ptr fs:[00000030h]	11_2_01882000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01882000 mov eax, dword ptr fs:[00000030h]	11_2_01882000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01882000 mov eax, dword ptr fs:[00000030h]	11_2_01882000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01882000 mov eax, dword ptr fs:[00000030h]	11_2_01882000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01882000 mov eax, dword ptr fs:[00000030h]	11_2_01882000
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DC0F0 mov eax, dword ptr fs:[00000030h]	11_2_017DC0F0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E80E9 mov eax, dword ptr fs:[00000030h]	11_2_017E80E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DA0E3 mov ecx, dword ptr fs:[00000030h]	11_2_017DA0E3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01876030 mov eax, dword ptr fs:[00000030h]	11_2_01876030
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01866050 mov eax, dword ptr fs:[00000030h]	11_2_01866050
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D80A0 mov eax, dword ptr fs:[00000030h]	11_2_017D80A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180C073 mov eax, dword ptr fs:[00000030h]	11_2_0180C073
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E208A mov eax, dword ptr fs:[00000030h]	11_2_017E208A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180438F mov eax, dword ptr fs:[00000030h]	11_2_0180438F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180438F mov eax, dword ptr fs:[00000030h]	11_2_0180438F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189C3CD mov eax, dword ptr fs:[00000030h]	11_2_0189C3CD
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018663C0 mov eax, dword ptr fs:[00000030h]	11_2_018663C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E3DB mov eax, dword ptr fs:[00000030h]	11_2_0188E3DB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E3DB mov eax, dword ptr fs:[00000030h]	11_2_0188E3DB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E3DB mov ecx, dword ptr fs:[00000030h]	11_2_0188E3DB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188E3DB mov eax, dword ptr fs:[00000030h]	11_2_0188E3DB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018843D4 mov eax, dword ptr fs:[00000030h]	11_2_018843D4
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018843D4 mov eax, dword ptr fs:[00000030h]	11_2_018843D4
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DC310 mov ecx, dword ptr fs:[00000030h]	11_2_017DC310
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018163FF mov eax, dword ptr fs:[00000030h]	11_2_018163FF
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A30B mov eax, dword ptr fs:[00000030h]	11_2_0181A30B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A30B mov eax, dword ptr fs:[00000030h]	11_2_0181A30B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A30B mov eax, dword ptr fs:[00000030h]	11_2_0181A30B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FE3F0 mov eax, dword ptr fs:[00000030h]	11_2_017FE3F0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FE3F0 mov eax, dword ptr fs:[00000030h]	11_2_017FE3F0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FE3F0 mov eax, dword ptr fs:[00000030h]	11_2_017FE3F0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01800310 mov ecx, dword ptr fs:[00000030h]	11_2_01800310
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F03E9 mov eax, dword ptr fs:[00000030h]	11_2_017F03E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F03E9 mov eax, dword ptr fs:[00000030h]	11_2_017F03E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F03E9 mov eax, dword ptr fs:[00000030h]	11_2_017F03E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F03E9 mov eax, dword ptr fs:[00000030h]	11_2_017F03E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F03E9 mov eax, dword ptr fs:[00000030h]	11_2_017F03E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F03E9 mov eax, dword ptr fs:[00000030h]	11_2_017F03E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F03E9 mov eax, dword ptr fs:[00000030h]	11_2_017F03E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F03E9 mov eax, dword ptr fs:[00000030h]	11_2_017F03E9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B8324 mov eax, dword ptr fs:[00000030h]	11_2_018B8324
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B8324 mov ecx, dword ptr fs:[00000030h]	11_2_018B8324
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B8324 mov eax, dword ptr fs:[00000030h]	11_2_018B8324
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B8324 mov eax, dword ptr fs:[00000030h]	11_2_018B8324
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA3C0 mov eax, dword ptr fs:[00000030h]	11_2_017EA3C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA3C0 mov eax, dword ptr fs:[00000030h]	11_2_017EA3C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA3C0 mov eax, dword ptr fs:[00000030h]	11_2_017EA3C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA3C0 mov eax, dword ptr fs:[00000030h]	11_2_017EA3C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA3C0 mov eax, dword ptr fs:[00000030h]	11_2_017EA3C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA3C0 mov eax, dword ptr fs:[00000030h]	11_2_017EA3C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E83C0 mov eax, dword ptr fs:[00000030h]	11_2_017E83C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E83C0 mov eax, dword ptr fs:[00000030h]	11_2_017E83C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E83C0 mov eax, dword ptr fs:[00000030h]	11_2_017E83C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E83C0 mov eax, dword ptr fs:[00000030h]	11_2_017E83C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B634F mov eax, dword ptr fs:[00000030h]	11_2_018B634F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01862349 mov eax, dword ptr fs:[00000030h]	11_2_01862349
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AA352 mov eax, dword ptr fs:[00000030h]	11_2_018AA352
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01888350 mov ecx, dword ptr fs:[00000030h]	11_2_01888350
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186035C mov eax, dword ptr fs:[00000030h]	11_2_0186035C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186035C mov eax, dword ptr fs:[00000030h]	11_2_0186035C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186035C mov eax, dword ptr fs:[00000030h]	11_2_0186035C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186035C mov ecx, dword ptr fs:[00000030h]	11_2_0186035C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186035C mov eax, dword ptr fs:[00000030h]	11_2_0186035C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186035C mov eax, dword ptr fs:[00000030h]	11_2_0186035C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D8397 mov eax, dword ptr fs:[00000030h]	11_2_017D8397
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D8397 mov eax, dword ptr fs:[00000030h]	11_2_017D8397
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D8397 mov eax, dword ptr fs:[00000030h]	11_2_017D8397
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188437C mov eax, dword ptr fs:[00000030h]	11_2_0188437C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DE388 mov eax, dword ptr fs:[00000030h]	11_2_017DE388
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DE388 mov eax, dword ptr fs:[00000030h]	11_2_017DE388
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DE388 mov eax, dword ptr fs:[00000030h]	11_2_017DE388
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01860283 mov eax, dword ptr fs:[00000030h]	11_2_01860283
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01860283 mov eax, dword ptr fs:[00000030h]	11_2_01860283
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01860283 mov eax, dword ptr fs:[00000030h]	11_2_01860283
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E284 mov eax, dword ptr fs:[00000030h]	11_2_0181E284
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E284 mov eax, dword ptr fs:[00000030h]	11_2_0181E284
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D826B mov eax, dword ptr fs:[00000030h]	11_2_017D826B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E4260 mov eax, dword ptr fs:[00000030h]	11_2_017E4260
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E4260 mov eax, dword ptr fs:[00000030h]	11_2_017E4260
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E4260 mov eax, dword ptr fs:[00000030h]	11_2_017E4260
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h]	11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018762A0 mov ecx, dword ptr fs:[00000030h]	11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h]	11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h]	11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h]	11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h]	11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6259 mov eax, dword ptr fs:[00000030h]	11_2_017E6259
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DA250 mov eax, dword ptr fs:[00000030h]	11_2_017DA250
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D823B mov eax, dword ptr fs:[00000030h]	11_2_017D823B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B62D6 mov eax, dword ptr fs:[00000030h]	11_2_018B62D6
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F02E1 mov eax, dword ptr fs:[00000030h]	11_2_017F02E1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F02E1 mov eax, dword ptr fs:[00000030h]	11_2_017F02E1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F02E1 mov eax, dword ptr fs:[00000030h]	11_2_017F02E1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h]	11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h]	11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h]	11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h]	11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h]	11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01868243 mov eax, dword ptr fs:[00000030h]	11_2_01868243
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01868243 mov ecx, dword ptr fs:[00000030h]	11_2_01868243
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B625D mov eax, dword ptr fs:[00000030h]	11_2_018B625D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189A250 mov eax, dword ptr fs:[00000030h]	11_2_0189A250
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189A250 mov eax, dword ptr fs:[00000030h]	11_2_0189A250
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F02A0 mov eax, dword ptr fs:[00000030h]	11_2_017F02A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F02A0 mov eax, dword ptr fs:[00000030h]	11_2_017F02A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h]	11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01814588 mov eax, dword ptr fs:[00000030h]	11_2_01814588
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E59C mov eax, dword ptr fs:[00000030h]	11_2_0181E59C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018605A7 mov eax, dword ptr fs:[00000030h]	11_2_018605A7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018605A7 mov eax, dword ptr fs:[00000030h]	11_2_018605A7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018605A7 mov eax, dword ptr fs:[00000030h]	11_2_018605A7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E8550 mov eax, dword ptr fs:[00000030h]	11_2_017E8550
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E8550 mov eax, dword ptr fs:[00000030h]	11_2_017E8550
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018045B1 mov eax, dword ptr fs:[00000030h]	11_2_018045B1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018045B1 mov eax, dword ptr fs:[00000030h]	11_2_018045B1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h]	11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h]	11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h]	11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h]	11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h]	11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h]	11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E5CF mov eax, dword ptr fs:[00000030h]	11_2_0181E5CF
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E5CF mov eax, dword ptr fs:[00000030h]	11_2_0181E5CF
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A5D0 mov eax, dword ptr fs:[00000030h]	11_2_0181A5D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A5D0 mov eax, dword ptr fs:[00000030h]	11_2_0181A5D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181C5ED mov eax, dword ptr fs:[00000030h]	11_2_0181C5ED
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181C5ED mov eax, dword ptr fs:[00000030h]	11_2_0181C5ED
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01876500 mov eax, dword ptr fs:[00000030h]	11_2_01876500
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h]	11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h]	11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h]	11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h]	11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h]	11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h]	11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h]	11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E25E0 mov eax, dword ptr fs:[00000030h]	11_2_017E25E0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E65D0 mov eax, dword ptr fs:[00000030h]	11_2_017E65D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h]	11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h]	11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h]	11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h]	11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h]	11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181656A mov eax, dword ptr fs:[00000030h]	11_2_0181656A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181656A mov eax, dword ptr fs:[00000030h]	11_2_0181656A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181656A mov eax, dword ptr fs:[00000030h]	11_2_0181656A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E2582 mov eax, dword ptr fs:[00000030h]	11_2_017E2582
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E2582 mov ecx, dword ptr fs:[00000030h]	11_2_017E2582
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189A49A mov eax, dword ptr fs:[00000030h]	11_2_0189A49A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D645D mov eax, dword ptr fs:[00000030h]	11_2_017D645D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018144B0 mov ecx, dword ptr fs:[00000030h]	11_2_018144B0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186A4B0 mov eax, dword ptr fs:[00000030h]	11_2_0186A4B0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DC427 mov eax, dword ptr fs:[00000030h]	11_2_017DC427
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DE420 mov eax, dword ptr fs:[00000030h]	11_2_017DE420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DE420 mov eax, dword ptr fs:[00000030h]	11_2_017DE420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DE420 mov eax, dword ptr fs:[00000030h]	11_2_017DE420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01818402 mov eax, dword ptr fs:[00000030h]	11_2_01818402
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01818402 mov eax, dword ptr fs:[00000030h]	11_2_01818402
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01818402 mov eax, dword ptr fs:[00000030h]	11_2_01818402
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E04E5 mov ecx, dword ptr fs:[00000030h]	11_2_017E04E5
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h]	11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h]	11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h]	11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h]	11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h]	11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h]	11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h]	11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A430 mov eax, dword ptr fs:[00000030h]	11_2_0181A430
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h]	11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h]	11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h]	11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h]	11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h]	11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h]	11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h]	11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h]	11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E64AB mov eax, dword ptr fs:[00000030h]	11_2_017E64AB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180245A mov eax, dword ptr fs:[00000030h]	11_2_0180245A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0189A456 mov eax, dword ptr fs:[00000030h]	11_2_0189A456
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186C460 mov ecx, dword ptr fs:[00000030h]	11_2_0186C460
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180A470 mov eax, dword ptr fs:[00000030h]	11_2_0180A470
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180A470 mov eax, dword ptr fs:[00000030h]	11_2_0180A470
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180A470 mov eax, dword ptr fs:[00000030h]	11_2_0180A470
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188678E mov eax, dword ptr fs:[00000030h]	11_2_0188678E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E8770 mov eax, dword ptr fs:[00000030h]	11_2_017E8770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h]	11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018947A0 mov eax, dword ptr fs:[00000030h]	11_2_018947A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E0750 mov eax, dword ptr fs:[00000030h]	11_2_017E0750
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018607C3 mov eax, dword ptr fs:[00000030h]	11_2_018607C3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186E7E1 mov eax, dword ptr fs:[00000030h]	11_2_0186E7E1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018027ED mov eax, dword ptr fs:[00000030h]	11_2_018027ED
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018027ED mov eax, dword ptr fs:[00000030h]	11_2_018027ED
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018027ED mov eax, dword ptr fs:[00000030h]	11_2_018027ED
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E0710 mov eax, dword ptr fs:[00000030h]	11_2_017E0710
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181C700 mov eax, dword ptr fs:[00000030h]	11_2_0181C700
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E47FB mov eax, dword ptr fs:[00000030h]	11_2_017E47FB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E47FB mov eax, dword ptr fs:[00000030h]	11_2_017E47FB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01810710 mov eax, dword ptr fs:[00000030h]	11_2_01810710
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181C720 mov eax, dword ptr fs:[00000030h]	11_2_0181C720
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181C720 mov eax, dword ptr fs:[00000030h]	11_2_0181C720
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185C730 mov eax, dword ptr fs:[00000030h]	11_2_0185C730
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181273C mov eax, dword ptr fs:[00000030h]	11_2_0181273C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181273C mov ecx, dword ptr fs:[00000030h]	11_2_0181273C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181273C mov eax, dword ptr fs:[00000030h]	11_2_0181273C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EC7C0 mov eax, dword ptr fs:[00000030h]	11_2_017EC7C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181674D mov esi, dword ptr fs:[00000030h]	11_2_0181674D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181674D mov eax, dword ptr fs:[00000030h]	11_2_0181674D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181674D mov eax, dword ptr fs:[00000030h]	11_2_0181674D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E07AF mov eax, dword ptr fs:[00000030h]	11_2_017E07AF
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822750 mov eax, dword ptr fs:[00000030h]	11_2_01822750
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822750 mov eax, dword ptr fs:[00000030h]	11_2_01822750
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01864755 mov eax, dword ptr fs:[00000030h]	11_2_01864755
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186E75D mov eax, dword ptr fs:[00000030h]	11_2_0186E75D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181C6A6 mov eax, dword ptr fs:[00000030h]	11_2_0181C6A6
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018166B0 mov eax, dword ptr fs:[00000030h]	11_2_018166B0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FC640 mov eax, dword ptr fs:[00000030h]	11_2_017FC640
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A6C7 mov ebx, dword ptr fs:[00000030h]	11_2_0181A6C7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A6C7 mov eax, dword ptr fs:[00000030h]	11_2_0181A6C7
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E262C mov eax, dword ptr fs:[00000030h]	11_2_017E262C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017FE627 mov eax, dword ptr fs:[00000030h]	11_2_017FE627
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h]	11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h]	11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h]	11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h]	11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h]	11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h]	11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h]	11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E6F2 mov eax, dword ptr fs:[00000030h]	11_2_0185E6F2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E6F2 mov eax, dword ptr fs:[00000030h]	11_2_0185E6F2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E6F2 mov eax, dword ptr fs:[00000030h]	11_2_0185E6F2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E6F2 mov eax, dword ptr fs:[00000030h]	11_2_0185E6F2
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018606F1 mov eax, dword ptr fs:[00000030h]	11_2_018606F1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018606F1 mov eax, dword ptr fs:[00000030h]	11_2_018606F1
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E609 mov eax, dword ptr fs:[00000030h]	11_2_0185E609
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01822619 mov eax, dword ptr fs:[00000030h]	11_2_01822619
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01816620 mov eax, dword ptr fs:[00000030h]	11_2_01816620
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01818620 mov eax, dword ptr fs:[00000030h]	11_2_01818620
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A660 mov eax, dword ptr fs:[00000030h]	11_2_0181A660
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A660 mov eax, dword ptr fs:[00000030h]	11_2_0181A660
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A866E mov eax, dword ptr fs:[00000030h]	11_2_018A866E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A866E mov eax, dword ptr fs:[00000030h]	11_2_018A866E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E4690 mov eax, dword ptr fs:[00000030h]	11_2_017E4690
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E4690 mov eax, dword ptr fs:[00000030h]	11_2_017E4690
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01812674 mov eax, dword ptr fs:[00000030h]	11_2_01812674
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018689B3 mov esi, dword ptr fs:[00000030h]	11_2_018689B3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018689B3 mov eax, dword ptr fs:[00000030h]	11_2_018689B3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018689B3 mov eax, dword ptr fs:[00000030h]	11_2_018689B3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018769C0 mov eax, dword ptr fs:[00000030h]	11_2_018769C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018149D0 mov eax, dword ptr fs:[00000030h]	11_2_018149D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AA9D3 mov eax, dword ptr fs:[00000030h]	11_2_018AA9D3
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D8918 mov eax, dword ptr fs:[00000030h]	11_2_017D8918
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D8918 mov eax, dword ptr fs:[00000030h]	11_2_017D8918
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186E9E0 mov eax, dword ptr fs:[00000030h]	11_2_0186E9E0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018129F9 mov eax, dword ptr fs:[00000030h]	11_2_018129F9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018129F9 mov eax, dword ptr fs:[00000030h]	11_2_018129F9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E908 mov eax, dword ptr fs:[00000030h]	11_2_0185E908
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185E908 mov eax, dword ptr fs:[00000030h]	11_2_0185E908
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186C912 mov eax, dword ptr fs:[00000030h]	11_2_0186C912
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186892A mov eax, dword ptr fs:[00000030h]	11_2_0186892A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0187892B mov eax, dword ptr fs:[00000030h]	11_2_0187892B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h]	11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h]	11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h]	11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h]	11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h]	11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h]	11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01860946 mov eax, dword ptr fs:[00000030h]	11_2_01860946
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4940 mov eax, dword ptr fs:[00000030h]	11_2_018B4940
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E09AD mov eax, dword ptr fs:[00000030h]	11_2_017E09AD
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E09AD mov eax, dword ptr fs:[00000030h]	11_2_017E09AD
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F29A0 mov eax, dword ptr fs:[00000030h]	11_2_017F29A0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01806962 mov eax, dword ptr fs:[00000030h]	11_2_01806962
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01806962 mov eax, dword ptr fs:[00000030h]	11_2_01806962
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01806962 mov eax, dword ptr fs:[00000030h]	11_2_01806962
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0182096E mov eax, dword ptr fs:[00000030h]	11_2_0182096E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0182096E mov edx, dword ptr fs:[00000030h]	11_2_0182096E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0182096E mov eax, dword ptr fs:[00000030h]	11_2_0182096E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01884978 mov eax, dword ptr fs:[00000030h]	11_2_01884978
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01884978 mov eax, dword ptr fs:[00000030h]	11_2_01884978
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186C97C mov eax, dword ptr fs:[00000030h]	11_2_0186C97C
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186C89D mov eax, dword ptr fs:[00000030h]	11_2_0186C89D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E4859 mov eax, dword ptr fs:[00000030h]	11_2_017E4859
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E4859 mov eax, dword ptr fs:[00000030h]	11_2_017E4859
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F2840 mov ecx, dword ptr fs:[00000030h]	11_2_017F2840
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180E8C0 mov eax, dword ptr fs:[00000030h]	11_2_0180E8C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B08C0 mov eax, dword ptr fs:[00000030h]	11_2_018B08C0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AA8E4 mov eax, dword ptr fs:[00000030h]	11_2_018AA8E4
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181C8F9 mov eax, dword ptr fs:[00000030h]	11_2_0181C8F9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181C8F9 mov eax, dword ptr fs:[00000030h]	11_2_0181C8F9
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186C810 mov eax, dword ptr fs:[00000030h]	11_2_0186C810
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181A830 mov eax, dword ptr fs:[00000030h]	11_2_0181A830
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188483A mov eax, dword ptr fs:[00000030h]	11_2_0188483A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188483A mov eax, dword ptr fs:[00000030h]	11_2_0188483A
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01802835 mov eax, dword ptr fs:[00000030h]	11_2_01802835
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01802835 mov eax, dword ptr fs:[00000030h]	11_2_01802835
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01802835 mov eax, dword ptr fs:[00000030h]	11_2_01802835
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01802835 mov ecx, dword ptr fs:[00000030h]	11_2_01802835
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01802835 mov eax, dword ptr fs:[00000030h]	11_2_01802835
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01802835 mov eax, dword ptr fs:[00000030h]	11_2_01802835
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01810854 mov eax, dword ptr fs:[00000030h]	11_2_01810854
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186E872 mov eax, dword ptr fs:[00000030h]	11_2_0186E872
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186E872 mov eax, dword ptr fs:[00000030h]	11_2_0186E872
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01876870 mov eax, dword ptr fs:[00000030h]	11_2_01876870
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01876870 mov eax, dword ptr fs:[00000030h]	11_2_01876870
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E0887 mov eax, dword ptr fs:[00000030h]	11_2_017E0887
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017DCB7E mov eax, dword ptr fs:[00000030h]	11_2_017DCB7E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017D8B50 mov eax, dword ptr fs:[00000030h]	11_2_017D8B50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01894BB0 mov eax, dword ptr fs:[00000030h]	11_2_01894BB0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01894BB0 mov eax, dword ptr fs:[00000030h]	11_2_01894BB0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01800BCB mov eax, dword ptr fs:[00000030h]	11_2_01800BCB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01800BCB mov eax, dword ptr fs:[00000030h]	11_2_01800BCB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01800BCB mov eax, dword ptr fs:[00000030h]	11_2_01800BCB
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188EBD0 mov eax, dword ptr fs:[00000030h]	11_2_0188EBD0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186CBF0 mov eax, dword ptr fs:[00000030h]	11_2_0186CBF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180EBFC mov eax, dword ptr fs:[00000030h]	11_2_0180EBFC
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4B00 mov eax, dword ptr fs:[00000030h]	11_2_018B4B00
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E8BF0 mov eax, dword ptr fs:[00000030h]	11_2_017E8BF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E8BF0 mov eax, dword ptr fs:[00000030h]	11_2_017E8BF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E8BF0 mov eax, dword ptr fs:[00000030h]	11_2_017E8BF0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185EB1D mov eax, dword ptr fs:[00000030h]	11_2_0185EB1D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185EB1D mov eax, dword ptr fs:[00000030h]	11_2_0185EB1D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185EB1D mov eax, dword ptr fs:[00000030h]	11_2_0185EB1D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185EB1D mov eax, dword ptr fs:[00000030h]	11_2_0185EB1D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185EB1D mov eax, dword ptr fs:[00000030h]	11_2_0185EB1D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185EB1D mov eax, dword ptr fs:[00000030h]	11_2_0185EB1D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185EB1D mov eax, dword ptr fs:[00000030h]	11_2_0185EB1D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185EB1D mov eax, dword ptr fs:[00000030h]	11_2_0185EB1D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0185EB1D mov eax, dword ptr fs:[00000030h]	11_2_0185EB1D
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180EB20 mov eax, dword ptr fs:[00000030h]	11_2_0180EB20
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180EB20 mov eax, dword ptr fs:[00000030h]	11_2_0180EB20
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A8B28 mov eax, dword ptr fs:[00000030h]	11_2_018A8B28
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018A8B28 mov eax, dword ptr fs:[00000030h]	11_2_018A8B28
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E0BCD mov eax, dword ptr fs:[00000030h]	11_2_017E0BCD
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E0BCD mov eax, dword ptr fs:[00000030h]	11_2_017E0BCD
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E0BCD mov eax, dword ptr fs:[00000030h]	11_2_017E0BCD
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0BBE mov eax, dword ptr fs:[00000030h]	11_2_017F0BBE
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0BBE mov eax, dword ptr fs:[00000030h]	11_2_017F0BBE
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01894B4B mov eax, dword ptr fs:[00000030h]	11_2_01894B4B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01894B4B mov eax, dword ptr fs:[00000030h]	11_2_01894B4B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01876B40 mov eax, dword ptr fs:[00000030h]	11_2_01876B40
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01876B40 mov eax, dword ptr fs:[00000030h]	11_2_01876B40
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018AAB40 mov eax, dword ptr fs:[00000030h]	11_2_018AAB40
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01888B42 mov eax, dword ptr fs:[00000030h]	11_2_01888B42
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188EB50 mov eax, dword ptr fs:[00000030h]	11_2_0188EB50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B2B57 mov eax, dword ptr fs:[00000030h]	11_2_018B2B57
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B2B57 mov eax, dword ptr fs:[00000030h]	11_2_018B2B57
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B2B57 mov eax, dword ptr fs:[00000030h]	11_2_018B2B57
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B2B57 mov eax, dword ptr fs:[00000030h]	11_2_018B2B57
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_018B4A80 mov eax, dword ptr fs:[00000030h]	11_2_018B4A80
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01818A90 mov edx, dword ptr fs:[00000030h]	11_2_01818A90
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0A5B mov eax, dword ptr fs:[00000030h]	11_2_017F0A5B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017F0A5B mov eax, dword ptr fs:[00000030h]	11_2_017F0A5B
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01836AA4 mov eax, dword ptr fs:[00000030h]	11_2_01836AA4
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6A50 mov eax, dword ptr fs:[00000030h]	11_2_017E6A50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6A50 mov eax, dword ptr fs:[00000030h]	11_2_017E6A50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6A50 mov eax, dword ptr fs:[00000030h]	11_2_017E6A50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6A50 mov eax, dword ptr fs:[00000030h]	11_2_017E6A50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6A50 mov eax, dword ptr fs:[00000030h]	11_2_017E6A50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6A50 mov eax, dword ptr fs:[00000030h]	11_2_017E6A50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E6A50 mov eax, dword ptr fs:[00000030h]	11_2_017E6A50
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01836ACC mov eax, dword ptr fs:[00000030h]	11_2_01836ACC
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01836ACC mov eax, dword ptr fs:[00000030h]	11_2_01836ACC
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01836ACC mov eax, dword ptr fs:[00000030h]	11_2_01836ACC
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01814AD0 mov eax, dword ptr fs:[00000030h]	11_2_01814AD0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01814AD0 mov eax, dword ptr fs:[00000030h]	11_2_01814AD0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181AAEE mov eax, dword ptr fs:[00000030h]	11_2_0181AAEE
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181AAEE mov eax, dword ptr fs:[00000030h]	11_2_0181AAEE
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0186CA11 mov eax, dword ptr fs:[00000030h]	11_2_0186CA11
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181CA24 mov eax, dword ptr fs:[00000030h]	11_2_0181CA24
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0180EA2E mov eax, dword ptr fs:[00000030h]	11_2_0180EA2E
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E0AD0 mov eax, dword ptr fs:[00000030h]	11_2_017E0AD0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01804A35 mov eax, dword ptr fs:[00000030h]	11_2_01804A35
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_01804A35 mov eax, dword ptr fs:[00000030h]	11_2_01804A35
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181CA38 mov eax, dword ptr fs:[00000030h]	11_2_0181CA38
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E8AA0 mov eax, dword ptr fs:[00000030h]	11_2_017E8AA0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_017E8AA0 mov eax, dword ptr fs:[00000030h]	11_2_017E8AA0
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0188EA60 mov eax, dword ptr fs:[00000030h]	11_2_0188EA60
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181CA6F mov eax, dword ptr fs:[00000030h]	11_2_0181CA6F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181CA6F mov eax, dword ptr fs:[00000030h]	11_2_0181CA6F
Source: C:\Users\user\Desktop\47879282.EXE.exe	Code function: 11_2_0181CA6F mov eax, dword ptr fs:[00000030h]	11_2_0181CA6F

Source: C:\Users\user\Desktop\47879282.EXE.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\47879282.EXE.exe

Memory written: C:\Users\user\Desktop\47879282.EXE.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

Process created: C:\Users\user\Desktop\47879282.EXE.exe "C:\Users\user\Desktop\47879282.EXE.exe"

Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe	Queries volume information: C:\Users\user\Desktop\47879282.EXE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\47879282.EXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\47879282.EXE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	111 Process Injection	1 Access Token Manipulation	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	41 Virtualization/Sandbox Evasion	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Process Injection	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Obfuscated Files or Information	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
47879282.EXE.exe	18%	ReversingLabs
47879282.EXE.exe	100%	Avira	HEUR/AGEN.1307443
47879282.EXE.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522589
Start date and time:	2024-09-30 12:05:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	47879282.EXE.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 109 Number of non-executed functions: 196
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: 47879282.EXE.exe

Simulations

Behavior and APIs

Time	Type	Description
06:06:08	API Interceptor	222x Sleep call for process: 47879282.EXE.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\47879282.EXE.exe.log

Download File

Process:	C:\Users\user\Desktop\47879282.EXE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4qnE4KMRr:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzep
MD5:	44C70324E4017AA9B87F70A242FD14A0
SHA1:	C3C2C544A77B0B14960CF3846A29D367B8856ABF
SHA-256:	2A03CD70D1498263BD76E589D42AED74E128CB19A0E595B4D24ED7E4AF3C5FEF
SHA-512:	1B16580915BD7B08D058ACB8062C72FA837A0CB4F952F579CAFCEA1410B806744CE24B3375E6EF6FF43B7BE01D63BF35354F3C037DD2AEAF0EF077ED96B5193B
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.137707929344114
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	47879282.EXE.exe
File size:	1'278'976 bytes
MD5:	bdc14e906213d80c6fcab22665329f9c
SHA1:	afcd74d3ad99ede80adb8574278c344ea6bf9147
SHA256:	5db9bae3849011553274c1149e83d594e9c3cb6adb3480f92ae1239ad26c4171
SHA512:	dec300b45a338b283fa9f915ac592bdc94eca86d3e0c4f6371478f72c45fad2325233a0d82fe57dc141968f1d901bd38f0650414d8d9fc7b9a3961433abfad01
SSDEEP:	12288:vxgm/wXVYekmWuSk0Krt5eiBeNhUYhlhd5pDwvq9vKFur+q0EkE3uvTskMHxmm1r:0FQx7rLHvd+qzeGmm1
TLSH:	1F45D5DA9EA53652D02772380F67830C67AD5CB7EA119B894983C1E7FA3E34EDC481C5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iO...................z..........~.... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x53987e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCF94F69 [Wed Nov 24 06:36:25 1976 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x139830	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13a000	0x410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x137884	0x137a00	cec9b4c6b50718a52817b8eca048d5e5	False	0.5417121063979141	data	6.143428292203556	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x13a000	0x410	0x600	b08b606227389bad822d7d0c85ceb71a	False	0.2994791666666667	data	2.571789430860167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13c000	0xc	0x200	f4bbd5fa9c6a74e23df1a2ac691e779a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x13a058	0x3b8	COM executable for DOS			0.43907563025210083

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 12:06:27.643094063 CEST	53	49586	1.1.1.1	192.168.2.7

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 47879282.EXE.exePID: 5260, Parent PID: 4056

General

Target ID:	6
Start time:	06:06:04
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\47879282.EXE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\47879282.EXE.exe"
Imagebase:	0x130000
File size:	1'278'976 bytes
MD5 hash:	BDC14E906213D80C6FCAB22665329F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000006.00000002.1969277153.0000000002481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 47879282.EXE.exePID: 7536, Parent PID: 5260

General

Target ID:	11
Start time:	07:22:28
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\47879282.EXE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\47879282.EXE.exe"
Imagebase:	0x130000
File size:	1'278'976 bytes
MD5 hash:	BDC14E906213D80C6FCAB22665329F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 47879282.EXE.exePID: 5260, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.4%
Total number of Nodes:	94
Total number of Limit Nodes:	10

Executed Functions

Function 07483348 Relevance: 5.8, Strings: 2, Instructions: 3280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0748675C
@, xrefs: 0748674C

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: c3990c8fbb326489941df15974551b03e63c3a3b6c3ec4206bfe5f7b0372892a
Instruction ID: 5bf0250a693bf4c3e44e8f82d48a16be39021c2e641da780b66dc898a2e89c0a
Opcode Fuzzy Hash: c3990c8fbb326489941df15974551b03e63c3a3b6c3ec4206bfe5f7b0372892a
Instruction Fuzzy Hash: D6537EB0E042288BCB94FF78E88576DBBF1EB89300F5144EDD449A7255DE38AE84CB55

Function 06FD750D Relevance: 5.5, Instructions: 5511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f593451705f2491d64e28c5ddadb5cce5a8342762bf506d92ccab8e4a055bf8f
Instruction ID: f1049943850e2a9120a90ff6144f64a26e97ce70ce1c735409144601f61b66f3
Opcode Fuzzy Hash: f593451705f2491d64e28c5ddadb5cce5a8342762bf506d92ccab8e4a055bf8f
Instruction Fuzzy Hash: 5EB3F770A016288BDB68FF79E9856ACBBF2FB89301F4045E9D449A7354DB34AD84CF41

Function 06FD7538 Relevance: 5.5, Instructions: 5499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c294daa0f8adf7fbc6347322d8e638487fa034fc9d20e177a4a37f04c3e04be
Instruction ID: b7a3b4cf17e5040c9b839c0f3f00507f89288e65125fb16480cc01357c68fe97
Opcode Fuzzy Hash: 7c294daa0f8adf7fbc6347322d8e638487fa034fc9d20e177a4a37f04c3e04be
Instruction Fuzzy Hash: 59B3F670A016288BDB68FF79E9856ACBBF2FB89301F4045E9D449A7354DB34AD84CF41

Function 08A5BE50 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e\1, xrefs: 08A5BF44
"*p, xrefs: 08A5BF81
"*p, xrefs: 08A5BF88
e\1, xrefs: 08A5BF3D

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: e\1$e\1$"*p$"*p
API String ID: 0-1513742261
Opcode ID: 31c0f46708985040cf56c319a7ca1baf55ad50f114b53ed361e45d8c8b56fdce
Instruction ID: 61fd0e1d8c0833f38246a43dcb12719e5896c5a43fd110b7845839670ae39c8f
Opcode Fuzzy Hash: 31c0f46708985040cf56c319a7ca1baf55ad50f114b53ed361e45d8c8b56fdce
Instruction Fuzzy Hash: 598112B0D05218CFCB14CFA5D9546EEBBF2BF88312F24942AD816BB654DB345A42CF64

Function 074832E6 Relevance: 4.2, Strings: 1, Instructions: 2973
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G, xrefs: 07483300

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: de5566e00d9f909ab4a4a4ddc749332bc2383a1069e55d6a58e1c0caae596cd5
Instruction ID: d27ce4d2077e82756e55dadc35a6e365b18f9f0ec1dbec348ac97ec7adb8e48e
Opcode Fuzzy Hash: de5566e00d9f909ab4a4a4ddc749332bc2383a1069e55d6a58e1c0caae596cd5
Instruction Fuzzy Hash: 8E436FB0E006288BCB94FF78E98576DBBF1EB88301F5144ADD449A7354DE38AE84CB55

Function 08A54510 Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6f, xrefs: 08A54762
$q, xrefs: 08A54599
6f, xrefs: 08A54770

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: 6f$6f$$q
API String ID: 0-2870187524
Opcode ID: 7a9d41aef280214c63ac98ce6ae1457ecfcf88bba8119d03aa7a42a1c012ad91
Instruction ID: d49128abc7c567642998fcc05f4f4629fbc193a02578c700354a6690afb9be2d
Opcode Fuzzy Hash: 7a9d41aef280214c63ac98ce6ae1457ecfcf88bba8119d03aa7a42a1c012ad91
Instruction Fuzzy Hash: 6871E5B4E01208DFDB14CFA5D5986DEBBB2FF89301F20842AD80AAB754DB349991CF55

Function 08A5C158 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

PHq, xrefs: 08A5C3D2
PHq, xrefs: 08A5C412

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 45db34b1903063bec2fa5dda66beaa980a665877567bba0f848bc749a77905e9
Instruction ID: 166344ff9086d79413a2611ac6f8fbca9201f6ad2a1d733b05aaf682bb5fd4b5
Opcode Fuzzy Hash: 45db34b1903063bec2fa5dda66beaa980a665877567bba0f848bc749a77905e9
Instruction Fuzzy Hash: 54A11374E14308CFCB14CFA9D594AADBBB2FB89721F20912AD816BB658DB345981CF14

Function 0748D2F8 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

Teq, xrefs: 0748D361
Teq, xrefs: 0748D53A

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: 53ba0034a1ce3ef37ef7ae40f9d05f9f41f2878d07f7ecbb658c4cd76390a5c7
Instruction ID: 95d4c5ae6de52720a8494137fbd790a392c59ce8888da7dced05e032f3db22be
Opcode Fuzzy Hash: 53ba0034a1ce3ef37ef7ae40f9d05f9f41f2878d07f7ecbb658c4cd76390a5c7
Instruction Fuzzy Hash: 8091E2B4E116098FDB48DFAAC980ADEBBB2FF89300F24942AD415BB354D7349946CF54

Function 0748D2F2 Relevance: 2.7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

Strings

Teq, xrefs: 0748D361
Teq, xrefs: 0748D53A

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: f3049e769ac5830bd04b61fdc04d213aa5ee79718dd5f65cc7b46aa48bb4c738
Instruction ID: a39f9b6f97647d4c02c6e1537538ee4535ad82baea1f44711400d35e755e5851
Opcode Fuzzy Hash: f3049e769ac5830bd04b61fdc04d213aa5ee79718dd5f65cc7b46aa48bb4c738
Instruction Fuzzy Hash: 8191D0B4E116098FDB48DFAAC980ADEBBB2FF89300F24942AD415BB354D7349946CF54

Function 08A54501 Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

$q, xrefs: 08A54599
6f, xrefs: 08A54770

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: 6f$$q
API String ID: 0-559323919
Opcode ID: af99a8908980eacb8e8f3d2f5e3b42a32eb44adf2a39c7060da50186fe537339
Instruction ID: 77656ff06862ebd368615dfa1895d0074b2b6ad5d1bed30bce158ada66c79d19
Opcode Fuzzy Hash: af99a8908980eacb8e8f3d2f5e3b42a32eb44adf2a39c7060da50186fe537339
Instruction Fuzzy Hash: EC7103B4E01208DFDB04DFA5D49869EBFB2FF89301F20842AD80AA7754DB349996CF51

Function 08A5B508 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 08A5B673

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: cf2e885525ea900848765fdf3b2a91f75ef283419a0006515697773f6537b62b
Instruction ID: f12e0a0a4a464f5aadbfd98d25145c43e16c15f5a27ae3c1686c04348e515a97
Opcode Fuzzy Hash: cf2e885525ea900848765fdf3b2a91f75ef283419a0006515697773f6537b62b
Instruction Fuzzy Hash: EC512971D0022ADFDB24CF59C840BDDBBB1BF48311F0081AAE909B7650DB759A86CFA0

Function 0748F383 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

kQD, xrefs: 0748F668

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: kQD
API String ID: 0-3066535408
Opcode ID: 0183ea1258e1f3907875b56ceeaa4df78b21c71672caf9c29bb3fd1f2d433569
Instruction ID: 2d3201fb1c9916b6c7b78c88d7d189ab7189cb3d86f1f324fd0dd64f96d73dc7
Opcode Fuzzy Hash: 0183ea1258e1f3907875b56ceeaa4df78b21c71672caf9c29bb3fd1f2d433569
Instruction Fuzzy Hash: 5CC145B4E1420ADFCB44DFA9C5808EEBBB2FF99300F148566D411AB355C734AA96CF91

Function 0748F369 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

kQD, xrefs: 0748F668

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: kQD
API String ID: 0-3066535408
Opcode ID: fce6fe486dadcfd45612014b6f98070a2ab2f4d008e62d41da4958b84fe4f5eb
Instruction ID: 1180b91ffe24e9a46cb4ff279f7187abf768297c0a219d1ac31316bd04c6f3f5
Opcode Fuzzy Hash: fce6fe486dadcfd45612014b6f98070a2ab2f4d008e62d41da4958b84fe4f5eb
Instruction Fuzzy Hash: FAC154B4E1420ADFCB44DFA9C5808EEBBB2FF99300F14856AD411AB355C734AA56CF91

Function 0748F3C0 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

kQD, xrefs: 0748F668

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: kQD
API String ID: 0-3066535408
Opcode ID: 43f72872a567be6b8133e584863ed0815e99f7ab04230e06813faca06fa63f9a
Instruction ID: d37154b70fb05a32b458b610ba35417eabf27490e81795cbe01b660800193bd6
Opcode Fuzzy Hash: 43f72872a567be6b8133e584863ed0815e99f7ab04230e06813faca06fa63f9a
Instruction Fuzzy Hash: F7C145B4E0420ADFCB44DFA9C5808AEFBB2FF99300F14856AD401AB355C734AA56CF91

Function 0748F3E8 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

kQD, xrefs: 0748F668

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: kQD
API String ID: 0-3066535408
Opcode ID: c34e1562470776fa1c9c274f98c72e37ce99d1aacdd3e1ca5333a96e3a613d35
Instruction ID: a4c0779ccfe5b233b95aeccf8ba88cef7671ded5002918b98e351d95844c7c00
Opcode Fuzzy Hash: c34e1562470776fa1c9c274f98c72e37ce99d1aacdd3e1ca5333a96e3a613d35
Instruction Fuzzy Hash: F9C157B4D0420ADFCB44DFA9C5808AEFBB2FF99300F14856AD411AB315C738AA46CF91

Function 0748DB80 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

>NG, xrefs: 0748DC26

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: >NG
API String ID: 0-1926143806
Opcode ID: 00dce15db33fc862957de1bee4278bbb91dbf5825fffdb6a65ba800f1f220975
Instruction ID: c4c09cb934544be453ecd0177eb7548d9b672c9f8a57ffb248e005371594d68d
Opcode Fuzzy Hash: 00dce15db33fc862957de1bee4278bbb91dbf5825fffdb6a65ba800f1f220975
Instruction Fuzzy Hash: C15116B0E152098FDB48DFA9C5406EEFBF2BF8D200F24D52AD419A7294D7748A418FA4

Function 07487A98 Relevance: 1.4, Instructions: 1392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3a8f816f3060430d9279a65b43a2c1f3ab7ab95af75a9d8f0a32ab5a1dfd80
Instruction ID: 9ebd31587753d797c75c4c7f943a23e16b1c4471f1c59dc973707d5d480ad7bc
Opcode Fuzzy Hash: 4f3a8f816f3060430d9279a65b43a2c1f3ab7ab95af75a9d8f0a32ab5a1dfd80
Instruction Fuzzy Hash: A9C24E70E002288BC755BF78E8857ADBBF2FB89300F5185A9D449A7358DF38AD58CB51

Function 0748DB72 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

>NG, xrefs: 0748DC26

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: >NG
API String ID: 0-1926143806
Opcode ID: 0da79fc0b75322a6c513d5d5a180b5aad2dd22fae0970c2605058735d424f043
Instruction ID: a0b7f149d4ea251de6549cb3169db11f2ab1cd6a5f0e1f0b8333dce419a010ed
Opcode Fuzzy Hash: 0da79fc0b75322a6c513d5d5a180b5aad2dd22fae0970c2605058735d424f043
Instruction Fuzzy Hash: 485127B0E152098FDB48DFA9D9406EEFBF2FF8D200F14D52AD419A7294D7748A418FA4

Function 0748B650 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

<, xrefs: 0748B775

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 581f24f0b90fd4ba96a68eddd769d313f577cf1b5f69f3b3b791660b32831254
Instruction ID: 59cc1d948a4f7c85d739ab66331b49a715b22ec76e85f2d5a287e186fdd6929f
Opcode Fuzzy Hash: 581f24f0b90fd4ba96a68eddd769d313f577cf1b5f69f3b3b791660b32831254
Instruction Fuzzy Hash: 2D5173B5E01618CFDB58DFAAC9446DDBBF2AF89301F14C0AAD409AB264DB345A85CF40

Function 0748B64A Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

<, xrefs: 0748B775

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: ef11c05fc37c11261d4b14db144b3625cc10e94d7260d52ddb69775edc4eb86f
Instruction ID: 800b0c21e7adef647c4e0fc89c825f44d9f97c81abe1067fdac257b601667609
Opcode Fuzzy Hash: ef11c05fc37c11261d4b14db144b3625cc10e94d7260d52ddb69775edc4eb86f
Instruction Fuzzy Hash: 535174B5E01658CFDB58DFAAC9446DDBBF2AF89301F14C0AAD409AB364DB345A85CF40

Function 06A38778 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977329874.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6a30000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81f004c7316043873a62c3b1c27b837017d35611bc252bb50822ba303c28b92
Instruction ID: 2d6b06e3333dd10af38340dfc2a861f0d84593fbad9b3f85d438273674383d57
Opcode Fuzzy Hash: a81f004c7316043873a62c3b1c27b837017d35611bc252bb50822ba303c28b92
Instruction Fuzzy Hash: 66528E34A003158FDB14DF28C844B98B7B2FF85314F2586A9E5586F3A2DB75AD86CF81

Function 06A38758 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977329874.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6a30000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883d9b00cde846d45eee636f44cfb9b83dab2e77892c4ba056e7ba4bb4c0f236
Instruction ID: 0a20476c6fc773343b7ef6b403f56ab01a885a2b0cce802072bd50c3aa54f674
Opcode Fuzzy Hash: 883d9b00cde846d45eee636f44cfb9b83dab2e77892c4ba056e7ba4bb4c0f236
Instruction Fuzzy Hash: 85528E34A007558FDB10DF28C844B98B7B2FF85314F2586E9E4586F3A2DB75A986CF81

Function 08A5F668 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d57f694d42a01d33415387201589e46f0f516538c0f27ead068a569d87bb1d4
Instruction ID: 9253cc082cca5a15d5ab53908d53aaf53770827503e4bd81d933bddf01885457
Opcode Fuzzy Hash: 6d57f694d42a01d33415387201589e46f0f516538c0f27ead068a569d87bb1d4
Instruction Fuzzy Hash: D4D1CB31B007008FEB25EB76C550BAEB7E6AF88706F14846DD946CBA91CF35E846CB51

Function 08A56778 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3065c04fb4897353c065e448c30e21a387119185f63deed47a16ee0a500a0525
Instruction ID: 0933b0ebb56aeed07564d844ef2f3b0fc43b4321d067da0b19d5afeda538c599
Opcode Fuzzy Hash: 3065c04fb4897353c065e448c30e21a387119185f63deed47a16ee0a500a0525
Instruction Fuzzy Hash: BDE10674E016698FDB64CF25C84479DBBB6BF88301F5086AAD409BB214E774AEC1CF44

Function 00ACF6B8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1969005732.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ac0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f5a18a4ebaa2c251913ea961220ceeb1a709986d7df81ac58028eacc70479b
Instruction ID: 07d8e43c01c5783cd164cda5e22c7c31ddb2e1e0fa41516602d4e91a997d727b
Opcode Fuzzy Hash: 95f5a18a4ebaa2c251913ea961220ceeb1a709986d7df81ac58028eacc70479b
Instruction Fuzzy Hash: A71261B1C01F858AE715CFB5FDDC2893AA1BB8532CBA04609D2612E2F5DBB8155BCF44

Function 08A56768 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc079fa827143d04ffd4cc1ea0651d99274ffab5d732a5491dbd1a8d6705c244
Instruction ID: 1f1dd5efcc813755ea8375d60269a61d8ba03123a3c814aefee2228929b2fa4f
Opcode Fuzzy Hash: bc079fa827143d04ffd4cc1ea0651d99274ffab5d732a5491dbd1a8d6705c244
Instruction Fuzzy Hash: 0DD1F574E116698FDB64CF25C954B9DBBB2BF88300F5086AAD409BB254E770AEC1CF44

Function 08A5B770 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2d48a6c8a08374b984a09fb869391eefa4bf715303832455bcfda4a30ed57a
Instruction ID: e7ce575748ff0ba11a69f10715d3e6ef321b51b494eb92b9b8ebb2d39bfd4822
Opcode Fuzzy Hash: 1c2d48a6c8a08374b984a09fb869391eefa4bf715303832455bcfda4a30ed57a
Instruction Fuzzy Hash: 8B6165B0D01219DFCB04CFA4D554BAEBBB2FF49B12F14882AD812A7754D7385A82CF61

Function 0748E548 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2648aa3d11a2e249be83f6aa3f068ba6a18e5185eacf14cd577e2b4d9079966
Instruction ID: f83da0fa87ba9b2a756f3258ee064d2f2e04ea6809f298d4263cbd0bd55a7b05
Opcode Fuzzy Hash: e2648aa3d11a2e249be83f6aa3f068ba6a18e5185eacf14cd577e2b4d9079966
Instruction Fuzzy Hash: 7D5116B0D01268CBDB54DFA6C9846DEBBB2FF89310F1084AAD409B7354DB346A91CF54

Function 0748E542 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9b65ff009d3670f2a09c863789e8178d8b541148af5b19110dffff9e36bebc
Instruction ID: 22a03aa386a39334eb0f58ecc9074b7976b18668c70caa7d833ecdf4bc6ab71f
Opcode Fuzzy Hash: 4e9b65ff009d3670f2a09c863789e8178d8b541148af5b19110dffff9e36bebc
Instruction Fuzzy Hash: 8A41E6B0D112688BDB58DFA6C9846DEBBF2FF88310F14C4AAD409B7254DB346A85CF54

Function 08A5A408 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e6aba96b166a272a64cc0c1cad02c43f228d6f67929257dd383aba990b7de9
Instruction ID: 640bcc1104f28887cc2b269dbaf6204721e80d6abe23edf3e75c64b35d126ea8
Opcode Fuzzy Hash: c7e6aba96b166a272a64cc0c1cad02c43f228d6f67929257dd383aba990b7de9
Instruction Fuzzy Hash: 3541C6B4E006288BDB18CFAAC9446DEFBF2BF88310F14C16AD849A7354EB305981CF50

Function 0748C6E8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82763e9854fe224c9989c689cd0d29b333959594e9def5d657a3a944459334ea
Instruction ID: 4229e177dd5b5ff6375ed8fb1ca8e5fafc9b6d55e03a7dd7d632a73a78a5c7b1
Opcode Fuzzy Hash: 82763e9854fe224c9989c689cd0d29b333959594e9def5d657a3a944459334ea
Instruction Fuzzy Hash: 1B31DAB1E006189BDB58DF6ADC4079EBBF3BFC9200F14C4AAD508B7254DB345A858F61

Function 08A511E0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490fdf6edcbfc608d6770dc4102e01be80352b9e46107211b3579cef0aac8d3b
Instruction ID: 197a2d44bb43b3565ef2024d1ad0bfac1564fb053f535c8715267636f73ccd07
Opcode Fuzzy Hash: 490fdf6edcbfc608d6770dc4102e01be80352b9e46107211b3579cef0aac8d3b
Instruction Fuzzy Hash: 3C21FF71E016189BEB58CF6BDC4079EF7F7AFC8200F04C1BAC908A6264EB3419568F51

Function 00ACC8B1 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00ACC93E
GetCurrentThread.KERNEL32 ref: 00ACC97B
GetCurrentProcess.KERNEL32 ref: 00ACC9B8
GetCurrentThreadId.KERNEL32 ref: 00ACCA11

Memory Dump Source

Source File: 00000006.00000002.1969005732.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ac0000_47879282.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 62bd96491172e7649238ddb687b4dc1c65dd0cc51936918baca5bdc30cc74d5b
Instruction ID: 16e585a67c096a1c91d44ecfd6b458c08eb20414e45932cab001b39ae97e7207
Opcode Fuzzy Hash: 62bd96491172e7649238ddb687b4dc1c65dd0cc51936918baca5bdc30cc74d5b
Instruction Fuzzy Hash: B55165B09003498FDB24DFAAD448BEEBBF1EF48310F20845DE459A7260DB74A945CB66

Function 00ACC8C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00ACC93E
GetCurrentThread.KERNEL32 ref: 00ACC97B
GetCurrentProcess.KERNEL32 ref: 00ACC9B8
GetCurrentThreadId.KERNEL32 ref: 00ACCA11

Memory Dump Source

Source File: 00000006.00000002.1969005732.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ac0000_47879282.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 028726e9d50a69dc94ba305c4ffe4af524a2c96ad06221a04f570a2f03bdcd7a
Instruction ID: f74a4445363b5d4b5c4046ecc71836bd02d2a52b87b2fe5612badf874e121329
Opcode Fuzzy Hash: 028726e9d50a69dc94ba305c4ffe4af524a2c96ad06221a04f570a2f03bdcd7a
Instruction Fuzzy Hash: 6E5154B0D003498FDB14DFAAD948B9EBBF1EF48310F20841DE419A72A0DB74A945CB66

Function 06FD27A8 Relevance: 4.0, Strings: 3, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 06FD4D61
(q, xrefs: 06FD4D8D
(q, xrefs: 06FD4DFF

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID: (q$(q$(q
API String ID: 0-2103260149
Opcode ID: 3d6f973fb8c81567bb9df7ab4c812e16d40832de91cee5cee8523d9ded82294a
Instruction ID: c015a89fe7fe0da4e4cc1309480ecd44d048766de6983713cf3c4d788e5715fc
Opcode Fuzzy Hash: 3d6f973fb8c81567bb9df7ab4c812e16d40832de91cee5cee8523d9ded82294a
Instruction Fuzzy Hash: 19A16B70E007089FDB14DFA9C85479DBBF2FF89310F188569E405AB391DB74A986CB91

Function 06FD621C Relevance: 3.9, Strings: 3, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJq, xrefs: 06FD6344
@, xrefs: 06FD6224
Teq, xrefs: 06FD632F

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID: @$TJq$Teq
API String ID: 0-53373553
Opcode ID: 9a9ded34bc4d52835b2b445cdb90dc7e64a1ac101ee79d77bfe257de5ec2fe9e
Instruction ID: c0a88567df8d2da5be4397f247b59df168294843c4e77f1063d39a8149518b66
Opcode Fuzzy Hash: 9a9ded34bc4d52835b2b445cdb90dc7e64a1ac101ee79d77bfe257de5ec2fe9e
Instruction Fuzzy Hash: C341659160E7D00FD703577898346597FB2AF8B219F1E01DBD182CF6E3D9598C0A83AA

Function 06FD51C8 Relevance: 2.9, Strings: 2, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 06FD5280
Hq, xrefs: 06FD5309

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: c60cdf6e3eb6f21bb493ff893d0e84029f212e133a87b7eef56b6c869963f451
Instruction ID: 62d21ab1bab6b4387313952b63baf584a436fce9b70eabb8313cb17c0b46c54d
Opcode Fuzzy Hash: c60cdf6e3eb6f21bb493ff893d0e84029f212e133a87b7eef56b6c869963f451
Instruction Fuzzy Hash: 87D19171E042188BC708BBB8E89526E7BF3EFC9310F554869D445E7394DE38AC49C7A6

Function 06FD6328 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

TJq, xrefs: 06FD6344
Teq, xrefs: 06FD632F

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID: TJq$Teq
API String ID: 0-3317343146
Opcode ID: a733a0e7cc7adaddff9eed9edd7cc8b068b63e64dfa42dd5201e51f010cffc35
Instruction ID: 95000ee1d544b67311bc5152e2d2dfdbe3cb62b13c7956766dbfa8b54dbaaa64
Opcode Fuzzy Hash: a733a0e7cc7adaddff9eed9edd7cc8b068b63e64dfa42dd5201e51f010cffc35
Instruction Fuzzy Hash: 36F096313101201FCA08A77DB565A3E76EBBFC9710329445DF906CB3A6CE69DC0243AA

Function 06FD371E Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

Teq, xrefs: 06FD3772

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 61ad441b1168df4ca490068325f7b968548d08421fd435dcb8e163e151989857
Instruction ID: 4ad51d5b683d4d0e85612360272e9438c278fbcea75e1530086f884415aba318
Opcode Fuzzy Hash: 61ad441b1168df4ca490068325f7b968548d08421fd435dcb8e163e151989857
Instruction Fuzzy Hash: 16527E71E043148BC754FBB8E88576DBBF2EB89300F5285A9D449A7364DF38AD48CB52

Function 00ACA628 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00ACA87E

Memory Dump Source

Source File: 00000006.00000002.1969005732.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ac0000_47879282.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 46e96ce1e1cc94e5ef51aed70a9c8840224fcdf115bbe9d25e5667de76febd17
Instruction ID: 1f96652797b356fd56013a96bad37e8ade9e29ee95b42ec568ee2978842e1648
Opcode Fuzzy Hash: 46e96ce1e1cc94e5ef51aed70a9c8840224fcdf115bbe9d25e5667de76febd17
Instruction Fuzzy Hash: 46816870A00B098FDB24DF29D555B6ABBF1FF88304F04892DD48AD7A50D775E846CB91

Function 08A5E000 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08A5E090

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e1ce3383f86186a7add6a0d6b287330994f69950220402e3ed85697dfb1d67ed
Instruction ID: e489c31d3d0c7d781d3b1ddda639da7a625c0bceaa71979e6e43903ec32d7b5b
Opcode Fuzzy Hash: e1ce3383f86186a7add6a0d6b287330994f69950220402e3ed85697dfb1d67ed
Instruction Fuzzy Hash: 54213971D003099FDB20DFA9C881BDEBBF5FF48310F50842AE958A7640C7799951CBA4

Function 0748C603 Relevance: 1.6, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0748C69B

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d57235b144725937bbde371e4f1d47b673756ff3bf2edba04219c3d7924e08c9
Instruction ID: af8d24e855a0907ee8101ce026f707c273e60611324de1be0d95077da5d8ad70
Opcode Fuzzy Hash: d57235b144725937bbde371e4f1d47b673756ff3bf2edba04219c3d7924e08c9
Instruction Fuzzy Hash: B52166B6C043499FDB51DF99C4817DEBBF1EB48320F14846AE858E7651C738A944CFA1

Function 00ACCF09 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ACCF97

Memory Dump Source

Source File: 00000006.00000002.1969005732.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ac0000_47879282.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 64d90c3013beb3be709bf6168fd09a223d64434cf47cf29b32a801364e335057
Instruction ID: 2f5389cd5e2782e3e6d3bacabe4dafea18572134f7f21c889ea5a960a19c50bd
Opcode Fuzzy Hash: 64d90c3013beb3be709bf6168fd09a223d64434cf47cf29b32a801364e335057
Instruction Fuzzy Hash: BC21E3B5D003489FDB10CFAAD484ADEBBF5EB48320F14846AE958A3350D379A955CFA1

Function 08A5D490 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 08A5D50E

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: be3829f04a8fa8ec5c08914dd579cda3072426cd1563964884bc3fb7a41c2f06
Instruction ID: 374ddac785a00cca22cc397a70bb480308883930bfcc353d524452ffc52c777a
Opcode Fuzzy Hash: be3829f04a8fa8ec5c08914dd579cda3072426cd1563964884bc3fb7a41c2f06
Instruction Fuzzy Hash: 3D213871D003098FDB10DFAAC4857AEBBF4EF48314F54842ED859A7640CB78A985CFA5

Function 08A5E9F0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08A5EA6E

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cc4acf0706d6e2d3f3fef1b5ab8d8959313ac49ac6660c788ff01cc22e7c1004
Instruction ID: ba6e179590db810f43908a90bdbac78b68f09610d5c6b49e2d5ae5f4601bc4ce
Opcode Fuzzy Hash: cc4acf0706d6e2d3f3fef1b5ab8d8959313ac49ac6660c788ff01cc22e7c1004
Instruction Fuzzy Hash: 60213771D003098FDB10DFAAC4857AEBBF4AB48211F54842AD919A7640CB789A45CFA4

Function 00ACCF10 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ACCF97

Memory Dump Source

Source File: 00000006.00000002.1969005732.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ac0000_47879282.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9eabcf74c6b692eecf3d9b2be20cb4ca2ca7b6d8329358d6c1a83491180ad4ec
Instruction ID: 5a09d0db5b79679c0c1da634bc6c5e0781b62224701043d309189cf3e24e0d3c
Opcode Fuzzy Hash: 9eabcf74c6b692eecf3d9b2be20cb4ca2ca7b6d8329358d6c1a83491180ad4ec
Instruction Fuzzy Hash: B221E4B5D003089FDB10CF9AD884ADEFBF5EB48320F14841AE918A3350C378A951CFA0

Function 08A5E750 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 08A5E7C7

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 540b8e9e557285a2b317c9c0f36534952d869e9dde072ed59196e455f3ddd829
Instruction ID: 81d4b74990a33ae3e7d42dcb5e3e8e8a40a5f152c244fe3181b9469a301cdc77
Opcode Fuzzy Hash: 540b8e9e557285a2b317c9c0f36534952d869e9dde072ed59196e455f3ddd829
Instruction Fuzzy Hash: 75211871C003099FDB10DFAAC441BEEBBF5EF48320F54842AD919A7640CB799951CFA1

Function 08A54408 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08A5447B

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 88129944fe5df277421359c60e3f27e69e96e658a82cfb6bb2ed006a4ec25896
Instruction ID: 3a5040d6a1d72aad2a0e0f44fd67e42b4ca3184172b107b56216b6bd54f40f33
Opcode Fuzzy Hash: 88129944fe5df277421359c60e3f27e69e96e658a82cfb6bb2ed006a4ec25896
Instruction Fuzzy Hash: 5221D6B5D003499FDB10DF9AC485BDEFBF4EB48320F108429E958A7650D378A585CFA5

Function 0748C628 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0748C69B

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8505ae4134478b070443ed778d89088bc57c8d09f6a89e9c02331e3ccc8a2390
Instruction ID: e6747ad8cce58dfb921c9b6605417abf8d9910fa7911474b0243d90090069970
Opcode Fuzzy Hash: 8505ae4134478b070443ed778d89088bc57c8d09f6a89e9c02331e3ccc8a2390
Instruction Fuzzy Hash: DC21D6B5D002499FDB10DF9AC485BDEFBF4FB48320F10842AE958A7251D378A545CFA5

Function 08A5440A Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08A5447B

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 184e8aab52740df288b61c51aeeb8bcaa4d3b477c7f8488e4ec15ae4a80a917e
Instruction ID: 83dea0510b9220d2c6b6087d7ed22a6a2e228322f20fd6d63e48eed6b9364939
Opcode Fuzzy Hash: 184e8aab52740df288b61c51aeeb8bcaa4d3b477c7f8488e4ec15ae4a80a917e
Instruction Fuzzy Hash: CD11E7B5D002499FDB10DF9AD484BDEFBF4FB48310F108429E858A7650D378A585CFA5

Function 08A5DCC0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08A5DD2E

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2b2a2b96bea76a7efb0c4bc7df9008e39c8905f3ca38fb7bf8b3e09c7b4c59a3
Instruction ID: e43e870eaf415af85fd483eac654992b7ef21a702434eaede599af894943b458
Opcode Fuzzy Hash: 2b2a2b96bea76a7efb0c4bc7df9008e39c8905f3ca38fb7bf8b3e09c7b4c59a3
Instruction Fuzzy Hash: AB113A71D003499FDB20DFAAC845BDEBBF5EF48310F148419E915A7650C7759551CFA0

Function 08A5EC58 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08A5ECBA

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c6b0794da1665bd90c78d2f1d841eff644441932a8a65e252e01328c2bd97085
Instruction ID: de2e07ecd165f66cca3110a7410991c704dab5766b913605df292ed4e475a9cf
Opcode Fuzzy Hash: c6b0794da1665bd90c78d2f1d841eff644441932a8a65e252e01328c2bd97085
Instruction Fuzzy Hash: EC113A71D003498FDB20DFAAC44579EFBF5EB88320F14842DD519A7640CB79A941CFA4

Function 00370864 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 00371425

Memory Dump Source

Source File: 00000006.00000002.1965838074.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_47879282.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 89208262fa94528d6cfa8c80df40d2b7adf649229f0f5c1f1c9ea8013db2e1fd
Instruction ID: ad1e0065e22b1e34d056ffc238cfbe8a31ededacc2b97ab5b6b21fba1d16c3f1
Opcode Fuzzy Hash: 89208262fa94528d6cfa8c80df40d2b7adf649229f0f5c1f1c9ea8013db2e1fd
Instruction Fuzzy Hash: DF11D6B59007499FDB21DF9AD445BDEFBF8FB48310F10845AE518A7640C379A944CFA1

Function 003713C0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 00371425

Memory Dump Source

Source File: 00000006.00000002.1965838074.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_47879282.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 20f755331a97da97431ec6aafd2ca3904f57ef0a1673ab86d976cf337e60bdb5
Instruction ID: 571208de392a87968c4bdb567a622a2566448fd9f9f65fd8c9eba793a4c1b21b
Opcode Fuzzy Hash: 20f755331a97da97431ec6aafd2ca3904f57ef0a1673ab86d976cf337e60bdb5
Instruction Fuzzy Hash: A311B3B58002499FDB21DF9AD445BDEBFF8EB48310F148419D558A7640C379A944CFA1

Function 00ACA818 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00ACA87E

Memory Dump Source

Source File: 00000006.00000002.1969005732.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ac0000_47879282.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5eff0c8d43a5a56934048d1fd35de6efc9ccbc6d1bdb22a015d8af56083ec38e
Instruction ID: d5a864d7de7ff939f2651fae292679bf7d70de159d582ecd0f40e88137f65ac2
Opcode Fuzzy Hash: 5eff0c8d43a5a56934048d1fd35de6efc9ccbc6d1bdb22a015d8af56083ec38e
Instruction Fuzzy Hash: 2111E0B5C007498FDB20DF9AC844BDEFBF4EB88324F11842AD429A7610D379A546CFA5

Function 06FD2090 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

Teq, xrefs: 06FD21F1

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 35febb9d407aaadaeccdea3b4a12de66804147a74f0b1a1f540d8e67c4b01d0c
Instruction ID: 91ff5d90b8b30beef89941a63602c456a0df117edec04016bdc7221533ca67c6
Opcode Fuzzy Hash: 35febb9d407aaadaeccdea3b4a12de66804147a74f0b1a1f540d8e67c4b01d0c
Instruction Fuzzy Hash: 6E51BF31B002058FDB15DBB9D8549AFBBF6FFC42207198969E519CB391EB30AD0687A1

Function 06FD44C0 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

(q, xrefs: 06FD44E8

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: c59e6c0b00509a012d22f2363f6830a576c084595120a5c9f0488e6579878a57
Instruction ID: 19a5dfa810854c4ea96823ea83cb4b3b9adc2ef5bd3bd7d76cdb24cffecaaf79
Opcode Fuzzy Hash: c59e6c0b00509a012d22f2363f6830a576c084595120a5c9f0488e6579878a57
Instruction Fuzzy Hash: 7D318E31E006098FCB51EFADD8506EEBBF5EF89210B04826AD559E7211EB34A951CBA1

Function 06FD1FB0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Teq, xrefs: 06FD201B

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 62a19bfaeb0c88b96d7f080866ab22e75ce6cf6778e741a64cd15a95ca3cb69d
Instruction ID: 5adf0d46c2751ed8a6f25b12a18604a1243573fb0339b38ae648e133a1a8d2a4
Opcode Fuzzy Hash: 62a19bfaeb0c88b96d7f080866ab22e75ce6cf6778e741a64cd15a95ca3cb69d
Instruction Fuzzy Hash: DF111F31F003198FCB64EBB999117EEBAF6BB88751B544069D505E7244EB319E01C7E1

Function 06FD0040 Relevance: .9, Instructions: 907COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab3366ea8216070c1e287810db9472977398c1531914fb0d8ddbd43213adaf1
Instruction ID: cc979c5cb393d065e5366f0f0b1719b301421c6ab2a01e0a73953420b6f67e06
Opcode Fuzzy Hash: 1ab3366ea8216070c1e287810db9472977398c1531914fb0d8ddbd43213adaf1
Instruction Fuzzy Hash: D4728C70E002198BCB54BFB8E88576DBBF2FB88300F5189A9D449A7358DF38AD54CB55

Function 06FD0006 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d0837bf76c827017601e09fa4305440764eff6964e460856482e460cb85964
Instruction ID: f49fec885a732d8fe93c6ac2a37b221979bc51e6e8286b206543c51615b9fe55
Opcode Fuzzy Hash: 57d0837bf76c827017601e09fa4305440764eff6964e460856482e460cb85964
Instruction Fuzzy Hash: B7129D71A002148BCB54BF78E84576DBBF2EF88300F5188A9E449E7354EF38AD54CB92

Function 06FD639F Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4a15c934c278bf6649fbba66c58feb0909e0d8fb4c3c18c245de51179f4cba
Instruction ID: f761efc5a7010cdabc18233d1bff5ac72af405ac96c9435324f4fa7210e9c306
Opcode Fuzzy Hash: ae4a15c934c278bf6649fbba66c58feb0909e0d8fb4c3c18c245de51179f4cba
Instruction Fuzzy Hash: E3F15D70A102248FC748EFB9D595A6D7BE2FF89700B6584A9E406DB364CF39EC04CB95

Function 06FDED88 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5aa48676b437618f56866ae0bbeede41880e1d47d5aac31cfa42dc19a4a8c4
Instruction ID: ceaf00ecd2633e88fe38d5208cb134eac84148e0aed0472d94c1a9ad6f073e0e
Opcode Fuzzy Hash: fc5aa48676b437618f56866ae0bbeede41880e1d47d5aac31cfa42dc19a4a8c4
Instruction Fuzzy Hash: A2E1A371A01214CBC744FBB8E89A62D7BF2EB88300F964969E545E7398DE38EC45C791

Function 06FD0F45 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b2e7b10aeadbca353db8e29dc679038a3084f8fef5096af753142f7f558c6b
Instruction ID: 9ab3f9829bd644a44fd01d5b938c4671e284303237515a5fb31a1e3f6d94416b
Opcode Fuzzy Hash: 33b2e7b10aeadbca353db8e29dc679038a3084f8fef5096af753142f7f558c6b
Instruction Fuzzy Hash: 51A1BF71E043188BC704FBB8E4963AD7FF2EF89300F564469E445E7398DA39A859C762

Function 06FD0F88 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e9e1a78a806d5c9a6be0e166b87a7e4b6926893fbea84a3f194da42dab89ab
Instruction ID: 3f6da79f22c861a715fa2b5d46a22f670372a8cbd1ef606cc063a8f83f1599c8
Opcode Fuzzy Hash: d4e9e1a78a806d5c9a6be0e166b87a7e4b6926893fbea84a3f194da42dab89ab
Instruction Fuzzy Hash: 31918171F002188BC744FBB9E58636DBFF2EF88301F554828E445A7358DE39A859C756

Function 06FD2C58 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933c3a8e7f48bed3a6ed2de53990b3fa15d10c1e56136b620f950651403b710d
Instruction ID: 03d1ca101720bbfb3a74dba19ee09e47771b6bba8a2a82fe6db43be9ed77ae59
Opcode Fuzzy Hash: 933c3a8e7f48bed3a6ed2de53990b3fa15d10c1e56136b620f950651403b710d
Instruction Fuzzy Hash: DC610735E00619DFDB54DFA9C854A9DBBF2FF88311F158159E509AB3A0DB70AE81CB80

Function 06FD2C47 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5b6c2429ffd2c04c011c48e3922c5cc226ab7ba7a5cc08b7a5fbcef5be1d1e
Instruction ID: d2959872c16a47e8b00012a5c9c7db5a5a9e569507e78f5f2d4d6ffe67541d4d
Opcode Fuzzy Hash: 2a5b6c2429ffd2c04c011c48e3922c5cc226ab7ba7a5cc08b7a5fbcef5be1d1e
Instruction Fuzzy Hash: CE610735E00619DFDB54DFA9C454A9DBBF2FF88310F158159E509AB3A0DB70AE81CB80

Function 06FD4BD7 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a04cb8dac45ba2fe6c807c2d491b4390b8a7b5bd44e976522500629ab9dde3
Instruction ID: c997aa78055b2d8174d0d63ec2036ad1d27ff870384f66dd8bf6c5eaaf36c7b1
Opcode Fuzzy Hash: 89a04cb8dac45ba2fe6c807c2d491b4390b8a7b5bd44e976522500629ab9dde3
Instruction Fuzzy Hash: 08415E31E007099BDB14DFA9C89469DBBF2FF88300F14C669E8157B254EB70A985CB80

Function 06FD45D8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba014b7468894f8a0fd938e26b700d80243129bda1ad4b246204a641c66429c
Instruction ID: c3384404c8d879d779e0e8041ed1e253fcc3af31c38d0609504b36009c9c54ab
Opcode Fuzzy Hash: 8ba014b7468894f8a0fd938e26b700d80243129bda1ad4b246204a641c66429c
Instruction Fuzzy Hash: F53156B0E003098FDB54DFA9D84469EFBF6BF88310F54842AD816B7350DB38A904CBA0

Function 0082D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1968566074.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82d000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420f8fa62b29a8af782376142098c429b13538095f9ba9c97ccfd064f40f1a82
Instruction ID: ba60f3b312168421ab1a85cc3d40e3a078dc8cf33ae103bd76c6fe3a483be1fb
Opcode Fuzzy Hash: 420f8fa62b29a8af782376142098c429b13538095f9ba9c97ccfd064f40f1a82
Instruction Fuzzy Hash: A5212871504344DFDB15DF14EAC0B16BF65FB94328F20C169D9094F256C376D896CBA2

Function 0083D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1968632506.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_83d000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0b86d23d7dbbc9fb293ef8b7400f90e2d5972b89b85cf2044a361219eb86dd
Instruction ID: eff2e250532c8fc8d6329e8c17fd6b8a11ff7fffc03813f2d32f12b5482283f6
Opcode Fuzzy Hash: eb0b86d23d7dbbc9fb293ef8b7400f90e2d5972b89b85cf2044a361219eb86dd
Instruction Fuzzy Hash: BC21F275604304DFDB14DF14E9C4B16BB65FBC4318F24C56DE8098B396D336D846CAA2

Function 0083D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1968632506.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_83d000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43a292aab386a98256abf8f0461c4ce2258f7cb4b277f1adc392575b60415c6
Instruction ID: 8ed56beb2449c68721961a1ab099ed1ea54769b06240ad1ae02de5a89b7b8e8e
Opcode Fuzzy Hash: f43a292aab386a98256abf8f0461c4ce2258f7cb4b277f1adc392575b60415c6
Instruction Fuzzy Hash: 4E210071604704DFDB18DF20E9D4B16BB65FBC4714F20C569E84A8B286C33AD807CAA2

Function 06FD2888 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c752e4d69a3f6b746b322651341ec0bd9e793948ad33deab651878aef5673b6
Instruction ID: 51b0951dcd7eefb4dccaa1d5df2da8b9e8a34dc1c7c233216268eec2f88852a8
Opcode Fuzzy Hash: 4c752e4d69a3f6b746b322651341ec0bd9e793948ad33deab651878aef5673b6
Instruction Fuzzy Hash: 2931E2B1D01218DFEB60DF9AC589B9EBBF5AB48314F24841AE404BB250C7B5A945CFA1

Function 06FD2234 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4d23517a349b744c8c320e74c765c85a3530af1f59f31938cad3dfb6d9823a
Instruction ID: 4b4bf06c6584461d43fb9e905babfb9c6195faad35bdddac8769a8817f47306e
Opcode Fuzzy Hash: 6e4d23517a349b744c8c320e74c765c85a3530af1f59f31938cad3dfb6d9823a
Instruction Fuzzy Hash: C231E0B1D11318DFEB20DF99C585B8EBBF1AF48314F24846AE408BB250C7B56945CFA1

Function 06FD2240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2bbb9c1e291464a10799d1d41386e5c9f2b124c96f22047483dd8745e7608b
Instruction ID: 35098101183ec002554dc59191c743ab881b4ad3185e5e409bffcd07fdb5699d
Opcode Fuzzy Hash: de2bbb9c1e291464a10799d1d41386e5c9f2b124c96f22047483dd8745e7608b
Instruction Fuzzy Hash: 1221D0B0C11318DFEB60DF9AC985B8EBBF5AB48314F24842AE504BB240C7B56945CFA1

Function 06FD2083 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaed615b8f09c6c00d8ee476ff4db000addd54474b74ac8d0f4a2e19bba20287
Instruction ID: f7af011a316c24a8dd592ec8da841be1ff098208d5de13621db10f7afe586288
Opcode Fuzzy Hash: aaed615b8f09c6c00d8ee476ff4db000addd54474b74ac8d0f4a2e19bba20287
Instruction Fuzzy Hash: 6111E375F002468F8B01DB7898505BFB7B7FBC42607188A29D559D3380EF309E0187A1

Function 0082D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1968566074.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82d000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 3fc5e4453e7824782628249eda88def2c3b64240cec5eeb4c50af1598d31b483
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 83110376504380DFDB06CF04D6C0B16BF72FB94324F24C1A9D8094B256C336D856CBA2

Function 0083D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1968632506.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_83d000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 5cf77082dfe6ecf8bc51cec3f613abf9b75e456f877b6d5b3a9a027618a52dbe
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 85118E75504240DFCB05CF14E5C4B15BB71FB84314F24C6ADD8498B656C33AE85ACB91

Function 0083D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1968632506.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_83d000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 71028fc3c877447b9a3c825472093806fb09a195745c1bc5642c1f05b1e501f6
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: A611BE75504780CFCB15CF14E5D4B15BB62FB84714F24C6A9D8498B656C33AD80BCBA1

Function 06FD51B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0ff4a3a214631a4b7ef4cdbde9f11099402a31a5adf60886f013d59c432c06
Instruction ID: b66b91281b60233db187a04b5721fb0a167d6ac1d07e164d15655503e10d3b90
Opcode Fuzzy Hash: 2a0ff4a3a214631a4b7ef4cdbde9f11099402a31a5adf60886f013d59c432c06
Instruction Fuzzy Hash: 8E014771F042551B9B55E67D4C5067FB6ABEFC411470D443DD518DB341DE31EC0282D0

Function 06FD4528 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b7a59bce671087ff5cb4e17b11c50ab025e88565fc1fca4e5314c2cfd5ce4f
Instruction ID: ea3c1247a0ea249bf2870f3c53aadc17e1be164e015252d3e771d22944cb59aa
Opcode Fuzzy Hash: 35b7a59bce671087ff5cb4e17b11c50ab025e88565fc1fca4e5314c2cfd5ce4f
Instruction Fuzzy Hash: 3F11B331D0070A8FCB50EFA9C9409EEBBF4EF49310B15966AE558B7211E730EA91CB90

Function 0082D7B1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1968566074.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82d000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456ff7a76d895aa7c88d82b9958cd2b35447589ab33c31011557e2e95dfd844a
Instruction ID: 2b0337e844faae71171ba0ca6b5351bc3a93660afd3dda7cb2ad1f36e1e68d21
Opcode Fuzzy Hash: 456ff7a76d895aa7c88d82b9958cd2b35447589ab33c31011557e2e95dfd844a
Instruction Fuzzy Hash: E401D6315083589FE7205A15ECC4B67BFD8FF45325F28C56AED498F282C6799C84CAB2

Function 06FD2344 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122d59c56bbd284e35cc7e6642ce894b69cc796c906594bc32be0d0c9df4a3bc
Instruction ID: 5af2a8ba58bbc2ce912d0da8373f4c59df1f301d307881adb83a287cfe9c1709
Opcode Fuzzy Hash: 122d59c56bbd284e35cc7e6642ce894b69cc796c906594bc32be0d0c9df4a3bc
Instruction Fuzzy Hash: 3711FA71D04209DFDB55CF59C48979EBFF2AB48310F28C169E928AB290C3719A85CBE4

Function 06FD2350 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08083a81cc48cc1f8be83ee0dd30366a11fc32a5fb95f7eb3e8715770d3b83a7
Instruction ID: 2aaa7b7df2c9e1707daeae78ee1fa3002bef6e598b4a5de48ef7ca2f29234028
Opcode Fuzzy Hash: 08083a81cc48cc1f8be83ee0dd30366a11fc32a5fb95f7eb3e8715770d3b83a7
Instruction Fuzzy Hash: 9B01E171D00209DFDB15CF5AC44579EBEF6BB48350F28C169E918AB290C7759A84CBD4

Function 06FD2A90 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6bd6bc97f97678102d02b30031610bfe44edcdce2d2c53f69e104b52381559
Instruction ID: de2818a12ada0829e9349cb08b962d5a98995ff7aeb6bfc580dc7f75049e6252
Opcode Fuzzy Hash: ea6bd6bc97f97678102d02b30031610bfe44edcdce2d2c53f69e104b52381559
Instruction Fuzzy Hash: A3F0B4717042546F9314D76EDC84D67BBE9EBC922431540AAF548C7311D9309C02C7A0

Function 06FD45C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7da3f8ddde439c92844f815d9e2b3832857385b288fc5dd0d034618590ecac
Instruction ID: e3a02e1638dc70c418a6412c5eb723a8237556c61c63258a8b187c878156bfe8
Opcode Fuzzy Hash: af7da3f8ddde439c92844f815d9e2b3832857385b288fc5dd0d034618590ecac
Instruction Fuzzy Hash: 82014F71E1021A9FDB44DFA4C954AEEB7F6BF49304F144124C812B7394DB356E05CBA0

Function 06FD29F4 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e109e17d52fe4f3cd9fa7c18d9583c8a785ae075a6472db57a7a7929c6797c3
Instruction ID: 16fb25affdb6f150cd71e503ef2409d716c6173ffc43a0ee56541619f3931545
Opcode Fuzzy Hash: 6e109e17d52fe4f3cd9fa7c18d9583c8a785ae075a6472db57a7a7929c6797c3
Instruction Fuzzy Hash: 71011A71C00219DFEB25DFA9C8043AEBAB6FF48721F148625E564AA2A0D3749B40CBD0

Function 06FD6A3E Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cf2800c89dd5c6245439fabbebb1631db3976dd98074917ff25e8ee264d7bc
Instruction ID: b57e5663f7ac800378bd9d7f07b9be4d41e1a4c0b777d3bb0b6bfb9c440b963a
Opcode Fuzzy Hash: b6cf2800c89dd5c6245439fabbebb1631db3976dd98074917ff25e8ee264d7bc
Instruction Fuzzy Hash: 70F03A3131A2904FD3069B39D8548553FA5DF8BA2435900EAE049CB772C965DC06C790

Function 0082D7B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1968566074.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82d000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0301f8f3d84313b771ef5fe7cff3bbea842ca1bb161d9bcfed9c8a1279609c6c
Instruction ID: 5a1aef34d9a31b903a367a3a413ce10dbab041497f5f5d69301224f9992fb89f
Opcode Fuzzy Hash: 0301f8f3d84313b771ef5fe7cff3bbea842ca1bb161d9bcfed9c8a1279609c6c
Instruction Fuzzy Hash: 2FF0C2714043549EE7108A05DC84B62FFD8EB40335F18C56AED084B282C278AC84CAB1

Function 06FDEBEC Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2bc79cf9c4e8f8f970dcaeabd40b4bd5042d40662095f87c327ff07f193073
Instruction ID: e54dda38f05a73a35e8690380f8dbdb2b6ce7001c93d1606e9f37c7d938f7ba7
Opcode Fuzzy Hash: 5a2bc79cf9c4e8f8f970dcaeabd40b4bd5042d40662095f87c327ff07f193073
Instruction Fuzzy Hash: 8501A4755487809FD7129B78E46C7257FE1EF06709B0904C9E881CA297DB28FC21CB51

Function 06FD2A00 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7924bd93cee4875de8c2d85f20fd58f4c4a66567ab161b9980a8313b7bbd05e2
Instruction ID: 5dda1347e3cf2f6d960973b03a13b4199db891380d838df82c54d8f13a6334ae
Opcode Fuzzy Hash: 7924bd93cee4875de8c2d85f20fd58f4c4a66567ab161b9980a8313b7bbd05e2
Instruction Fuzzy Hash: B701FB71C00619DFDB65DF6AC8043AEBAF2FF48751F148625E524AA2A0D7745B40CFD0

Function 06FD50B2 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130f73f7412d21cf6e978adfe2095e43c6c452e4d8d06f937bfa434db71ccb2e
Instruction ID: 5a83ffd293551358123dd9ac3fe05b6127037758843690be5da49cedadaae110
Opcode Fuzzy Hash: 130f73f7412d21cf6e978adfe2095e43c6c452e4d8d06f937bfa434db71ccb2e
Instruction Fuzzy Hash: 8DF08C317002149FD3049B5AE885E9BFBEDFFD9720B24806EF518C7361CAB1AC0286A4

Function 06FD2AA0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3911adc70a7a20ab5949b42beb079c6d05b9179068512c1f137fd5dd08623e
Instruction ID: db0d79ece59a536fdd92d751e41254e9f51ae6fc9f73751fd955c2778952d33e
Opcode Fuzzy Hash: af3911adc70a7a20ab5949b42beb079c6d05b9179068512c1f137fd5dd08623e
Instruction Fuzzy Hash: 90E039767002286F93149AAEE884D6BBBEDFBCC664355807AF508C7310DA319C0186A0

Function 06FD50C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56d59cf64400e9666f016b07da5b214ef3a4c0f124fb4846912aceeaae4107b
Instruction ID: 2f3213c371986060c8fd6110f0e4776494ba6888448edfcea8cec840e6723a05
Opcode Fuzzy Hash: b56d59cf64400e9666f016b07da5b214ef3a4c0f124fb4846912aceeaae4107b
Instruction Fuzzy Hash: 9EE06D317002186FD3049A5E9C40E6BFBEDFFD9720B25806AF504D7361CAB0AC0186A4

Function 06FD5101 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbc4e2b70ed4faabfb23b65b23ec4aceb50c9a4c9417d7d7eb57d18550cc3e3
Instruction ID: 5711feaccd68d7613b5a6c27255906b318ec1711c9e6ed2afeb78d88265f9b75
Opcode Fuzzy Hash: 2cbc4e2b70ed4faabfb23b65b23ec4aceb50c9a4c9417d7d7eb57d18550cc3e3
Instruction Fuzzy Hash: 5DE092763081405FC3058B1AD898F46FFA9EFC9224F1441BAF60D8B362C5629C12C764

Function 06FD6A58 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe40ce4e3307a4b6f600b4d6224dfa0350539a3967186d113e73782e5442b1c9
Instruction ID: 97d701baf86f6562f9e4c01d0525c700aa33ac13183c6705fd333258aa6925b3
Opcode Fuzzy Hash: fe40ce4e3307a4b6f600b4d6224dfa0350539a3967186d113e73782e5442b1c9
Instruction Fuzzy Hash: C3E0EC353105148FC748DB2ED444C597BEAEFCEA2531540BAE509CB331DE71DC018B94

Function 06FD5110 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b1cac6122a4c81ff4ff957bb7ea4b652b1465c67cb6112755b26581e2af4f8
Instruction ID: 3a1b483e1dc2b537d693a674251c2866cb03fd3a9d98971772196d994f68c21d
Opcode Fuzzy Hash: 02b1cac6122a4c81ff4ff957bb7ea4b652b1465c67cb6112755b26581e2af4f8
Instruction Fuzzy Hash: FEE08C763042006FC3148A0EEC88D0AFBADFFC8630B10802AFA09C7360CA30AC01C6A4

Function 06FD44B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea370805839af0095898fc1630bca93b24a2351eb47ac4c1d7090095c39dfcb
Instruction ID: 5f9c7135a5b4c91dabde6057cd5ce61633281cc572f0172c40ffcedee9882614
Opcode Fuzzy Hash: 7ea370805839af0095898fc1630bca93b24a2351eb47ac4c1d7090095c39dfcb
Instruction Fuzzy Hash: B0E07D7A74400047C708465464247BA3F4F8BC4111F0C803FD60AC7281CC350851C360

Function 06FDEBDD Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b3c11150322a3d268538ce8c14ed961d8b1ebd1afcaf062af6af264ad290dd
Instruction ID: 6c81a4a30ba72ac234640ce298993dde03a3f65172f477b51c4952fa6272dced
Opcode Fuzzy Hash: 41b3c11150322a3d268538ce8c14ed961d8b1ebd1afcaf062af6af264ad290dd
Instruction Fuzzy Hash: C0E01739A41200EFCB056F30E42D12A3F76FE59206348486EF806C9752EF2DAD00CB50

Function 06FDEC10 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fa55242b2dbede0a9349ac53d1ed0d978b9e93c40b3fbe33f2eaeb2fbc1616
Instruction ID: af5ef800227f782408b83d5db2c68d229e7161ba9db64e335a8693bb097b2c19
Opcode Fuzzy Hash: 45fa55242b2dbede0a9349ac53d1ed0d978b9e93c40b3fbe33f2eaeb2fbc1616
Instruction Fuzzy Hash: 33E06739640304DFD751AFB6E4285293FE9FA09A063444468E846CA392EF29FC10CA61

Function 06FD1F6E Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b85b5910a587bc0ca1ebecd37432d3ad9740b0f67ecebe00cc322b31beb4c2
Instruction ID: 0e884d457ca8bd7f6affdd6664d6fbbf13c4001c57a707d6bfd598fa2174efaf
Opcode Fuzzy Hash: 54b85b5910a587bc0ca1ebecd37432d3ad9740b0f67ecebe00cc322b31beb4c2
Instruction Fuzzy Hash: 89D06CB625F7D09ED71353309D298827F3A9A6320830E84D7E0959A0B3D4498A29DB77

Non-executed Functions

Function 08A507D0 Relevance: 3.9, Strings: 3, Instructions: 182COMMON

Download Yara Rule

Strings

@, xrefs: 08A508A7
@, xrefs: 08A508AE
@, xrefs: 08A508C5

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: @$@$@
API String ID: 0-1615930675
Opcode ID: 0c79f13a91f4b393e0f41bf09e801137dcfab626cb159b0f96a226b9f3834bfc
Instruction ID: 5abed5fa83a6076434deaab34470ae2ae69fc40227e70e7f257649df0d15cf16
Opcode Fuzzy Hash: 0c79f13a91f4b393e0f41bf09e801137dcfab626cb159b0f96a226b9f3834bfc
Instruction Fuzzy Hash: 16711774E0164ADFCB04CFA9C581AEEBBF2FF88301F14845AD815A7644D734AA82CF94

Function 08A507E0 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

@, xrefs: 08A508A7
@, xrefs: 08A508AE
@, xrefs: 08A508C5

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: @$@$@
API String ID: 0-1615930675
Opcode ID: d45abeecc5dc0753cc5a2fd1d94116dfa1045c2a121b86cad05deda3841e6f60
Instruction ID: 44404c9cb0cc0678627d47abd37bf1cb23e4040a8224019f4128b3a61f721042
Opcode Fuzzy Hash: d45abeecc5dc0753cc5a2fd1d94116dfa1045c2a121b86cad05deda3841e6f60
Instruction Fuzzy Hash: E06117B4D0160ADFCB14CF9AD981AAEFBF2BF88301F14941AD815A7644D7349A82CF94

Function 07482248 Relevance: 3.3, Strings: 2, Instructions: 803COMMON

Download Yara Rule

Strings

F, xrefs: 07482C21
el.appcore.dll, xrefs: 07482BCE

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID: el.appcore.dll$F
API String ID: 0-2414344920
Opcode ID: 84dde406a457276470be0e0a25262729ad0f5bcdf83402caccd11871941a45af
Instruction ID: f9543392c71ef6460327bc0e67cebe8687b43a7463369e0e23c7b1667392f95b
Opcode Fuzzy Hash: 84dde406a457276470be0e0a25262729ad0f5bcdf83402caccd11871941a45af
Instruction Fuzzy Hash: FE62BC70E003148FCB09EBB9D85576EBBF2BF89300F5285AAD449EB354DE38A945CB51

Function 003726A8 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PHq, xrefs: 0037296B
PHq, xrefs: 00372893

Memory Dump Source

Source File: 00000006.00000002.1965838074.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_47879282.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: b727a3f6f135d398e1a36a4dfff87f11dfa855e898652865cf50351ca2bbc800
Instruction ID: 8586353a1146bc384f02091c709fcf3effc68ab00ef2a9b70c999ecc5a6514e3
Opcode Fuzzy Hash: b727a3f6f135d398e1a36a4dfff87f11dfa855e898652865cf50351ca2bbc800
Instruction Fuzzy Hash: 26D1C534A00604CFDB59DF69C598AAAB7F1BF4D301F2680A8E549AB371DB35AD41CF60

Function 08A5C7F0 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Y|?, xrefs: 08A5D2A7
4|q, xrefs: 08A5D302

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: 4|q$Y|?
API String ID: 0-3434971125
Opcode ID: a8d661d8cf9be418b4d9ab291e804060478a66010ec05fca570c680b20815970
Instruction ID: 75756e21fe5f1da8031f93028bca24f08820c78cae9f47f4ac50f30351462a0d
Opcode Fuzzy Hash: a8d661d8cf9be418b4d9ab291e804060478a66010ec05fca570c680b20815970
Instruction Fuzzy Hash: E48108B0E05218DFEB68CF6AC850B9DBBB2BF88300F14C1AAD509A7355DB345A85CF55

Function 08A50DB1 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

#HBF, xrefs: 08A50F3F
w*S, xrefs: 08A50F28

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: #HBF$w*S
API String ID: 0-2996935253
Opcode ID: ac83720a1e42128dc5606c41fe4030cd613edc3536396a9241d152551897321d
Instruction ID: 3f7eb1204a88c2b7ac6c9e521098fc3fdccfc846d6464765f68d28831c3829e4
Opcode Fuzzy Hash: ac83720a1e42128dc5606c41fe4030cd613edc3536396a9241d152551897321d
Instruction Fuzzy Hash: BB71F474E05609CFCB04CFA9C5815EEFBF2EF89311F28946AD815F7214E3349A428B64

Function 08A50DC0 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

#HBF, xrefs: 08A50F3F
#HBF, xrefs: 08A50F38

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: #HBF$#HBF
API String ID: 0-136798975
Opcode ID: fff46da7a9ba651d85859859ab6e4d8269b7c835079ce299ccaf9193b3a2bc63
Instruction ID: d03d64a279d64506fc52820c9e900082ab71de6b2f5633f88a6edfd4f4eb9421
Opcode Fuzzy Hash: fff46da7a9ba651d85859859ab6e4d8269b7c835079ce299ccaf9193b3a2bc63
Instruction Fuzzy Hash: 7D610570E05609DFCB08CFA9D5816EEFBF2FF89311F24902AD815B7214E3749A418B64

Function 08A50B88 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

A{]z, xrefs: 08A50C6B
}\%G, xrefs: 08A50BDA

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: f27aa68f3409021ba4efa0b5d01eb31e74a056ebcb7a304972a1def11977350e
Instruction ID: 8c6518fa141d08ca9e58e993842ad4d61e746eb9352a44f232f234d54925a691
Opcode Fuzzy Hash: f27aa68f3409021ba4efa0b5d01eb31e74a056ebcb7a304972a1def11977350e
Instruction Fuzzy Hash: 2641E971D0460ADFCB44CFAAC5806EEFBF2AB89315F24D429C915BB654E3349A818F94

Function 08A50B7A Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

A{]z, xrefs: 08A50C6B
}\%G, xrefs: 08A50BDA

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: 2b65146d581b2b7f74157bdd5f4fe446b62b9272294677515621847e067ef0de
Instruction ID: 87bfdc81ab6e2bd11c787ca5f7563638f2ccf6e3b8df723442e4d3f01910ade8
Opcode Fuzzy Hash: 2b65146d581b2b7f74157bdd5f4fe446b62b9272294677515621847e067ef0de
Instruction Fuzzy Hash: 5241FA71D0460ADFDB44CFAAC5806AEFBF2BF88315F14D429C915BB654E3349A818F94

Function 08A504D0 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 08A5060A

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: dbbd59667076fea22f432e4283f3992f655a96df593cee1adf08332339bde9ef
Instruction ID: 154a9a4ad11e07e10bcaab9a46665f15050b9fea0330f6955369c6a4894dec7d
Opcode Fuzzy Hash: dbbd59667076fea22f432e4283f3992f655a96df593cee1adf08332339bde9ef
Instruction Fuzzy Hash: 7381F6B4E0060ADFCB04CFA9D581AAEBBF2FF49311F14952AD815A7710D334A982CF95

Function 08A504E0 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 08A5060A

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: f76725c286f93453778b8a003760bd718b4bea6d9517a280e816adb077caa5c7
Instruction ID: 060d9e3c661cc9f7fa25c4b66412502d603959bcb2ce630465d31ab847a53ede
Opcode Fuzzy Hash: f76725c286f93453778b8a003760bd718b4bea6d9517a280e816adb077caa5c7
Instruction Fuzzy Hash: 3571E3B4D0460ADFCB44CF99D5809AEFBB2FF89311F14952AE815AB714D330A982CF95

Function 07482238 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29af6f244c7220aca2bebedbe38507a6c76af8d1ab77e51cf0f33df9a37e5ff
Instruction ID: 4f7b016bea6da7f08c0a1d83fb4554c9d64ab6a33f92f87b0872ccd1c67914fb
Opcode Fuzzy Hash: c29af6f244c7220aca2bebedbe38507a6c76af8d1ab77e51cf0f33df9a37e5ff
Instruction Fuzzy Hash: 15328D70E002148FCB48EFB9D85576EBBF2FF89300F5285A9E449A7358DE38A945CB51

Function 06FD3008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814799eb45d095ab9e2ba55db09d2d8dd0a5dff01d8275ba4c139229098aa379
Instruction ID: c4935de516b1b04a9a3e8fdd5b4288a8fd25c5da8e884d17404698518048c847
Opcode Fuzzy Hash: 814799eb45d095ab9e2ba55db09d2d8dd0a5dff01d8275ba4c139229098aa379
Instruction Fuzzy Hash: FBD1F335D10B1A8ADB11EF64D890699F7B1FF96300F21C79AD4093B214EB70AAD9CF91

Function 06FD3018 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7996efb548731dce0b420d37e382fa74bfeb43692583db662216210fa9216bc
Instruction ID: d40fd1f8b36c0b6c94e595e63bfe89af833797e1bfa18b509011aaee69080560
Opcode Fuzzy Hash: e7996efb548731dce0b420d37e382fa74bfeb43692583db662216210fa9216bc
Instruction Fuzzy Hash: 1CD1E235D10B1A8ADB11EF64D850699F7B1FF96200F21C79AD4093B214EB70AAD9CF91

Function 08A59660 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f81da724fa7afca5a1b4eaa42d3203d32a332177e4b65d792f536961ae6ffc
Instruction ID: 15635fb4eb598060c858d94755eff103509d27c4851995e3c7012a55a58578fc
Opcode Fuzzy Hash: f3f81da724fa7afca5a1b4eaa42d3203d32a332177e4b65d792f536961ae6ffc
Instruction Fuzzy Hash: C4B12670E15219CBCF04CFA5E95469EFBB2FB89701F28952AC80AAB754D7349942CF14

Function 00ACCE34 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1969005732.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ac0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8506d10959bb4739e6c62fe69a633cfeb220f5da7556f33fd49747ea5fc82b
Instruction ID: 6be3d260cd7643b8a5e420aaeb57c84b000dc359e72f5ac299be22e0b6f4e828
Opcode Fuzzy Hash: 7c8506d10959bb4739e6c62fe69a633cfeb220f5da7556f33fd49747ea5fc82b
Instruction Fuzzy Hash: 46A16E32E00215DFCF19DFB5C944A9EB7B2FF85301B16856EE805AB261DB31E916CB50

Function 08A59DC8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e58774c304c3eca6298d701f4bd29038ea154bfff689f84e1e053493df0db9
Instruction ID: d33eb236d856c9da08bdfea770355800218979b6ec853201aac8006636be1758
Opcode Fuzzy Hash: e4e58774c304c3eca6298d701f4bd29038ea154bfff689f84e1e053493df0db9
Instruction Fuzzy Hash: FBA11C74E012299FDB14DF69D580AAEFBB6BF89301F24C269D818A7355D730AD81CF60

Function 08A58468 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d6ca757616a4448336814ac8036fe0aa925b0ac3cd49178c21f4e59f1e6c7b
Instruction ID: b25c6d56738dd3d1bbb759ec2f7fc54b280404408d2a7836a4b02a4ce7dda184
Opcode Fuzzy Hash: 82d6ca757616a4448336814ac8036fe0aa925b0ac3cd49178c21f4e59f1e6c7b
Instruction Fuzzy Hash: 7481F9B4E112198FDB24CFA9D980A9EFBF2FF89201F24C169D818A7355D7349A81CF51

Function 06FDFC88 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef6c1d33cabf17b10cf0c8508b553f9786a1a7c4eec4f8281b99d44621a6f2d
Instruction ID: 3654956468b4b46018a107b005234e277806c0644b5ccbd7b4218046ec59f523
Opcode Fuzzy Hash: 8ef6c1d33cabf17b10cf0c8508b553f9786a1a7c4eec4f8281b99d44621a6f2d
Instruction Fuzzy Hash: 6271E375E161099FCB48CF99D58499EFBF2FF88310F148566E419AB324D730AA41CF91

Function 06FDFC78 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977697762.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fd0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d620ada01dd75255fa162a06923d588b948e072be18b22d724a3accd8fce6f6
Instruction ID: dc6912b4e23720916a6c0ba25f0076aeb763b6b798a732d0942481484af9a37b
Opcode Fuzzy Hash: 5d620ada01dd75255fa162a06923d588b948e072be18b22d724a3accd8fce6f6
Instruction Fuzzy Hash: DF71E475E161099FCB48CFA9D58499EFBF2FF88310F188566E419AB324D730AA41CF91

Function 08A55528 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371362aa8127e66fefb054babd7c9d36d947d8d3702da5ca1589c9d64e96a204
Instruction ID: 57fa105179efcb5995bf0342122aff81195c231b427961988b796585103ed575
Opcode Fuzzy Hash: 371362aa8127e66fefb054babd7c9d36d947d8d3702da5ca1589c9d64e96a204
Instruction Fuzzy Hash: FA512CB0E116198BDB14DFAAC5806AEFBF2FF89301F24C56AD918B7245D7309A41CF61

Function 08A51D90 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7298b37a9436e9bfc5ac7563fef4ce4d6da950a0bad30a557bb6cc083518c8e6
Instruction ID: 84148b5ecbfa6df6506e6ceb48dc353a45dc0fdb7c1f453c0ca9fd2b60501645
Opcode Fuzzy Hash: 7298b37a9436e9bfc5ac7563fef4ce4d6da950a0bad30a557bb6cc083518c8e6
Instruction Fuzzy Hash: D9514B71E006188BEB68DF6B8D4479EFBF3AFC9301F14C1BA850CA6654EB341A858F11

Function 08A51D7D Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e1bc1016bdcd4652214d17fbdf62555580d5ecf105a8df460dab48edc4faa6
Instruction ID: bf255fcf45ed47acca5ea3d48681ab75147f1471b6ea28755de1f92d62a9fb98
Opcode Fuzzy Hash: b4e1bc1016bdcd4652214d17fbdf62555580d5ecf105a8df460dab48edc4faa6
Instruction Fuzzy Hash: D8514DB1E016188BEB58DF6B8D4479EFBF3AFC9300F14C1BA950CA6255EB341A858F51

Function 08A51038 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3674c7f0fad6e95367a5bc1695f71a092a61eb948c61d9b24e52b24ecc568f
Instruction ID: 5b97a31c995ceab49aa92ca75c0cebf95984e553e6cc025b8820260f2d56054e
Opcode Fuzzy Hash: 2e3674c7f0fad6e95367a5bc1695f71a092a61eb948c61d9b24e52b24ecc568f
Instruction Fuzzy Hash: 0441D6B0E0120ADFCB44CFAAC5806AEFBF2FF88711F14C569C805A7754E7349A818B94

Function 08A51028 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25385bf931f40e4dc12cc830000a46046cc7587ac54c228265f4dc3c29e64af8
Instruction ID: 935be8551fb4d71aec7e78cb8d5f027da7b25e99dfb6ae88e12114083919d598
Opcode Fuzzy Hash: 25385bf931f40e4dc12cc830000a46046cc7587ac54c228265f4dc3c29e64af8
Instruction Fuzzy Hash: 9F41E8B4E0120ADFDB44CFA9C5806AEFBB2FF88311F24C569C915A7654D7349A81CB94

Function 08A511D0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1978286340.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a50000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d5eac8df4fc23ad2a37723c8d754d1111f04382456fb8002e042e76ec3a870
Instruction ID: 2a1fd59e30f19d54b5e4b6a2e9d0e1e55494277039a5933160f9e0643f75a2d5
Opcode Fuzzy Hash: f3d5eac8df4fc23ad2a37723c8d754d1111f04382456fb8002e042e76ec3a870
Instruction Fuzzy Hash: 6211EC71E006589BEB58CF6BD84079EFBF3EFC9200F08C17AC918A6264EB3419568F55

Function 0748C6DA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1977910010.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7480000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c3d0e6f35f3972014c1490e0a5c9d51de00373754574b444520a343e42c101
Instruction ID: d02bc96ab5e57b02dbeb3f2894bfbf2862c696414a9f37629f2e8c27e6fffae7
Opcode Fuzzy Hash: 97c3d0e6f35f3972014c1490e0a5c9d51de00373754574b444520a343e42c101
Instruction Fuzzy Hash: 8F11DAB1E006199BEB58CF6BD84069EFBF3AFC8200F14C47AC818A6264DB3459458F15

Analysis Process: 47879282.EXE.exePID: 7536, Parent PID: 5260COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	4.6%
Signature Coverage:	8.3%
Total number of Nodes:	108
Total number of Limit Nodes:	10

Executed Functions

Function 004174A3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417515

Memory Dump Source

Source File: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_47879282.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b562ae60fd54ef7e74e4fbad3805424dc02d567235dc5e9e358a0258f6bb919e
Instruction ID: f6c5d379dfd00e5c801aac207e121da049f09af591d15966f8c96fc6a897d435
Opcode Fuzzy Hash: b562ae60fd54ef7e74e4fbad3805424dc02d567235dc5e9e358a0258f6bb919e
Instruction Fuzzy Hash: C2011EB5E0420DBBDB10DAA5DC42FDEB7B89B54308F4081AAE90897240F635EB588B95

Function 0042C3C3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C3FA

Memory Dump Source

Source File: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_47879282.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 0d6c1d5a7dea3e3ac8bd353e8548748f7cc9621c413f2378338f4d6a5780b421
Instruction ID: 273eda7a2718d54592459fdcfc25ee71535039d36161d44d14b8f944cff5f586
Opcode Fuzzy Hash: 0d6c1d5a7dea3e3ac8bd353e8548748f7cc9621c413f2378338f4d6a5780b421
Instruction Fuzzy Hash: 05E04F352012147BD620FA5ADC01FAB775CEBC5714F40441AFA5867282C674BA1186A5

Function 01822DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01822DFA

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: baf90c2c9d647d189b4a1e253471d7feb3cbc1a106e379a4cb2e93efbc9f45e5
Instruction ID: baf3ec5d843e371f0b603df7c07bc800eae88358576422d1fa6279e0edcae99e
Opcode Fuzzy Hash: baf90c2c9d647d189b4a1e253471d7feb3cbc1a106e379a4cb2e93efbc9f45e5
Instruction Fuzzy Hash: 9C90023120140417D11171584504707001997D1341F99C512B142C558DD6568B57B262

Function 01822C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01822C7A

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee6e601461355f2e0f405b4d3b11b6bf137967023c137955dce2043dced3b36e
Instruction ID: c63dd243a42b645e3a8c6a11fa473432e806145841714139002aa045e7b50a7e
Opcode Fuzzy Hash: ee6e601461355f2e0f405b4d3b11b6bf137967023c137955dce2043dced3b36e
Instruction Fuzzy Hash: 7990023120148806D1107158840474A001597D1301F5DC511B542C658DC6958A967262

Function 018235C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 018235CA

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6018f022a9cf8578e3d60f87faa91c9518a8ef85088f3dd21ed614bbf7845d10
Instruction ID: abfcc4a4fc5aa600ca40bd8e12a29b4196020462ded2d295581abdea42de8388
Opcode Fuzzy Hash: 6018f022a9cf8578e3d60f87faa91c9518a8ef85088f3dd21ed614bbf7845d10
Instruction Fuzzy Hash: 9190023160550406D10071584514706101597D1301F69C511B142C568DC7958B5676E3

Function 0042C6E3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E2F4,?,?,00000000,?,0041E2F4,?,?,?), ref: 0042C722

Memory Dump Source

Source File: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_47879282.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a3ff8bd95b6c0e244e412f48a5c946682ebe11ced0e520ea975b23274235a27f
Instruction ID: bbac8b8c9e56cb2a2a085277208aed22484c5cf44915228a1eee35bc316b08de
Opcode Fuzzy Hash: a3ff8bd95b6c0e244e412f48a5c946682ebe11ced0e520ea975b23274235a27f
Instruction Fuzzy Hash: E6E06D71241205BBDA10EE59EC41FAB33ACEFC8714F004429FA08A7242CA70B91186B8

Function 0042C733 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,4589C033,00000007,00000000,00000004,00000000,00416D24,000000F4), ref: 0042C772

Memory Dump Source

Source File: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_47879282.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ec816f4ca5d82bc13e126eafdd1c8505731cf6343472820f58b8146c89a1b6d5
Instruction ID: 4f04ad0ddf46a811164d14f9c12b7c09251f6089b910ef50b7e2ca345cc76a14
Opcode Fuzzy Hash: ec816f4ca5d82bc13e126eafdd1c8505731cf6343472820f58b8146c89a1b6d5
Instruction Fuzzy Hash: B4E06D712012047BDA10EE59EC42EEB33ACEFC9714F400419FA09A7242C7B0B9108BB4

Function 0042C783 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042C7B7

Memory Dump Source

Source File: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_47879282.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 44598e7aa129b606698fd0b6c4d0a5e634795c6eeec66b10b730062c703b8d78
Instruction ID: 154f639c4073ea2b7b7ba7aff32d001083d1c9a97c5a17a9c9547dc425392c4f
Opcode Fuzzy Hash: 44598e7aa129b606698fd0b6c4d0a5e634795c6eeec66b10b730062c703b8d78
Instruction Fuzzy Hash: 0EE086723016147FD620EA5AEC01F977B5DDFC9724F40841AFA0C67281C675B91087F4

Function 01822C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01822C24

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67c62dbe7c15b3f6fe93467c6dd086d1a71f3f7bdc1f25d54f6bf40f75884746
Instruction ID: f2d610d484d9b5427168d8146d1e952889dbae5ffa978e1785d8d974b521ad21
Opcode Fuzzy Hash: 67c62dbe7c15b3f6fe93467c6dd086d1a71f3f7bdc1f25d54f6bf40f75884746
Instruction Fuzzy Hash: B0B09B719015D5C9DA12E7644608717791177D1701F19C161E3038741F4738C2D5F2B6

Non-executed Functions

Function 01862349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 018625A0
@, xrefs: 01862942
MaxLoaderThreads, xrefs: 018624EC
UseImpersonatedDeviceMap, xrefs: 0186251C
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01863176
CFGOptions, xrefs: 01862967
DisableExceptionChainValidation, xrefs: 0186275F
DisableHeapLookaside, xrefs: 0186246D
GlobalFlag, xrefs: 01862F3F, 01863059
LdrpInitializeExecutionOptions, xrefs: 0186317D
minkernel\ntdll\ldrinit.c, xrefs: 01863187
TracingFlags, xrefs: 01862549
GlobalFlag2, xrefs: 01862FC0
MaxDeadActivationContexts, xrefs: 01862D82
RaiseExceptionOnPossibleDeadlock, xrefs: 01862579
@, xrefs: 01862B74
FrontEndHeapDebugOptions, xrefs: 01862489
ShutdownFlags, xrefs: 018624A1
MinimumStackCommitInBytes, xrefs: 01862BB0
UnloadEventTraceDepth, xrefs: 018624C0

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: a74c1dc9cc35427eb7ab83bd02fa18def2e171b967ff0a7e24087a15635e8ccb
Instruction ID: fde2d581e97f409db69045b9d25051466edc4585af443c2bb3c4c0cc616294de
Opcode Fuzzy Hash: a74c1dc9cc35427eb7ab83bd02fa18def2e171b967ff0a7e24087a15635e8ccb
Instruction Fuzzy Hash: CE929F71604346AFE721DF28C880F6BB7EABB84754F04486DFA94D7291D770EA44CB92

Function 01818620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

corrupted critical section, xrefs: 018554C2
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0185540A, 01855496, 01855519
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018554CE
8, xrefs: 018552E3
double initialized or corrupted critical section, xrefs: 01855508
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018554E2
Thread identifier, xrefs: 0185553A
Critical section address., xrefs: 01855502
Critical section address, xrefs: 01855425, 018554BC, 01855534
undeleted critical section in freed memory, xrefs: 0185542B
Critical section debug info address, xrefs: 0185541F, 0185552E
Thread is in a state in which it cannot own a critical section, xrefs: 01855543
Invalid debug info address of this critical section, xrefs: 018554B6
Address of the debug info found in the active list., xrefs: 018554AE, 018554FA

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 0801db006eb71e5b3c70010ddf4c01c3f45aaf6b700a59a45f64aeb54cc97a86
Instruction ID: 351b3dd58eb99054b8b699d279d23ace0a2632cf469a8e68f61be133350904d6
Opcode Fuzzy Hash: 0801db006eb71e5b3c70010ddf4c01c3f45aaf6b700a59a45f64aeb54cc97a86
Instruction Fuzzy Hash: 698188B1A00358ABDB60CF99C885BAEFBB9FB09B04F24411DF904F7241D3B5AA41CB51

Function 018129F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018525EB
RtlpResolveAssemblyStorageMapEntry, xrefs: 0185261F
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01852498
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01852602
@, xrefs: 0185259B
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018524C0
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01852624
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01852409
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01852506
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018522E4
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01852412

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: cefdd745637a8806b0d53bef8887f53276e12d06447445fbe3b6b62a3b9e7125
Instruction ID: 7d3ffd2fb549040006ee7a3be7b83092d26c32e4f1d5cc5963dd3638a1f92a6a
Opcode Fuzzy Hash: cefdd745637a8806b0d53bef8887f53276e12d06447445fbe3b6b62a3b9e7125
Instruction Fuzzy Hash: FB024FF2D002299BDB61DB58CC80B9AB7B9AB54714F5041DAEB09E7241DB309F84CF59

Function 01890274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 018906EA
HEAP[%wZ]: , xrefs: 01890399, 018904A8, 018905D0, 01890675, 018906CC
Just reallocated block at %p to %Ix bytes, xrefs: 018905F1
HEAP: , xrefs: 018903A6, 018904B5, 018905DD, 01890682, 018906D9
RtlReAllocateHeap, xrefs: 018902BF, 01890362
About to reallocate block at %p to %Ix bytes, xrefs: 018903BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 018904D3
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0189069F

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: b57e228b14c6bc748f3fada01c18cfee6e52ee9985adbd76839a8edb1078d066
Instruction ID: 7dba228acc57933a7ea1b165146dfb466ad4aec016f2620f8b8c207636c947e2
Opcode Fuzzy Hash: b57e228b14c6bc748f3fada01c18cfee6e52ee9985adbd76839a8edb1078d066
Instruction Fuzzy Hash: FAD1EB7160068AEFDF22DFA8C450AA9FBF5FF4A714F098049F585DB612C7349A80CB51

Function 018689B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDebug, xrefs: 01868CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01868A67
VerifierFlags, xrefs: 01868C50
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01868A3D
VerifierDlls, xrefs: 01868CBD
HandleTraces, xrefs: 01868C8F
AVRF: -*- final list of providers -*- , xrefs: 01868B8F

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: a867afebe56723065d2a6f65b393242d8701fa8ad4771ae1d05265f23454de8e
Instruction ID: c4ed03965679cd58ed13ef92c088f8e62ec7d1aeebc5aeb9604c50bca549a63a
Opcode Fuzzy Hash: a867afebe56723065d2a6f65b393242d8701fa8ad4771ae1d05265f23454de8e
Instruction Fuzzy Hash: FC912572A41716AFD721DF6CD890B1AB7ACAB66B14F04041DFA49EB245C7309F04CBA2

Function 018163FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 018540E9, 0185414B, 0185420F, 01854269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 018540D8
Delaying execution failed with status 0x%08lx, xrefs: 01854258
_LdrpInitialize, xrefs: 018540DF, 01854141, 01854205, 0185425F
Process initialization failed with status 0x%08lx, xrefs: 0185413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 018541FE

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: dfc2822e342d63ba59c4d1d830b187cfd574525a1632e213c55c12f8575cf7bf
Instruction ID: d9a85ef3c91945f0f9c326b70b87b1f8e06850b53a6ec3331f78d1dbb8fd770d
Opcode Fuzzy Hash: dfc2822e342d63ba59c4d1d830b187cfd574525a1632e213c55c12f8575cf7bf
Instruction Fuzzy Hash: 74915971A417259BDB35DF18D884BAA7BB5EB10B14F24012DED40E7285F7B09781CB91

Function 017D645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01839A11, 01839A3A
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01839A2A
LdrpInitShimEngine, xrefs: 018399F4, 01839A07, 01839A30
apphelp.dll, xrefs: 017D6496
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01839A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 018399ED

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 9e1e5761dc7490ffbcd6c35846fa34f4134803164b27e94703b4f825d701f668
Instruction ID: 62d19e0406ebfae1b64ed1290e18020d92f17e7d321ae7fae7d50e73ad781124
Opcode Fuzzy Hash: 9e1e5761dc7490ffbcd6c35846fa34f4134803164b27e94703b4f825d701f668
Instruction Fuzzy Hash: 7851D2716083059FD720DF28C851BABB7E4FB84748F54091EF98697261E770EB45CB92

Function 0181C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 01858170
Unable to build import redirection Table, Status = 0x%x, xrefs: 018581E5
LdrpInitializeImportRedirection, xrefs: 01858177, 018581EB
minkernel\ntdll\ldrinit.c, xrefs: 0181C6C3
LdrpInitializeProcess, xrefs: 0181C6C4
minkernel\ntdll\ldrredirect.c, xrefs: 01858181, 018581F5

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 143305c025906ccc6fe642c698b579fe9367594bba1fb3995aea045ebcfda7e5
Instruction ID: 75af88b5ecdfc927ecff08e76ad6ab49dbbd3c3c607f61f661632d873672c2b9
Opcode Fuzzy Hash: 143305c025906ccc6fe642c698b579fe9367594bba1fb3995aea045ebcfda7e5
Instruction Fuzzy Hash: E931E6B26447469BC315EB2DDC45E2AB7A5EF95B10F04051CF980DB295E720EE04CBA3

Function 01812674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01852178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018521BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0185219F
SXS: %s() passed the empty activation context, xrefs: 01852165
RtlGetAssemblyStorageRoot, xrefs: 01852160, 0185219A, 018521BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01852180

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 21579c1e7bd084db256877dc18326bbc685c116956a4fed2c0a97bfe176962c3
Instruction ID: f1223aa27c1fd9d41e8f6a1dca95d924613c23691b9f9508a36b9332b15a0348
Opcode Fuzzy Hash: 21579c1e7bd084db256877dc18326bbc685c116956a4fed2c0a97bfe176962c3
Instruction Fuzzy Hash: E7315776B80215B7E7219A9A8C51F5BBBAEDB50F40F04405CBB04FB204DA70AB00CBA1

Function 017EA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 017EA3EF
6, xrefs: 017EA3F7
LdrResFallbackLangList Exit, xrefs: 017EA3FF
8, xrefs: 017EA3E7

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 355768c80835db10b346bbce0d80cb1369f11499ba7fc0435cec1e6a59474eb1
Instruction ID: f643568d1329f21dcac206912c5a79a5a3870beea1536d45bb88650f3c6007f7
Opcode Fuzzy Hash: 355768c80835db10b346bbce0d80cb1369f11499ba7fc0435cec1e6a59474eb1
Instruction Fuzzy Hash: D1C18A75108386CFD721CF58C048B6AFBE4BF99704F0489AAF995CB251E734CA49CB66

Function 01818402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01818421
LdrpInitializeProcess, xrefs: 01818422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0181855E
@, xrefs: 01818591

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 17c7df39a26a2749d54bc0cb2c4d0f2fedc3d89f3aea62f69c9d5a2cece8ada3
Instruction ID: 11525ed9e065c064c4a31d8aa8c48748f11ee09a04fd58f3c90378b0b6f14edc
Opcode Fuzzy Hash: 17c7df39a26a2749d54bc0cb2c4d0f2fedc3d89f3aea62f69c9d5a2cece8ada3
Instruction Fuzzy Hash: 23917972548345AFD722DB25CC81FABBBECFB89744F40092EFA84D2155E734DA448B62

Function 0181273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 018128D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018522B6
SXS: %s() passed the empty activation context, xrefs: 018521DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018521D9, 018522B1

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 542a82442e6940ecbb50f7d1a5048a80b6062b8bec2a3e4775f8bbd212b41c56
Instruction ID: 53ee2508a1985d2521cb9ff045c390156648d78d6c0cc75f1c42daeed7fcc778
Opcode Fuzzy Hash: 542a82442e6940ecbb50f7d1a5048a80b6062b8bec2a3e4775f8bbd212b41c56
Instruction Fuzzy Hash: 77A1AE36900229DBDB24CF68D884BA9B7B6BF58354F2541E9D908EB255DB309F80CF90

Function 017E64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01841028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01840FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0184106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018410AE

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: f77e8236fc5c9dec75c9c1145109f15c651b99addd541ff876e1549e9b5e8c56
Instruction ID: 995bf2d810326d571405dc4490998870a0d3132cee4961a98518f9260cfd98c3
Opcode Fuzzy Hash: f77e8236fc5c9dec75c9c1145109f15c651b99addd541ff876e1549e9b5e8c56
Instruction Fuzzy Hash: 4271B2B1A043159FCB21DF18C888F97BBE8AF69764F100469F9488B246D734D688CFD2

Function 0180245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0184A9A2
LdrpDynamicShimModule, xrefs: 0184A998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0184A992
apphelp.dll, xrefs: 01802462

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: b3245902742961aed5e1c29526090c495dd9224ca3a10d85bf543f3bc11849ee
Instruction ID: 4586dcd27dd589f46af5f4239f75c9138a464371ea46a4ce83d29d594fcd5c25
Opcode Fuzzy Hash: b3245902742961aed5e1c29526090c495dd9224ca3a10d85bf543f3bc11849ee
Instruction Fuzzy Hash: 4F316AB5680309ABDB35DF5DD885A6ABBB5FB84B04F16001DF911EB245DBB05B41CB80

Function 017F29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 017F3255
HEAP: , xrefs: 017F3264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 017F327D

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 8430e5926bfc2177a83954e7a1dc22397f2ff7635a4238c163b1184ba4baaffd
Instruction ID: 41ec94e5518d3e887dee52710a21eb42d1cda6f195f3b7c6f477e7106dcb77a3
Opcode Fuzzy Hash: 8430e5926bfc2177a83954e7a1dc22397f2ff7635a4238c163b1184ba4baaffd
Instruction Fuzzy Hash: 30929971A046499FEB25CF68C444BAEFBF1FF48310F18809DEA59AB392D734A945CB50

Function 017F0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 018450AE
HEAP: , xrefs: 018450BD
(UCRBlock->Size >= *Size), xrefs: 018450CA

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: c8701abd47a2182965f74eb5eeacaad8ada00e4aed3b25075c6dc4c8b2980576
Instruction ID: 8dd7d0f425b8dc87dfd5f840fd2a5675b71242a177fc1ba3377e12fc32041b72
Opcode Fuzzy Hash: c8701abd47a2182965f74eb5eeacaad8ada00e4aed3b25075c6dc4c8b2980576
Instruction Fuzzy Hash: 8DF19C7060060ADFEB15CF68C894B6AF7B6FF44304F1481A9E616DB392D734EA81CB91

Function 01806962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0184CA51
@, xrefs: 01806C24

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: b55264ffb613bc2201b61b50b73e465171e6460c1191d798dcecdbf7766fd07d
Instruction ID: e6e217a8ac262a4e846562c56d7325078771ae23563248684e6acc491edaa620
Opcode Fuzzy Hash: b55264ffb613bc2201b61b50b73e465171e6460c1191d798dcecdbf7766fd07d
Instruction Fuzzy Hash: 91C284716093499FE766CF28C840B6BBBE5AF88754F04892DF9C9C7281D734EA44CB52

Function 017DA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0183C1E4
FilterFullPath, xrefs: 0183C2E6
UseFilter, xrefs: 017DA1C1

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 37dde3c519524d99f010e39d6bf6fac5316edb572f614d473f2ef096ad83e12b
Instruction ID: e2e1f6f374ba060624e5bb559deae3a8df16030d015c8fa01458382bc3afcecf
Opcode Fuzzy Hash: 37dde3c519524d99f010e39d6bf6fac5316edb572f614d473f2ef096ad83e12b
Instruction Fuzzy Hash: 5EA14D719116299BDB319F68CC88BAAB7B8FF84710F1401EAE909E7251D7359F84CF90

Function 0181C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 018582E8
LdrpInitializePerUserWindowsDirectory, xrefs: 018582DE
Failed to reallocate the system dirs string !, xrefs: 018582D7

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 7499f8ccd1c8c2367bbaaf1a70dfad93b7e5079b4ecbaf84940f921cb3f2db29
Instruction ID: 9ef8a325d5ec5e1c27f28707c8fdba672053e5bfd60a23ccf5bbc3cff89143ea
Opcode Fuzzy Hash: 7499f8ccd1c8c2367bbaaf1a70dfad93b7e5079b4ecbaf84940f921cb3f2db29
Instruction Fuzzy Hash: 0341F472541305ABC721EB6DEC44B5BB7E8EF44750F10492EF954D3295E7B0DA00CB92

Function 0189C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 0189C1F1
PreferredUILanguages, xrefs: 0189C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0189C1C5

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: a175ffd348ead7c8052478c3e787e45c0569b91a1d519cf74cafda8225647176
Instruction ID: 4e27aecd2c1ed871e4f28d71cac519e850957638231abbf6e4804e155eecd0b7
Opcode Fuzzy Hash: a175ffd348ead7c8052478c3e787e45c0569b91a1d519cf74cafda8225647176
Instruction Fuzzy Hash: 78416271E00219EBDF11DBD8C851BEEBBB8AB55704F1440AAE609E7280D7759B44CB50

Function 01874144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01874160
LdrpResValidateFilePath Exit, xrefs: 01874172
@, xrefs: 01874225

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: ee7b016afe0fad2c9ae25f4357b0675cc05ae047860e90ea67d03d3725a548d6
Instruction ID: 82746dc96e8653f018bfd5bc9daff0e71d457ab02d57619ed6587b6ec75d3234
Opcode Fuzzy Hash: ee7b016afe0fad2c9ae25f4357b0675cc05ae047860e90ea67d03d3725a548d6
Instruction Fuzzy Hash: A2412531A046498FEB26DBE8D844BADBBB8FF65344F140459DA11EB791DB34CA01CB21

Function 01864755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 0186488F
minkernel\ntdll\ldrredirect.c, xrefs: 01864899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01864888

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: d88aad8fe3c9ab2b46670c4b6e2e5f853014a0f2629c18723fecd23a7d79854a
Instruction ID: 1fc73fd0df1e9f84828f3ea6ce083b2f2f6bbc6b649cbb2deb7a9b9de3fd1139
Opcode Fuzzy Hash: d88aad8fe3c9ab2b46670c4b6e2e5f853014a0f2629c18723fecd23a7d79854a
Instruction Fuzzy Hash: 4A41E432A057598FCB21CE6CD940A2ABBECEF89750B06025DED44D7351D730DA00CB81

Function 018620DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01862104
LdrpInitializationFailure, xrefs: 018620FA
Process initialization failed with status 0x%08lx, xrefs: 018620F3

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: ac9b01624c208dfa755ed47455c61aa43b2342377a6859c19a1c7d2025daf8e6
Instruction ID: bd90621c4cef4d9fac36d99a7622210eee251aeaf01fe53aeffaaf79e7e308f2
Opcode Fuzzy Hash: ac9b01624c208dfa755ed47455c61aa43b2342377a6859c19a1c7d2025daf8e6
Instruction Fuzzy Hash: 00F0C2B5681708ABE724E64CCC56F9A77ADFB40B54F51006DFA00B7282D6B0AB40CA92

Function 017F03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01844D8A

Strings

#%u, xrefs: 01844D82

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: a00f958010ab6553e273c41eb1f7363b192e1c00d63c6a00103dc7d8272452ff
Instruction ID: 4f767b68363de7332c1d4426e50a06144125ac3278a9b6da704bf89b96ccfc5d
Opcode Fuzzy Hash: a00f958010ab6553e273c41eb1f7363b192e1c00d63c6a00103dc7d8272452ff
Instruction Fuzzy Hash: 1E712871A0014A9FDB05DFA8C994FAEBBF8BF18704F144069EA05E7351EA34EE41CB65

Function 017EA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 017EAA13
LdrResSearchResource Exit, xrefs: 017EAA25

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 7b7d67330376e830ae7d88e72cf656394997904e286cec1b121bc6d154fe70ee
Instruction ID: 1f86c26cfb21818b3d313257ec718196638fb3270bec69b4bb99ec3a82d3d7f2
Opcode Fuzzy Hash: 7b7d67330376e830ae7d88e72cf656394997904e286cec1b121bc6d154fe70ee
Instruction Fuzzy Hash: 77E17071A042199BEF22CF98D988BAEFBFABF58314F104566F901E7251DB34DA40CB50

Function 018AA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 018AA551
`, xrefs: 018AA44B

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: e41d68e943259953139c7fe1e7b11b11961f1ebef9cbccb0d34cd0c168f0d049
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: F6C1E0312043429BFB29CF28C841B6BBBE5AFC4318F484A2CF696CB690D775D605CB52

Function 0185E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0185E751
Legacy, xrefs: 0185E75A

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 5292e27239e60f6adfcf78c72eb91f65d292fd2e87954f99a616d4510470328a
Instruction ID: 78265fc57886309e78b0bad6cc5160eaa97bd057c21f26f50b52bd1996c2d467
Opcode Fuzzy Hash: 5292e27239e60f6adfcf78c72eb91f65d292fd2e87954f99a616d4510470328a
Instruction Fuzzy Hash: C1617B72E002199FDB65DFA8CD80BAEFBB5FB48704F54406DEA49EB241D731AA40CB50

Function 018843D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01884437
MUI, xrefs: 01884525

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 91eb28af5fedead763e2a0f115b7fb622591bf83b4be7d55efc14c0635a5b685
Instruction ID: 8e8323d2f52ab62599e6b100eb638e9d78b32f054068f30fe58521618c8cd3c5
Opcode Fuzzy Hash: 91eb28af5fedead763e2a0f115b7fb622591bf83b4be7d55efc14c0635a5b685
Instruction Fuzzy Hash: 4A51F872D0021EAEDF11DFA9CC94BEEBBB9EB58754F100529E611F7290D6309E45CB60

Function 017E04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 017E0540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 017E063D

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: c6cf5912fd8500fb350ec69b74c6a87e0cf0c58da1a524b5fd224b6e31ef8307
Instruction ID: b20db9aa63d8bd91ab91804ceb25c0264625c9400aed74e316af9f3279efa223
Opcode Fuzzy Hash: c6cf5912fd8500fb350ec69b74c6a87e0cf0c58da1a524b5fd224b6e31ef8307
Instruction Fuzzy Hash: 7E51AE716047429FD725DF68C448BA7FBE4AF88304F24483EEAA987241E7B4D545CFA2

Function 017EA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 017EA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 017EA309

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: f4b2281d92b1be9cfd8554d0a8dcc410809bc8a546ad504aa5e0d4abe902a202
Instruction ID: 92b0e53529537d55981a1ac8b4babc10dd0852cd74002598b889d7027d956580
Opcode Fuzzy Hash: f4b2281d92b1be9cfd8554d0a8dcc410809bc8a546ad504aa5e0d4abe902a202
Instruction Fuzzy Hash: 39419D31A08649DBDB11CF59D848B6ABBF5FF88704F1440A9E914DB391E7B5DA40CB50

Function 0181A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 0181A5E4
Threadpool!, xrefs: 0181A5E9

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: d26b727f05b6683990e3e3e568ef717d9726069eccb05a6a1d1b94e23b3db4bf
Instruction ID: 341e1d64590a292f9bfb3473498f8bea5ee3be3b0c6aa9b24ec6f16002c9e207
Opcode Fuzzy Hash: d26b727f05b6683990e3e3e568ef717d9726069eccb05a6a1d1b94e23b3db4bf
Instruction Fuzzy Hash: 4C01D1B2245744AFD311DF14DD45B1677E8EB94B25F058939E648C7194E334EA04CB46

Function 017EC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 017EC8C3, 017ECA40

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: b9f0ac0e208873325af647648fbb05c0a28c4b710669e73398e17166e2f202d7
Instruction ID: a33c636ea8070de7ed5a662e9fc3a95f79feaaa96f173fa361dacb95e9509e57
Opcode Fuzzy Hash: b9f0ac0e208873325af647648fbb05c0a28c4b710669e73398e17166e2f202d7
Instruction Fuzzy Hash: 89825B79E002198FEB25CFA9C988BEDFBF5BF49310F148169E919AB351D7309981CB50

Function 01866420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 018665C1

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2c241fd10091da917f4232d557f76aeb2769655a6c3caf13db71f833a7fc9c2a
Instruction ID: dad4951c2bc6bfc9fe981022988312bd5507c1d223755764a302b24af52cf4d6
Opcode Fuzzy Hash: 2c241fd10091da917f4232d557f76aeb2769655a6c3caf13db71f833a7fc9c2a
Instruction Fuzzy Hash: 80916672900259AFDB21DF99DD85FAEBBB8EF18750F200065F600EB191E774AE00CB51

Function 0188E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0188E1FA

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: afb41b14390dcc5204b43afc0255673ab15d734b0d526b75bc02cc514da1215b
Instruction ID: e2e136d61fb414dc904150cbd70b32185b55d21d576558bcd5b1535c983bb4da
Opcode Fuzzy Hash: afb41b14390dcc5204b43afc0255673ab15d734b0d526b75bc02cc514da1215b
Instruction Fuzzy Hash: 9D91B032901609BFDB22AFA8DC44FAFBBB9EF45754F100029F501E7251EB749A41CB91

Function 0181A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 018567C9

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 07e8d3537e884972ad901ff3f842805ed66243ef5761c9c28d4248bf1eaa71ce
Instruction ID: 1d81dde888cc4f1f193834fbeb3ea351155e2a4a5ab1ed8146454c115af443df
Opcode Fuzzy Hash: 07e8d3537e884972ad901ff3f842805ed66243ef5761c9c28d4248bf1eaa71ce
Instruction Fuzzy Hash: EF714DB5E0020ADFDF68CF9CD5906ADBBB1FF48714F64812AE905E7245E7319A41CB60

Function 017FE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 017FE6A4

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 435ab585725cd3a6ed46e15a6415794899a84863af3f06db284f05eacb41e5b0
Instruction ID: 1c8d9b953beb188ecc6d64090c099ee888df5ad8a13c825b9ae16312daa53543
Opcode Fuzzy Hash: 435ab585725cd3a6ed46e15a6415794899a84863af3f06db284f05eacb41e5b0
Instruction Fuzzy Hash: 724191725083029BD721DA79C884B6FF7E8AF88714F45092DF684E7290EB74DA04C7A3

Function 0185C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0185C77F

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 5610fc7f48c4fd44b25dbf62897048aefa5ffd5e5805f818cdedcc3a72a64504
Instruction ID: 9b54335ca807c634de48de7a0832eaa739391a1ea5d094c65ec351b18b2088ec
Opcode Fuzzy Hash: 5610fc7f48c4fd44b25dbf62897048aefa5ffd5e5805f818cdedcc3a72a64504
Instruction Fuzzy Hash: 834151B1D0022DAADB61DA54CC84FDEB77CEB45714F0045A5EA08EB141DB709F89CFA5

Function 0186892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0186895E

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: eb1c4a9ff316a01a5284cc00f2cbd1ae689c0404108ed0bfeb6b504beb79e92b
Instruction ID: 35a01aed698f8fdf475e7d5bc7dd120d7e6cff3506c574cba0257650b4a2cf15
Opcode Fuzzy Hash: eb1c4a9ff316a01a5284cc00f2cbd1ae689c0404108ed0bfeb6b504beb79e92b
Instruction Fuzzy Hash: A9012B312013059FE7305B59CCC8B5A7BBDEF97758B04041DF64987655CB206A44C792

Function 01882000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5822da4c970dbabbb28b86ebca121c06609a0b96cb0f40e621c758b780686f4a
Instruction ID: cb43d288749228f808aeaa7701e8f53087f760f04079a3b58e58c47333a6bc99
Opcode Fuzzy Hash: 5822da4c970dbabbb28b86ebca121c06609a0b96cb0f40e621c758b780686f4a
Instruction Fuzzy Hash: 3842D5356083419FDB25EF68C890A6BFBE6BF88304F18092DFA82D7251D770DA45CB52

Function 01878158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7da4e79d168590831a6d0b5e87c8ef22948de31999fe47816ab39d73c470d1
Instruction ID: 9e04333351a30f7424093d7896750f1e958403645f86f7ab9fe3f56813d1d24c
Opcode Fuzzy Hash: 0b7da4e79d168590831a6d0b5e87c8ef22948de31999fe47816ab39d73c470d1
Instruction Fuzzy Hash: 8A426D75E102199FEB25CF69C885BADBBF5BF49300F148099E949EB242D734DA81CF60

Function 0188A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bd4341578476049f8ddaf75ddcf0ec923e0838f6c28c0d51bdfc1c7d87d819
Instruction ID: e86ce58efa966f457264b3aea7882e477cb411b9b8c4dfc087dd73274fb60e6b
Opcode Fuzzy Hash: 81bd4341578476049f8ddaf75ddcf0ec923e0838f6c28c0d51bdfc1c7d87d819
Instruction Fuzzy Hash: 4522C3742046558BEB29EF2DC090772BBF1AF44308F08845BE996CF2C6E775D692DB60

Function 0187892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f70a74399f566b686726313ba89278404a3cec01b99453d2e8ddbd135f96b8
Instruction ID: 5dc2776b26cce6f4e062dfbdfbe3b79d32b2246b7ad9727b8854f8e28c6ddc5b
Opcode Fuzzy Hash: 10f70a74399f566b686726313ba89278404a3cec01b99453d2e8ddbd135f96b8
Instruction Fuzzy Hash: 9CD1E071E0060A8BDF15CF69C885BFEBBF1AF89304F188169D955E7241E735EA05CB60

Function 017E65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b13f7540f583260cb6dad47e267d3a7dab60884a00c9b76a73487dfb8f86f6d
Instruction ID: 35ef7d9bafc3e2ac4f5f062d8c0452dfee03f0652542b933911204b7676c3ed8
Opcode Fuzzy Hash: 3b13f7540f583260cb6dad47e267d3a7dab60884a00c9b76a73487dfb8f86f6d
Instruction Fuzzy Hash: D8E18A71608342CFC715CF28C088A6AFBE0BF99314F158A6DF99987351EB31E945CB92

Function 017D8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4c0885767d52a668a4a593b764701f02bbace3f44f486d56633bcd5179a85c
Instruction ID: 10edc796225d7f8c67915a7dc24e35104141b348ea59a01a9125403d1a2ebfff
Opcode Fuzzy Hash: 9d4c0885767d52a668a4a593b764701f02bbace3f44f486d56633bcd5179a85c
Instruction Fuzzy Hash: B8D1F4B1A0020A9BDB14DF68C881ABAF7F5FF94314F09466DE916DB281F734DA50CB91

Function 01868243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 5ddd6a94878f961b3b9465f4a704ffbe29260c9665f8c59890ce562c586c6675
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: B2B17074A00709AFDF25DF99C940AABBBBDFF85304F10446DAA0AD7794DA74EA05CB10

Function 017F0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 34eac67af632e01c2c36b2491fc73adb82b43ba45191b6426aecdf90a6b335a2
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 1CB1B43160464AAFDB25DB68C854BBFFBF6AF44300F244199E652D7386DB70EA41CB90

Function 017E83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee88684ab8bd2afd25cf7b3eeac42723770dad77b77b0afbf5a1268b10a99839
Instruction ID: 8c4e07d08cc436350acf2e4a22bb7e57459d88bef9470becaa3657439a686f44
Opcode Fuzzy Hash: ee88684ab8bd2afd25cf7b3eeac42723770dad77b77b0afbf5a1268b10a99839
Instruction Fuzzy Hash: 64C157746083458FE764CF19C488BAAB7E4BF88304F54496DE98987291DB74EA48CF92

Function 017DC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b0f2f62a00ac549f0e906cb8638060be404eb3f883736342c53eab5c972923
Instruction ID: 23bd39fc096f2b484db3b785f10977894e6e4d656baf89c4ba5fdc90e01aa11c
Opcode Fuzzy Hash: 64b0f2f62a00ac549f0e906cb8638060be404eb3f883736342c53eab5c972923
Instruction Fuzzy Hash: 4DB18170A0026A8BDB65DF58C890BA9F7B5EF44700F6485EDD54AE7281EB309E85CF21

Function 0180E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b96d3f0d4aaddc854d4329065105592a5a6af37d9dd7bad4d290d8c2cd24b59
Instruction ID: d6b1f47c7452704c82019250be6ce99e403550fa170b394070c4822154ab5248
Opcode Fuzzy Hash: 0b96d3f0d4aaddc854d4329065105592a5a6af37d9dd7bad4d290d8c2cd24b59
Instruction Fuzzy Hash: CDA1E631E0066D9FEB22DB5CDC48BAEBBA4AB01714F150529EB11EB2D1DB749F40CB91

Function 01820185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d795b3769173382e1bc12cc6d8eca1c5deb40c2189089a2b229fd253f0841f7
Instruction ID: 9f8820a4eec3ae911a13aefc7f957a870644011ac85fa58d2949d3934dd74069
Opcode Fuzzy Hash: 4d795b3769173382e1bc12cc6d8eca1c5deb40c2189089a2b229fd253f0841f7
Instruction Fuzzy Hash: 98A1C270B0062ADFDB26CF69C990BAAB7F1FF54318F104129EA05D7281DB34EA55CB50

Function 018B4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22203823c306af3cad3235141b13427470d8bd33b207669be8aae1175c9ca954
Instruction ID: cc11ff30b65e9b5fa6c750b16cda2f9fc60f7d20405234fc97635c2ec6753c4f
Opcode Fuzzy Hash: 22203823c306af3cad3235141b13427470d8bd33b207669be8aae1175c9ca954
Instruction Fuzzy Hash: A3A1BD72A04616AFD712DF18C985BAAB7E9FF48704F15092CE686DB752D334EA00CB91

Function 018660E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b214e89c4f41d58e9a0fda0fca73873029f1f4b5f4e2061f98a70bc8d3e384
Instruction ID: acdbd8ce27f236b8770803e26cdb3e401bcec28395840369a5565011bb7a4db9
Opcode Fuzzy Hash: 82b214e89c4f41d58e9a0fda0fca73873029f1f4b5f4e2061f98a70bc8d3e384
Instruction Fuzzy Hash: 36919671D0065AAFDB15CF68D884BAEBFB9AF48710F254159E614EB341E734EF009BA0

Function 017FE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dba4a74d7140aa50a87d4dab0f013f5849c1aecc6f253a246337af9a7a52b16
Instruction ID: 1b94daeb45751a22a36bc974fd6ecdf82d27e87e1a9133e184bbdd3165fe1838
Opcode Fuzzy Hash: 4dba4a74d7140aa50a87d4dab0f013f5849c1aecc6f253a246337af9a7a52b16
Instruction Fuzzy Hash: 1C91F631A0061ACBE724DB5CC888B7BFBA1EF94714F2640ADEA05DB355EE34DA41C751

Function 0181E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16443213f55e1b3073e59b8a5654b0adc8e4477dbc0b34d280d22e661171e618
Instruction ID: 698f67c2baaea7dd4362c1f0484b14d2979d4a8c7db70c6d93a737e3ceb34e6f
Opcode Fuzzy Hash: 16443213f55e1b3073e59b8a5654b0adc8e4477dbc0b34d280d22e661171e618
Instruction Fuzzy Hash: 8B811171A00609DFDB26CFA9C880ADEBBF9FF48354F144429E955E7254D730AE45CB60

Function 017FC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e281f483e5a6ea0677607bae601e96e1f9e1f76280bfa6dcc7d700eb1bdb34
Instruction ID: 242582882dc16fb96002c7a54481b1d5f1f6f1d4cf25cc4549ce1d3cbe520e7d
Opcode Fuzzy Hash: 96e281f483e5a6ea0677607bae601e96e1f9e1f76280bfa6dcc7d700eb1bdb34
Instruction Fuzzy Hash: BC71A075D0566D9BCB268F98D890BBEFBB0FF59710F14415EEA81AB350D7349A00CBA0

Function 018947A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8436947701614584f9d774781b4377164c753157d8b5861f786227dc8d76904
Instruction ID: 6e54bb9deab6f1aea1ba1934ade4442c9e817b0c85bb735a25e82c3345d90719
Opcode Fuzzy Hash: e8436947701614584f9d774781b4377164c753157d8b5861f786227dc8d76904
Instruction Fuzzy Hash: A1717F70901309EFDF20DF59DA44A9EBBF9EF94310B28415AE610EB258E7398B45CF54

Function 017F260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1176bcdc4e30c82c4bd0bac95b8d65088d44b13d24e7c10d29d302c9c2cff6b
Instruction ID: de163cf5ee9d2d1f27b4f4c4266451f972dc4b999505d08610c3edd1b7ef6de5
Opcode Fuzzy Hash: b1176bcdc4e30c82c4bd0bac95b8d65088d44b13d24e7c10d29d302c9c2cff6b
Instruction Fuzzy Hash: 5571BD316042429FD312DF28C484B2AF7E5FF88310F0485AAEA99CB756EB34D945CBA1

Function 0186035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 18c44d81780f3bd5ebdbdf252b58c09292c9784819fe4feddd672ffb6d5d9ea6
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 4C716F71A0061AEFDB10DFA9C984EDEBBB8FF48700F104569E605EB290DB34EA41CB54

Function 018762A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849f8c5ace4c677ee624fd6008288cd7edd5693248d99e739f4ad9668ae66c09
Instruction ID: d1982705e1b2a2d9bbdfbf52492dd23f2a61ba314b8d8a736a050465c8396ad3
Opcode Fuzzy Hash: 849f8c5ace4c677ee624fd6008288cd7edd5693248d99e739f4ad9668ae66c09
Instruction Fuzzy Hash: 5871E432200B01AFE732DF18C884F66BBB6FF44764F254518E255CB2A1E775EA44CB50

Function 018B8324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b395ff0ce6d8c7543e14b5c5437f4444b0ce044c3d3ab49e6453eeaf0644bb72
Instruction ID: 65bd98be960cf1da3efa398e7cf5b76057efa191e9efe9024680539fdc561bd6
Opcode Fuzzy Hash: b395ff0ce6d8c7543e14b5c5437f4444b0ce044c3d3ab49e6453eeaf0644bb72
Instruction Fuzzy Hash: B0712C71E00219AFDF16DF94C881FEEBBB9FB09350F104119E621E7290D774AA45CB91

Function 0189A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93560bbeb438223ab1677b4a8a256c0445f41f9f7cce7fffcc3218831d192c9
Instruction ID: 7778713a71117f7d4e7404e9e9cbbd246d80ce9b9e089a013c9a4646c2c798ee
Opcode Fuzzy Hash: a93560bbeb438223ab1677b4a8a256c0445f41f9f7cce7fffcc3218831d192c9
Instruction Fuzzy Hash: B551C172504712AFDB16DE68C884E5BBBE8EBC5754F050929FA40DB250D770EE04CBA3

Function 01888350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6290bad73eaeea12f3862fc8748cc2e1c8a607991988f5174b0e8f2912c992b3
Instruction ID: 58a934b08728c8dfda5f7921a0441dccd70512745f4f1aef68027b28c837088d
Opcode Fuzzy Hash: 6290bad73eaeea12f3862fc8748cc2e1c8a607991988f5174b0e8f2912c992b3
Instruction Fuzzy Hash: 57511171900709DFD721EF5AC880AABFBF9BF55710F50461EE292D76A1C7B0AA40CB50

Function 0181E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c85e5f600ba74645e2b0c77027a0e9e8273229062f8e7f558da8454911b3d2a
Instruction ID: fa342502f86416780de9cc180d05eb19ce3239afa773b37c2fd44a47bcd975c4
Opcode Fuzzy Hash: 1c85e5f600ba74645e2b0c77027a0e9e8273229062f8e7f558da8454911b3d2a
Instruction Fuzzy Hash: 04516B72640A16DFCB22DF69C984FAAB3BDFF14784F410829EA52D7664D734EA40CB50

Function 01884180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734da0010ec2d9fbb41e3d015f8ef212a17cda8b72075d850a50d1597f87e4b
Instruction ID: 5b47015a12942a9ef54090d2ad073a2358b20ebf6fe4bf793dc00be181410e18
Opcode Fuzzy Hash: e734da0010ec2d9fbb41e3d015f8ef212a17cda8b72075d850a50d1597f87e4b
Instruction Fuzzy Hash: 205158726083469FD754EF29C880A6BBBE5BFD8308F44492DF599C7250EB30DA05CB92

Function 018045B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: fee29951f039b5d8c3473c073439fcbc286a77c58a10d55f74b8f074039708ec
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 6A51A071E0421EABDF56DF98C840BEEBBB9AF45754F044069EA01EB281D734DE44CBA0

Function 0186E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: b62c59ec6523069fd03d96cb5160a1efb298ff81007303b52aec364ab5e6f985
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 0951A335D0021EEFEF21DE98C884BAEBBBDAB00324F154665D612F7290D7309F448BA1

Function 0181A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03caa75d65809b8d05c49f8ea1d5ec67ca638d3f1a58692b5b008e6a56da7f16
Instruction ID: bb108d1dbd8c866d5e039194307962b36ce87ec8816482ca42bc93d44569d996
Opcode Fuzzy Hash: 03caa75d65809b8d05c49f8ea1d5ec67ca638d3f1a58692b5b008e6a56da7f16
Instruction Fuzzy Hash: 58411C72B423459BDB29EFACD8C1B6A7769EB15708F41002CFE16DB245E7719B00CB51

Function 018AA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: f542b0241504da61b1d0af3e5c07f42fb8e30e8340a14cc3a04115158da7755b
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 5941E8716007169FE729CF18C994A6AB7E9FF80314B45462EE912C7B44EB30FE05C791

Function 018101F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa2c2ce4d9c029f6d6be7d2a75967e20824a9f031c50a597c0815c94fa32463
Instruction ID: 0a6f2a09f3f0595a017f6a3e22b5eb803d8e1dcfa722f9b897245af270b18437
Opcode Fuzzy Hash: 7aa2c2ce4d9c029f6d6be7d2a75967e20824a9f031c50a597c0815c94fa32463
Instruction Fuzzy Hash: 6841BF36900219DBDB11DF98C840AEEBBB8BF48714F14815AF919FB344D7349E81CBA5

Function 01822750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 77324b7b58b1f21333c8920a871b147beae5297af0fd9b3ffdbfca602ff3c579
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: E1513975A002198FCB59CF98C4C0AAEFBB6FF84714F2482A9D915E7351D770AE81CB90

Function 017E6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1994e21bc28e7e9071f2cf88bfe1a12f5f9f82645e2d2792305e9d760f3405ec
Instruction ID: af5297b70e88b14bf0af29a94c5230bd02ba4ca480bc8ef0fe8d41691e742ef3
Opcode Fuzzy Hash: 1994e21bc28e7e9071f2cf88bfe1a12f5f9f82645e2d2792305e9d760f3405ec
Instruction Fuzzy Hash: 0D51E97090421ADBDB259B68CC08BE9FBF5EF15314F1442A9E625D72D5EB349A81CF40

Function 018A866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 93c199cf3a93e64fc9ba1b123710284da5be4f921aa3528a4fd7044e71fe24de
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: C5418075B00205ABFB15DB99C884AAFBBBAAF89711F544069E904E7341DA74DE01C760

Function 0180A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719df193870ff80ea9b7afb06278e76d7564cc6521ff6db78cf506b63d7a00b4
Instruction ID: 191956691285387c93ed8a5966bf304167f78c4f5e0f88d5b2f661581bde6ae0
Opcode Fuzzy Hash: 719df193870ff80ea9b7afb06278e76d7564cc6521ff6db78cf506b63d7a00b4
Instruction Fuzzy Hash: A9419A32A4170D8FDB6A8FA8D8947A97BB0BB14314F050199E415FB2D5DB359B40CBA0

Function 017D8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de315fd1b78fa7d326db61d2ba00d71aafa65a4d759f1c400a29f3934c7c9ea
Instruction ID: d051785c952a34742c44a2139c6ffefeca07ade403775a627f47aacb005e5319
Opcode Fuzzy Hash: 6de315fd1b78fa7d326db61d2ba00d71aafa65a4d759f1c400a29f3934c7c9ea
Instruction Fuzzy Hash: 1941497150870A9ED312DF698940A6BF7E9EF84B54F45092AFA84D7250E730DE058BE3

Function 017DA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: b7bfef269ec20d44bb3cbdba70f179be4c17e3df72edc5a53ed7d00b72fc7583
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 1C412771A00219DBDB21DE6984447BAFB71FBD0754F19806AE945DB284E633CE80CBD0

Function 017E09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff63f1d617d8f3b818659173b70badffcbb87dd38b56bcc5333f06dfc743112d
Instruction ID: 053d1fda725d3903cc2cb301b7ec31b13b686027ff2f7a26db1a5e0fea2b0c98
Opcode Fuzzy Hash: ff63f1d617d8f3b818659173b70badffcbb87dd38b56bcc5333f06dfc743112d
Instruction Fuzzy Hash: 51415871600605EFD721CF18D848B26FBF4FF58314F248A6AE559CB251E7B1EA42CB90

Function 01810710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: e8089ec8d07be965db7d5a1f1094e22c2600f9032c70a9642734f4b8f260b8d4
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: C8412C72A04705EFDB24CF98C980AAABBF9FF18704B10496DE556DB695D330EA84CF50

Function 017E262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6390d30216682d85525be084304097cea6a0022bf90586c3723382466c16b4f
Instruction ID: ef38a7cb4f60b940e06343082ad0777dd6454c66443654e34ae6bb1b2acb9a49
Opcode Fuzzy Hash: d6390d30216682d85525be084304097cea6a0022bf90586c3723382466c16b4f
Instruction Fuzzy Hash: AE41E571941709CFCB21EF28C948B65F7F9FF98310F1482A9C6068B6A6EB309A41CF51

Function 018607C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42da9306ec649ea0c81fdb79a01eab3095fdc497846f0aa4d44cb6b0fd90967
Instruction ID: c0ef581c7a8e6e1959d88bb604f0d64247481b8ecb4adabdfbc209eaccbaea99
Opcode Fuzzy Hash: d42da9306ec649ea0c81fdb79a01eab3095fdc497846f0aa4d44cb6b0fd90967
Instruction Fuzzy Hash: 84418E715043059BD761DF29C845B9BFBE8FF88764F004A2EF598C7251DB709A44CB92

Function 017D80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f113d544c1021c8b3fc60bb2d5f974bc29f4112945747d8a1067ee9fb6a3b4f
Instruction ID: 3c516e0367d94210fc5ae6b39497bd154b6fa1d7b426d9167c44921ab367c9dc
Opcode Fuzzy Hash: 7f113d544c1021c8b3fc60bb2d5f974bc29f4112945747d8a1067ee9fb6a3b4f
Instruction Fuzzy Hash: 8641F271E0561AEFDB01DF68C980AA8FBB1BF44760F24826DD815A7280D736ED458BD1

Function 018605A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2414781c1df687dc1f5989822b37689aebda33af1f47b5ab0a00774cf03ddedb
Instruction ID: 814f00a93001458ed152e056b91b987dcfc9bab7c34417d3475d0e2b230c39c2
Opcode Fuzzy Hash: 2414781c1df687dc1f5989822b37689aebda33af1f47b5ab0a00774cf03ddedb
Instruction Fuzzy Hash: 5A41AF726087469BC321DF6CD840A6AB7A9FF88700F14061DF954DB680E730EE04C7AA

Function 017F02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 8281c82beb0d35b062d7e186701058b62b54a4fbffd3033bf899eaf99eac28fd
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: C9312631A04245AFDB228B68CC48B9BFFEAEF14350F0845ADF915D7356C674D984CBA4

Function 0188E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81402003c2d519ecbc1455b0128e84889e73f3f8f1d75ba81ce0d7cd0b79b843
Instruction ID: 2800731a26b36ee1205eca4d4e5b6b55f42d0afd001af70cddd34cfc216503e1
Opcode Fuzzy Hash: 81402003c2d519ecbc1455b0128e84889e73f3f8f1d75ba81ce0d7cd0b79b843
Instruction Fuzzy Hash: 8D31BC3175071AABD722AF5D8C81F6B7AB4AF59B50F000028F604EB3D1DAA4DE01C7E1

Function 017E4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605f2bb67b477c8641400c38a46e4c88bdc0383a50566b508b71bc5ef180cb0b
Instruction ID: a2b289f10325b4b1ff26d8c96a53eb18a6abd7bfd0e1a6a2aef946bbba954766
Opcode Fuzzy Hash: 605f2bb67b477c8641400c38a46e4c88bdc0383a50566b508b71bc5ef180cb0b
Instruction Fuzzy Hash: DB41AD71200B49DFD722CF28C895BD7BBE9AF59314F114469E66ACB291CB74E940CB50

Function 018A61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee14ced8be7e18194ccb5225c3775239801ba851b88ef96b0970f43ef4f2ae4d
Instruction ID: a5c375411ac9553e01876b56b351f49d3b1c123baf43a0fdf5378661b178b069
Opcode Fuzzy Hash: ee14ced8be7e18194ccb5225c3775239801ba851b88ef96b0970f43ef4f2ae4d
Instruction Fuzzy Hash: 1F31D575A0021AEBEB15DF98CC40FAEB7B5FB44740F594168E900EB248E770EE40CBA4

Function 018A60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34559e34b7f1c45d637eee3cff75e9824aadbc8fc1400795e676d90becd92c1
Instruction ID: ac2323dbf67aa17f1feef25b15e92c66b7b1ea9e505b5726926722baf1288376
Opcode Fuzzy Hash: d34559e34b7f1c45d637eee3cff75e9824aadbc8fc1400795e676d90becd92c1
Instruction Fuzzy Hash: BA31D671740A06EFEB129F5DC850B6FBBB9AF44754F68006DE505DB346EA30EE018B90

Function 017E07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81458fcd30a2b5564187fda21a870df049d2a35d9341890383c879d9d91e9ec
Instruction ID: 70a45faccf8542cd8bbc66f04ee3fafce48946a06ddd3227c31dada71ca5ed57
Opcode Fuzzy Hash: c81458fcd30a2b5564187fda21a870df049d2a35d9341890383c879d9d91e9ec
Instruction Fuzzy Hash: AF310372B44716DBC722DE288888A6BFBE5AFD8250F05452DFD55E7300DA70DC018BE1

Function 017E8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe3ca099170abf17108ae7555b56712df1e114cd3ff24ee46f3f8f5ce4f057e
Instruction ID: 012f4273ad12742860c2f21c899d0990b3fee1cf86feb1853c3cebcae8e76aee
Opcode Fuzzy Hash: 2fe3ca099170abf17108ae7555b56712df1e114cd3ff24ee46f3f8f5ce4f057e
Instruction Fuzzy Hash: CA3169716093018FE720CF19D844B2AFBE6AB98710F1549ADF988DB351DB71E944CBA2

Function 0181A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 12080feba86bc5c453e3820bd56eb0fc666913e14d44cb11480e9e6ffaa96162
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: E5310AB2B01B41AFD765CF6DDD41B57BBF8AB08B50F14492DA59AC3651F630EA008B60

Function 0180438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90cfd4602ea29b3256b0ffe4f1d60480465c5b8a4c8c56f2800bdbbf31ef056
Instruction ID: d841c79eab2ec7fd0bdea4d539aeab335cf9c166ce25689bbd8cc1a788e4ca94
Opcode Fuzzy Hash: d90cfd4602ea29b3256b0ffe4f1d60480465c5b8a4c8c56f2800bdbbf31ef056
Instruction Fuzzy Hash: EB31E231B4160E9FD761DFA8CD81A6EBBF9AF84308F118429D606D7295E730EB41CB91

Function 017DC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535918019e7639f8ec3db8eabbd671eae310a58e5bdef3592ad9a6443629f85c
Instruction ID: c95107f62a46b85c3242cf70962b0d7d692020e19f63cbdfae3f547aff975572
Opcode Fuzzy Hash: 535918019e7639f8ec3db8eabbd671eae310a58e5bdef3592ad9a6443629f85c
Instruction Fuzzy Hash: B8313E715002118BDB32AF6CCC44B69B7B4AF90314F9882ADD945DB386EB34DA86CBD0

Function 0189C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 3897eaa9a8fcdcb486c16994ad7b76655fc22d432b0c58c3c13791cae24ab9c0
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 25212D3670065266CF15AB998840ABFBFB4EF80710F44841AFA55C7691E736DB40C3B1

Function 017DE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853a9ecae9979340ad2f2ef021e81a6e8171d4d646ee642abeee1b0108a9aaca
Instruction ID: 2d348f8495fe3f7cbb2ba20033f96c15083172e63aaf119fc9f6bcca6338a314
Opcode Fuzzy Hash: 853a9ecae9979340ad2f2ef021e81a6e8171d4d646ee642abeee1b0108a9aaca
Instruction Fuzzy Hash: 5A31D431A0112C9BDB32DF18CC41FEEF7B9AB15780F0101A5F655AB290DA749E80CFA0

Function 01814588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 034cf723e0faf8132132f1aa33bb9d57d031bad131910ecc3828c8bf11de33ff
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 74216232A00709EBDB15CF58C980A8EBBA9FF48768F108469EE16DF245D771DB458B50

Function 018144B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc405af69b140d1190643ee5e5ca8e6ba28a75526e5326437cbb1d3229436f8
Instruction ID: 0f4fcfdb55680b5dd1fbdb0bc3645f16e795b28d2014e8c1ea2c8b46a26a6f63
Opcode Fuzzy Hash: fcc405af69b140d1190643ee5e5ca8e6ba28a75526e5326437cbb1d3229436f8
Instruction Fuzzy Hash: 9B2193726047469BCB22DF18C840BABB7E8FF89761F014529FD55DB685D730EA01CBA2

Function 017DE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 769ba1c518e47ac2c30b0763e31856e58bdfb6a2c5e3241e36d5ef9ee1302e22
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 37317C31600609EFD722CF68C984F6AB7F9EF85354F1445A9E552DB290EB30EE42CB51

Function 0185E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffd49268263054c0b1a6b1e3a98dfc0d212cb3f0450102d95131b5a758cb9a1
Instruction ID: 470e475f293afeec616e1e4062a6bf530dc20d37e293e5d246aa072233f041b8
Opcode Fuzzy Hash: 4ffd49268263054c0b1a6b1e3a98dfc0d212cb3f0450102d95131b5a758cb9a1
Instruction Fuzzy Hash: 66314B756002099FCB59CF1CC8849AEB7F5EF88354B15445AEC09DB391EB71AB50CBA1

Function 018606F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe9328f177299ec851bed5c54369e1f6922310d9c82a19daee0c6baa2734a51
Instruction ID: 12dd91a7dceb70b2ed28e2d6596965e878955e5ac83b649dfd9b2199d0deefb7
Opcode Fuzzy Hash: 4fe9328f177299ec851bed5c54369e1f6922310d9c82a19daee0c6baa2734a51
Instruction Fuzzy Hash: 4E21AD71A002299BCF25DF59C881ABEB7F8FF48740B510069F941EB240D778AE41CFA5

Function 0186019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4def009468a9d000314844e1426948288d35f01c7b9efb2726cfdef5d2005028
Instruction ID: 44d274c9d113b040de01eedb78a68278a38f5fe47fe0bda5a9d8ae980b966a52
Opcode Fuzzy Hash: 4def009468a9d000314844e1426948288d35f01c7b9efb2726cfdef5d2005028
Instruction Fuzzy Hash: 68218971600645ABDB16DB6CD844F6AB7A8FF58740F140069FA04DB7A1D638EE40CBA8

Function 01860283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ccd0d1e3da395c64a0664d816012ed39dffb1a6268181be64f72b314f3159e
Instruction ID: a8db8d03e3a8ee0b99df3bc2af2ff5ff3498763b50a2a0c5637a988f5f21794f
Opcode Fuzzy Hash: b5ccd0d1e3da395c64a0664d816012ed39dffb1a6268181be64f72b314f3159e
Instruction Fuzzy Hash: 3D21AF729042469BD712EF5DC948B5BBBDCAF90344F08046ABA80C7291D734DA44C6A6

Function 0181A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff93ec86c70f23f25ebf64186b6757a7e4f787425616136beb26cd6ec9cb158
Instruction ID: 8f20048de89fd5145a97c7cc9eb68b9206a20209f2482031ceb3dd5d288142a9
Opcode Fuzzy Hash: 3ff93ec86c70f23f25ebf64186b6757a7e4f787425616136beb26cd6ec9cb158
Instruction Fuzzy Hash: 0F21AC352417419FCB29DF29C801B46B7F5FF08708F24846CA519CBB65E331EA42CB94

Function 0189A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dcccab36cae5ee7aa77abd4f5622ce93e8a7ca76100aa188aa1a20cb866ee4
Instruction ID: 56ef3fe0684b3c8eed491c0c9aefa44442afc369a097a0d31c110575e9bfb405
Opcode Fuzzy Hash: 31dcccab36cae5ee7aa77abd4f5622ce93e8a7ca76100aa188aa1a20cb866ee4
Instruction Fuzzy Hash: 9D113A36380A11BFDB2655989C40F27B6D9DBD4B60F180028B708DB284DF70DD00C795

Function 01860946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2158310cb625f68fc026b57ed6909f0b584fee4c2c2a7fc55a234ee3f5655d6f
Instruction ID: b49809a0461fb8855357ff1db0efe138f79e49d07c0cf049867332e0824320fe
Opcode Fuzzy Hash: 2158310cb625f68fc026b57ed6909f0b584fee4c2c2a7fc55a234ee3f5655d6f
Instruction Fuzzy Hash: 0E21F6B1E40309ABCB24CFAAD9849AEFBF9BF98700F10012EE405E7240DA709A41CF54

Function 018780A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 3e7c08b0cde1c9b12d01bee042b769d41cb1451e478378070a48e0e0ccab2726
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 90218E72A0020AEFDF129F98CC48BAEBBB9EF49310F214819F914E7251D734DA50DB60

Function 01810124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 825636f2bd95e502ff5b91711fc76315bc9ab9836c4cbc672bb89baa95ad3bd9
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 4D11EF73600A09AFE7229F88CD41F9ABBBCEB84754F104029F604CF180D675EE84CB65

Function 017E8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06fc7df405e7ace0210b8a14cc498119219a002a2c9bcf2c80cae35eb6a98af
Instruction ID: 6fcd6402e3568244ce85e63a8872f9c78da1a12eb128c41462e05a6c9b1c0bd4
Opcode Fuzzy Hash: c06fc7df405e7ace0210b8a14cc498119219a002a2c9bcf2c80cae35eb6a98af
Instruction Fuzzy Hash: 3311C1357406159BDB11CF8DC4C8A26FBE9AF4E714B1880AEEE08DF305D6B2D901C791

Function 017E80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4565f8f7981f7d0333a7db335e671ebf5f7881e7448297315aa43d3a5e0808
Instruction ID: 5dba07e2d41a52f7501c47c15a8f80020ec77525ea8c18beb5da1a152a86ac5d
Opcode Fuzzy Hash: 6b4565f8f7981f7d0333a7db335e671ebf5f7881e7448297315aa43d3a5e0808
Instruction Fuzzy Hash: BF214C75A40205DFCB14CF58C585A6AFBF6FB88314F24416DD105AB311D771ED06CB91

Function 0181674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b1d5b1b6c30e90f2c8e3ccb6ceffa02a988dc36f701f64aed574d9c222cdf2
Instruction ID: 6033d4c0de6b7e77e6490b32ea8eccc87752d4eebfc989dd9d5c1e537bd2de4e
Opcode Fuzzy Hash: 25b1d5b1b6c30e90f2c8e3ccb6ceffa02a988dc36f701f64aed574d9c222cdf2
Instruction Fuzzy Hash: DD219072610B01EFD7218F68C841F66B7F8FF44350F14892DE5AAC7250EBB0AA40CB60

Function 018166B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357f9af3bf2925d4d5e89cbda0d6f3f41e422645c1f9b3bc8ac54fe67a4a906b
Instruction ID: dc062a3c95f67f68fe1ce34f12a7ec7cfcb5e000462000e30ed250ca72fed579
Opcode Fuzzy Hash: 357f9af3bf2925d4d5e89cbda0d6f3f41e422645c1f9b3bc8ac54fe67a4a906b
Instruction Fuzzy Hash: 8611C177A0120ADFCB25CF59C580A5ABBF8AF94710B22867DD945DB319F6B0DE00CB90

Function 0186E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: fdbc37097b150a94df92171b8c498388281fb9645eb3cba004dc83826e6e3243
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 9911AC3A600609EFEB22DF49C844F5ABBE9EF45754F058428EA09DB260DB31DE40DB90

Function 018027ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d716b3fb8658dd320dd74203dbb9b281303b7feb132f603fb78faa7099faa470
Instruction ID: a1b3b9abfe11e1b000ddb6b9f53914ad387c2a287bb96aca4f77e14bbeee5756
Opcode Fuzzy Hash: d716b3fb8658dd320dd74203dbb9b281303b7feb132f603fb78faa7099faa470
Instruction Fuzzy Hash: C101D67668564DAFE32BA26DDC8CF276B9DEF44359F050065FA01CB291DE64DE00C261

Function 017E4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21a18c6c3713db24e319dacea9bc1043bb94bc18b5c0d0a5d65d094ce60096e
Instruction ID: dbfbb54f3a683be39fd49ba990b43cf821104a8e9ff70e630afc442423f5af9f
Opcode Fuzzy Hash: e21a18c6c3713db24e319dacea9bc1043bb94bc18b5c0d0a5d65d094ce60096e
Instruction Fuzzy Hash: C911C276284645AFDB25CF5DD888F56BBE8EB89764F104119F916CB350C370E840CFA0

Function 01816620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25228df9cfa1a7c2df69b569ada9f935bac0ca105a47d877c94c3153229f975
Instruction ID: 6d79c5b50bb1366d9f21119278e4dea2f1d1132c27601cdde0004bf460dbc515
Opcode Fuzzy Hash: d25228df9cfa1a7c2df69b569ada9f935bac0ca105a47d877c94c3153229f975
Instruction Fuzzy Hash: ED11C276A00716ABDB21DF59C980B5EFBBCEF88750F610859DA41E7208E770AE01CB50

Function 0180E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 0552e3e0b6e8703ff4b294acfb4a7085e8aaa59f479037837d1309a135df4b1b
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 0711E5722016CE9BE723972CC958B267B94AF0074CF1908A9EF41D77D2FB29CA42C250

Function 0186E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 60880d2c5b6f5529aff0ea6341cd3927917180a6fc6723c7567796bfc089d425
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 3601923A600105AFEB21DF59C844F5ABBEDEF45B54F158424EA05DB260EB79DE40C790

Function 017DA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 0ff4655bbd031032f0336876bf1a731c6f3cfe94b8c14671672c45845796567d
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 0901F9725097299BCB318F1AD840A36BBF5FF99760700896DFD95CB681D731E400CB60

Function 018B4940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb3bab6902eabe32e99b79f22467fde5dd35acef849be5d0685a51d9022f9be
Instruction ID: 9fae1e5cd2717426dfdfc66bec7d890d5d02137bb60e086f3e1e9d903794d978
Opcode Fuzzy Hash: 2cb3bab6902eabe32e99b79f22467fde5dd35acef849be5d0685a51d9022f9be
Instruction Fuzzy Hash: 910104325416019BC3229F1C9885E96B7A8EB81370B254259EA6ADB3A7D730EA01CB80

Function 0185E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70ec60b14cc3e75e553bc1b0b252193ab3fd65e14916f4db8bd6434b0230e63
Instruction ID: f61a51c74c660d4f7ae7d17c75689d4de7aa232ac412e2bd0fd3a0ba3ab26a2c
Opcode Fuzzy Hash: e70ec60b14cc3e75e553bc1b0b252193ab3fd65e14916f4db8bd6434b0230e63
Instruction Fuzzy Hash: F911CB32241205EFCB26AF09CC80F06BBB8FF58B84F200065FA05CB6A5C635EE00CA90

Function 017E6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a97a917b9371c4fb4d7e3f1e85f0d048c08bf1bb12a948011d28dd906dac321
Instruction ID: eead9b4bc6061ab49f421716aaf1777563d479f809b73aa5c1518de231e76823
Opcode Fuzzy Hash: 1a97a917b9371c4fb4d7e3f1e85f0d048c08bf1bb12a948011d28dd906dac321
Instruction Fuzzy Hash: 15115A71545229ABEB26AB68CC52FE9B3B9BF18710F5041D4A318E61E0DB709E81CF85

Function 01866050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7877d0de9f29e34238e411f4c5c5811bec9907d6f61c07a35c46c6c984fde1
Instruction ID: 1b682084a5a8741d726977ed9d216ad9987cd3d695afcad0ca10b0bc2c79fa9f
Opcode Fuzzy Hash: 1d7877d0de9f29e34238e411f4c5c5811bec9907d6f61c07a35c46c6c984fde1
Instruction Fuzzy Hash: 83111B73900119ABCB11DB94CC84DDFBB7CEF48354F144166E506E7211EA34AB55CBA1

Function 017E208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: ed507f1b226eb2ef750e24ce346d2e87fa8d5e148733f6d13346dac2e91ba71a
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 790128326001108BDF158A5DD884B92BBEBBFC8700F1945A5EE01CF297DA71CC81C3E1

Function 01876500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39155359317351c5f43175438865256daabc32e4a098d6b7764c948dbd37f7a8
Instruction ID: 7d943a4b0e80571add44ebb16bd2c7ca5ded84318a062b246d911d58a7e5fc63
Opcode Fuzzy Hash: 39155359317351c5f43175438865256daabc32e4a098d6b7764c948dbd37f7a8
Instruction Fuzzy Hash: 4B11E1326005469FE301CF18D800BA2BBB9FB5A314F188159F848CB315E732ED80DBA0

Function 017DC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: c541e18f69f565c576c0c8cf6610c84cc605146079e19c53bdb6e7a9a450f959
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 3001D8321007099FEB2396ADC840EA7B7FDFFC5354F44451DA646CB680DA70E642C791

Function 018220F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce62e40a6dcd3285c1ad245a11d8d7493a3bb3eaffa60b75b25b543bab9201
Instruction ID: e6f6e97d181b1a054a86b2dc6b31cbc032a880555763ed409fd23fab8da43a00
Opcode Fuzzy Hash: ddce62e40a6dcd3285c1ad245a11d8d7493a3bb3eaffa60b75b25b543bab9201
Instruction Fuzzy Hash: 97116D35A0125DEFCB06DF68C850EAE7BB6EB44344F104059E902DB290DA35EE51CB91

Function 0181E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fa31502514f6bad469395161153050335d25719730bc230876ae8ead7afd9a
Instruction ID: d4da2129f67b4bebee8ce8684ce515267cb0dcb2f367458c31b8556993fdba58
Opcode Fuzzy Hash: 59fa31502514f6bad469395161153050335d25719730bc230876ae8ead7afd9a
Instruction Fuzzy Hash: 9901D471600606BBC311AB2DCD88E53FBACFB547A47000529F605C3651DB24ED01C6A0

Function 018769C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998f886123aca252cbfed5264c8f0766438834473f0c283e89ff22557eb33ea7
Instruction ID: 699e9e153eea01eb9b87bc5e67834fcf0a51258891d5b993b0c26a722c146907
Opcode Fuzzy Hash: 998f886123aca252cbfed5264c8f0766438834473f0c283e89ff22557eb33ea7
Instruction Fuzzy Hash: 5F0128322146169FD324EF6D8848D67FBA8EF98724F214129E958C7280F730DA41C7D1

Function 0186C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590ef8db97dd66095f8dc544ab2ee855a619617b6cd204bf412ba1e2bf76bd1e
Instruction ID: 979ac3bd39156391e0c43f67d43217daca40a62608fd0a5d35c53d0ee4ff9c7c
Opcode Fuzzy Hash: 590ef8db97dd66095f8dc544ab2ee855a619617b6cd204bf412ba1e2bf76bd1e
Instruction Fuzzy Hash: 73115B71A0120DABDB15EF68C884EAE7BBAEB58354F004099F941D7380DB35EA51DB90

Function 017FE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 0cac013bc246c7386934866aa097d9a440afb656dff86dafa17ad85cc1ffc693
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 7501DF722045809FE322871CC908F27BBDCEF84754F0E00A5FA05CB7A1CA78DD40C265

Function 017D826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944d1224107651099ebf1dee9489c88b391787e3f76d12e4c262b537198a359a
Instruction ID: a9e97688090bc5ab392689a5a4e4e091ed03ad8612f1bf205f3479877fb11ec8
Opcode Fuzzy Hash: 944d1224107651099ebf1dee9489c88b391787e3f76d12e4c262b537198a359a
Instruction Fuzzy Hash: 71018471B04609DBD714EB6EDD049AEFBB9EF84720B154069D902DB645EE30EA01C692

Function 017E2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4207c1b14dc3f6a1ddb23ce5c224d31b7fa035213fbe8eafb4044688f9081f8b
Instruction ID: 91c18ee179461d2d50a91574b581e8aaaed4f4124bb373a816ef78c48b733399
Opcode Fuzzy Hash: 4207c1b14dc3f6a1ddb23ce5c224d31b7fa035213fbe8eafb4044688f9081f8b
Instruction Fuzzy Hash: E2F0F432A41A11B7C731DB5A8D48F07FEEDEBC8B90F154468A616D7640CA30ED01CAE0

Function 0180C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 07a9f3058232090f8bb93ed8d77b042f94a4af06fb072e6fb147635bac6b56aa
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: A1F0C2B2A00625ABD325CF4DDC40E57FBEADBD5B80F048169E615CB320EA31EE04CB90

Function 017DC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: d002606eeab5e15c61843c5b81ebb0a828176f11e061fa54e43ac9024187cb0a
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: A3F0F673248A279BD73316598844B6BEAB58FD5A64F1A007DE3099B248CE608D02D6D2

Function 018B634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2822ea33a3596c1c1766eedcc422a50cf6a2f652cbd6ff606521dd87d617a1bf
Instruction ID: 7f65a3b16061426db408696e96c6116e559eaed60430ca136b761cd782433ccf
Opcode Fuzzy Hash: 2822ea33a3596c1c1766eedcc422a50cf6a2f652cbd6ff606521dd87d617a1bf
Instruction Fuzzy Hash: 4C012C71A1121DABDB04DFA9D951AAEBBF8FF58304F10406AE904E7390D6749A019BA1

Function 018B62D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420238a6b6ca3ffc8f0d1715171ffebf3db426215535eb5d13ddb75681cb127e
Instruction ID: 48ba845e6a2deee82414286b26e9cadfe1983443a987671b00d79964483583a3
Opcode Fuzzy Hash: 420238a6b6ca3ffc8f0d1715171ffebf3db426215535eb5d13ddb75681cb127e
Instruction Fuzzy Hash: 49012C71A01219ABDB04DFA9D455AAEBBF8EF58304F50406AEA14E7390D674DA018BA1

Function 018B625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cea15c2e84090f090bd2ad50ea426e1e9ab9dbf1e65070c32267e096b6514c3
Instruction ID: 375adf5070be1ba1384d15d87a8f1b8225b5580b3fc0ce43f915e44eb621c6fd
Opcode Fuzzy Hash: 5cea15c2e84090f090bd2ad50ea426e1e9ab9dbf1e65070c32267e096b6514c3
Instruction Fuzzy Hash: CA012C71A1021AABDB04DFA9D491AAEB7F8EF58304F14406AF904E7391D674AA01CBA1

Function 018B61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c49fada26ab770c62b2cffe72bc2dc018772446f7b7cc0a0bb78a64e79d7c5
Instruction ID: ce44f486452934424d9743043c013ef5b02ec2589a550f6913f002b390292c60
Opcode Fuzzy Hash: 11c49fada26ab770c62b2cffe72bc2dc018772446f7b7cc0a0bb78a64e79d7c5
Instruction Fuzzy Hash: 58017C71A00259AFDB04DFA9D445AEEBBF8AF58314F14005AE900E7380E734EA01CBA5

Function 018663C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: bb2e0438203e911b8cbad11c4fbfbf6d043560e9dc9dc2d5e60609fa8ddd0cdf
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 18F0127210005DBFEF019F95DD80DAF7B7DFB55398B114125FA1192160D631DE21E7A0

Function 0186A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4128cbb7b3fd22e0b6a8c1ef2c28aef31bcd9a25db4af05374aca9bdb54eb4
Instruction ID: fd1c3e6dcdef1adf3a3fb6de456322226738d44d5e6085bb40f61a71d9797285
Opcode Fuzzy Hash: 9e4128cbb7b3fd22e0b6a8c1ef2c28aef31bcd9a25db4af05374aca9bdb54eb4
Instruction Fuzzy Hash: 7A018536111219ABCF129E88DC45EDA7F6AFB4C764F068101FE18A6220C336DA70EF81

Function 017DC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95ac17d37d5d96ed0c8600884fdf33bdac4cab6440da63a848f8fdedb2c27cf
Instruction ID: 771299d3354172d043d6ef0a61d88f93321e5b6c83692d29c2f6a351abc1acad
Opcode Fuzzy Hash: b95ac17d37d5d96ed0c8600884fdf33bdac4cab6440da63a848f8fdedb2c27cf
Instruction Fuzzy Hash: D7F02BB12042555BF716962D8C41B62F2B5EBC0750F35807DE7058B2C1FA72DC01C3B4

Function 0181656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4756967ad2af75481e60e4c037e609a50855a0b3f2400802ddc472e0f648bd
Instruction ID: e3ded3c675a815b4a2e58c9167d8d6aadb717edfef8ddbc1df6e8951e9fa60ce
Opcode Fuzzy Hash: 6c4756967ad2af75481e60e4c037e609a50855a0b3f2400802ddc472e0f648bd
Instruction Fuzzy Hash: DA01A471201785DBE322976CCD48FA537ACFB40B48F5801A4FA51CB6EEF768D681C610

Function 0188437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: b172074efe292b87943cddb6e1c0c3045beb1693a3d41aeda07d5beb5119afc2
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 60F08237341E1357EB76BA2E9820F2FBA95AFA0B50B09062C9655CB680DF60DA018791

Function 0186C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4c9a3e6be5729424b5642183fb65ab8e5483d772a3b014e6cd62adae945ba9
Instruction ID: 9d3cb6a89fd4da2a0b8b02b5b8e86a360ab0ddce422aada1f427f507f0bca106
Opcode Fuzzy Hash: 0c4c9a3e6be5729424b5642183fb65ab8e5483d772a3b014e6cd62adae945ba9
Instruction Fuzzy Hash: 79F04F70A01249AFCB04EF69C515E5EB7B4EF18304F408059A955EB385DA38EB01CB61

Function 017E47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c938d018a19b5a2c710842e7855e064c85d634b0c41529a22aa9520f7abf09e9
Instruction ID: 4d9434dbd30df3a22626cd6f55b483506fe7df5ec31c7ac81d4c1314add1b494
Opcode Fuzzy Hash: c938d018a19b5a2c710842e7855e064c85d634b0c41529a22aa9520f7abf09e9
Instruction Fuzzy Hash: 36F0E2319967E19FE733CB6CC05CB62FBD49B08730F0989AAD59BC7602C724D880C651

Function 018A0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bf81c624720ee1e16fa067694460644218b7e17f8b6ad2f29d67bf92e77bfd
Instruction ID: 223570ee86666ab1faff4b81c8dd4b2fa29b60e0e401d3e6eb922f2b432f560a
Opcode Fuzzy Hash: 21bf81c624720ee1e16fa067694460644218b7e17f8b6ad2f29d67bf92e77bfd
Instruction Fuzzy Hash: C2F05C66817BC457EF335B3C78903D13F54A742314F6D1045D8A0D7206D574A783CB25

Function 0181C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740657a59b7258eac6affeb9563b9055b9c4926d79a824607e7cbf74e7789785
Instruction ID: 17616188263460d987f4968109b29bfe6911bc7edce5f0475ece6b0450c6812a
Opcode Fuzzy Hash: 740657a59b7258eac6affeb9563b9055b9c4926d79a824607e7cbf74e7789785
Instruction Fuzzy Hash: BBF0E2735956559FE322975CC148B55BBEC9B407A4F08AC2DD50AC761AC360EA80CA51

Function 01822619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: cd549735d9abf43896617b02a78660efc701a08769db9fcd34a74fd76be65d56
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 27E092727006112BE7229E5D8C84F577B6E9F96B10F040079F6049E251C9E69D5982A4

Function 01876030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 92fdef7d7bc4c7d2651af5a4d8b853d6ab3f461e88a041394215a676c878ec38
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: F5F06572114604DFF7228F09D944F52BBF8EB15368F55C029E609EB661E379ED40CBA4

Function 017E0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: cdc25b0933259f48ecb7b5e761e1057b585acca03a22924be00c5e326deeebf0
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: B7F0E539304341DBDF16CF19C050A95BBE4FB45350B040094FC428B341D775EA82CB90

Function 018149D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: dcea5cf912059b3d8a8f8d2643d71d72fad0b4d042d75c5a6ae2881caa2a932a
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 54E0D833254249ABD3211E59C800B677BADDBD47A0F170429E200CB259DB70DD40C7D8

Function 018B4164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac8eee19fdc2c33202bd320725dd026a3e4febf5c304e66759183bed7834a6c
Instruction ID: 7a041491f742f17d3b822e9b044ad8edb8341b10082ebe056128c69d7f5bfc79
Opcode Fuzzy Hash: 1ac8eee19fdc2c33202bd320725dd026a3e4febf5c304e66759183bed7834a6c
Instruction Fuzzy Hash: CDF03031E269918FE762D72CE5D5B9677E4AB10730F5A05A4D406C7B13C724DD41C650

Function 0188678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: fe6f2aca1781b4ac52750822c7ababd9942860d118b283269322494fbda254e7
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: CFE0DF32A00110BBDB21B7998D05F9BBEACDB94FA0F150054B600EB1D4E530DF00C6D0

Function 017E25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8ec3906943b72e7b1da44fe248364398f3daa71c01f3dbfcdf5e08dcad8907
Instruction ID: bc91d691121b2c958e0d6b9f1c249bbbc7e5a068ee51c06f64756e15922e29db
Opcode Fuzzy Hash: 3c8ec3906943b72e7b1da44fe248364398f3daa71c01f3dbfcdf5e08dcad8907
Instruction Fuzzy Hash: B7E092321006549BC722BF29DD09F9BB7DAEF64360F114519F11597194CB30A950CB84

Function 0189A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 387244acbc24b452972fe40246dea2247bc4715e1e6e5d35906ee48ebf77c2f4
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: EBE09231010612DFEB366F2EC84CB52BBE5BF50711F188C2CE196424F0C77499C0CA40

Function 01864000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 90725ed71698153323ca526fb25bdb981b886abc714525de94d6ad8660874463
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 5AE0C2343003168FE755CF1AC040B667BBABFD5B10F28C068A9488F305EB32E942CB41

Function 017D823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 886b822682399b820de84b2488ceb3b93708c6b8ac200a93b1bea908bfbe1b9e
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: EAE0C231108A25EFDB322F1DDC00F52B6B6FFA4B10F154869F081460A48770BCC1CB46

Function 017E2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba9308542453c86b77754c06b9c1eeba7ca5907ccc595bd500b561c0ed8b3c7
Instruction ID: 5769db84333c7e6ef75107e06cdbc052024f3f85dcdb39a1d34e00340db00422
Opcode Fuzzy Hash: 1ba9308542453c86b77754c06b9c1eeba7ca5907ccc595bd500b561c0ed8b3c7
Instruction Fuzzy Hash: 0AE08C321005546BC611FA5DED14F5AB3DEEFA8360F110225B15197698CA20AD00CB94

Function 0181E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: ab1aca1de0f9d2f0e3b980a6c6b954b7645f83f71cdf34dec93cc6a0076a2615
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 52D0A932604620ABDB72AA1CFC04FC373E8BB88760F060859F028C7190C360AC81CA84

Function 0185E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 2af597f4af5402a1ae29477147576a628b29d13a5008ed8c868b4d8e83293478
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 12E0C2319407809FCF52DF59CA44F4EFBF4FB88B00F150408A5089B264C634EE00CB40

Function 017DA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 1f79f9d21c74160b31cc884f301d1e31d47ff78f2bad784fa6914c124681264d
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: D4D0223321203293CF2856656814F63E925BB80A90F1A006C350AA3944C0058C42C2E0

Function 017F02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 192a96fa97187ec52f16afe006596978b0a88b474f401199fd1b3b69bdcd703a
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: E7D0C939256E80CFD61BCB0CC5A4B1673A4FB44B44F850494F501CBB22DA3CD940CA10

Function 0181C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: db9a9e9a48a0355f125826fcf3c292205989b284945a2f8403989f29bf5de7a2
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 36C08033150644AFC711DF95CD01F0277A9F798B40F010421F30447670C531FC10D644

Function 01800310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 7efa5b493776a296917131fc68d00c8547823c94f8d4b151e92e2c6da3fa8b8a
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 79D0123610024CEFCB02DF45C890E9A772AFBD8750F108019FD1907650CA31ED62DA50

Function 017E0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 93733978f71005bdb7372bc894a58718510acca4796a08c9808b59fdef4a8eb8
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: CEC04879711A428FCF16DB2AD298F4AB7E4FB84740F190890E905CBB22E624E942CA10

Function 01824340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606d14355003ae3da865d5febcb5a03568271da0b4f524d91124bcd780e9914f
Instruction ID: db1ec23e323804ab176802dd8752147786f95abc47ddbe26b62c4903739fb2a9
Opcode Fuzzy Hash: 606d14355003ae3da865d5febcb5a03568271da0b4f524d91124bcd780e9914f
Instruction Fuzzy Hash: 03900231605800169140715848845464015A7E1301B59C111F142C554CCA148B5B63A2

Function 01824650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86a2ef36ff028e21c03115148383b9a8c44e9b218a41f069ac05d9d38313217
Instruction ID: 897e4701df41eee6363b8819521fe617f1f54bfb6769e71cab3af8e827fd9e59
Opcode Fuzzy Hash: e86a2ef36ff028e21c03115148383b9a8c44e9b218a41f069ac05d9d38313217
Instruction Fuzzy Hash: 4E900261601500464140715848044066015A7E2301399C215B155C560CC6188A5AA3AA

Function 01892410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 018924A6
___swprintf_l.LIBCMT ref: 018924E2
___swprintf_l.LIBCMT ref: 0189257D
___swprintf_l.LIBCMT ref: 018925A3
___swprintf_l.LIBCMT ref: 018925C8
___swprintf_l.LIBCMT ref: 01892608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 018924DA
:%u.%u.%u.%u, xrefs: 018925FF
ffff:, xrefs: 0189247D, 0189249D
::%hs%u.%u.%u.%u, xrefs: 0189249E

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 4c12c851872f8c015b92daa59d10f216e4bb8fce44b71030b22298cd9e28a5dc
Instruction ID: a9bdadc1cbbf5df483488d83f8a34d8b5e34cedc95d3719d109ec8c613ae3806
Opcode Fuzzy Hash: 4c12c851872f8c015b92daa59d10f216e4bb8fce44b71030b22298cd9e28a5dc
Instruction Fuzzy Hash: A651E6B5A00649BECF34DF9DC89097EB7FAEB44300B088869F596D7682D674DB408760

Function 018B6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 1f2c85fb4f2e3f896f449aaa5e05b0a8723f906bb4cdd199821f9de40a7d1f28
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: EF020571508342AFD705CF18C494AAEBBE5EFC4704F248A2DF9998B354EB31EA45CB52

Function 018920E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0189214F
___swprintf_l.LIBCMT ref: 01892172

Strings

[, xrefs: 0189212B
%%%u, xrefs: 01892146
]:%u, xrefs: 01892169

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: e8d52b7d24f5cbdb0f1f7c0aa39a1a084486785d3a774e0071dc7f82a18adad6
Instruction ID: 05fd168ffef0308001ea42aefb3ad9bf5aac927e83e61a1360c2ef723f26ea5a
Opcode Fuzzy Hash: e8d52b7d24f5cbdb0f1f7c0aa39a1a084486785d3a774e0071dc7f82a18adad6
Instruction Fuzzy Hash: DE2165BAA00519ABDB11DF7DDC50AEEBBF9EF54754F080116E905D3200E730EB118BA1

Function 01892300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0189238D
___swprintf_l.LIBCMT ref: 018923B3

Strings

]:%u, xrefs: 018923AA
%%%u, xrefs: 01892384

Memory Dump Source

Source File: 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17b0000_47879282.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 973d64f5d3f985e780f81092e2666badbadd311419e10e3ac333ae0bf60e512e
Instruction ID: 8c1fc089649a7cc075c8850c01ecc99a287f654f77a8f0985e7ef3c5757673a3
Opcode Fuzzy Hash: 973d64f5d3f985e780f81092e2666badbadd311419e10e3ac333ae0bf60e512e
Instruction Fuzzy Hash: FF315472A00219AFDF20DE2DDC40BEEB7F9EB54710F48455AE949E3240EB309B449BA1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 47879282.EXE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\47879282.EXE.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: 47879282.EXE.exePID: 5260, Parent PID: 4056

General

Windows Analysis Report
47879282.EXE.exe

Function 07483348 Relevance: 5.8, Strings: 2, Instructions: 3280
COMMON

Function 06FD750D Relevance: 5.5, Instructions: 5511
COMMON

Function 06FD7538 Relevance: 5.5, Instructions: 5499
COMMON

Function 08A5BE50 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Function 074832E6 Relevance: 4.2, Strings: 1, Instructions: 2973
COMMON

Function 08A54510 Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Function 00ACC8B1 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Function 00ACC8C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 06FD27A8 Relevance: 4.0, Strings: 3, Instructions: 246
COMMON

Function 06FD621C Relevance: 3.9, Strings: 3, Instructions: 118
COMMON

Function 06FD51C8 Relevance: 2.9, Strings: 2, Instructions: 389
COMMON